I hopefully have a quick question for you all regarding IPS bypass. If we turn on dynamic balance on a gateway that also has IPS bypass enabled will dynamic balance work in a manner that offloads the inspection to other workers before IPS bypass is triggered? We can set the bypass threshold to a higher percentage if needed, but I’m just trying to understand the mechanics here because we have gateways going into bypass for hours per day in some locations. From my understanding this should be a viable method to prevent bypass from engaging. I just want to confirm.
If this method will not prevent IPS bypass from being triggered is there any other feature available to force inspection to other workers before it is triggered? I have not come across anything so I’m curious to find out the answer.
All it takes for IPS Bypass to be triggered is for one CPU to be high.
The whole purpose of Dynamic Balancing is to mitigate exactly that from happening.
I would therefore assume that enabling Dynamic Balancing would reduce the amount of time IPS Bypass would need to be triggered.
All bets are off if the issue is caused by an elephant flow, of course.
Thank you. We have a solution coming for elephant flows so that should assist in that scenario. I appreciate the quick reply.
Dynamic Balancing combined with Hyperflow being introduced in R81.20 should reduce the incidence of the IPS Bypass being activated.
When IPS Bypass was first introduced in R70, firewalls had relatively few cores such as 2, 4, or even perhaps 8. If one of them got saturated by IPS it would cause a noticeable impact and it was appropriate in that scenario to disable IPS on all cores because there were so few of them. Unfortunately in today's world of 40+ core systems that methodology is completely inappropriate and essentially results in IPS being disabled on all cores all the time. What really needs to happen is the IPS Bypass feature averaging the utilization of all cores when deciding whether to go into bypass mode. Until that happens my recommendation is to leave the IPS Bypass feature off. See my other response on this topic here which has some content from one of my courses:
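The difference between the two trigger rules discussed in this thread (a single hot core versus the average across all cores) can be made concrete with a small simulation. The following is an added illustration written for this page, not Check Point code, and it does not model how the product actually samples CPU. The high/low watermarks, the 5-second sample interval and the per-core utilisation samples are all constructed assumptions chosen to show the effect: one worker pinned by a single heavy flow keeps a per-core rule in bypass the whole time, while an averaged rule only engages when the box as a whole is saturated.

```python
"""Simulate two IPS-bypass trigger policies over constructed per-core CPU samples.

Added example for illustration only; thresholds and samples are assumptions,
not Check Point defaults or measurements.
"""
from statistics import mean

# Assumed hysteresis watermarks (percent CPU). Bypass engages above HIGH and
# only disengages again once the watched value drops below LOW.
HIGH_WATERMARK = 80
LOW_WATERMARK = 70
SAMPLE_INTERVAL_S = 5  # assumed seconds between samples


def watched_utilisation(core_loads, policy):
    """Reduce one sample of per-core loads to the single number a policy watches.

    "any_core" mirrors the behaviour described in the thread (one hot core is
    enough); "average" is the alternative the reply argues for.
    """
    if policy == "any_core":
        return max(core_loads)
    if policy == "average":
        return mean(core_loads)
    raise ValueError(f"unknown policy {policy!r}")


def simulate_bypass(samples, policy, high=HIGH_WATERMARK, low=LOW_WATERMARK):
    """Return a list of booleans: bypass state after each sample under `policy`."""
    in_bypass = False
    states = []
    for loads in samples:
        value = watched_utilisation(loads, policy)
        if not in_bypass and value > high:
            in_bypass = True
        elif in_bypass and value < low:
            in_bypass = False
        states.append(in_bypass)
    return states


def bypass_seconds(states, interval_s=SAMPLE_INTERVAL_S):
    """Total seconds spent with IPS bypassed for a list of per-sample states."""
    return sum(states) * interval_s


def compare_policies(samples, interval_s=SAMPLE_INTERVAL_S):
    """Seconds in bypass per policy, for the same timeline of samples."""
    return {
        policy: bypass_seconds(simulate_bypass(samples, policy), interval_s)
        for policy in ("any_core", "average")
    }


# Constructed timeline: 8 firewall workers sampled every 5 s.
# Samples 0-3: one worker pinned (e.g. by a single heavy flow), the rest idle.
# Samples 4-5: genuine box-wide saturation.  Samples 6-7: load subsides.
SAMPLES = [
    [95, 20, 25, 22, 18, 30, 24, 21],
    [97, 22, 26, 20, 19, 28, 25, 23],
    [96, 24, 23, 21, 20, 27, 26, 22],
    [98, 21, 24, 23, 17, 29, 22, 20],
    [88, 86, 90, 85, 87, 89, 84, 86],
    [90, 88, 87, 86, 89, 85, 88, 87],
    [40, 35, 38, 36, 37, 39, 34, 36],
    [30, 25, 28, 26, 27, 29, 24, 26],
]

if __name__ == "__main__":
    for policy in ("any_core", "average"):
        states = simulate_bypass(SAMPLES, policy)
        print(f"{policy:9s} bypass states: {['B' if s else '-' for s in states]}")
    print("seconds in bypass:", compare_policies(SAMPLES))
```

With these samples the per-core rule reports 30 s of bypass (it engages on the first sample and, because of the hysteresis, stays engaged until every core falls below the low watermark), whereas the averaged rule reports only 10 s, covering just the two samples where the whole system was saturated. Feeding the same shape of data from real per-core readings, with the thresholds configured on a given gateway, is a quick way to estimate how much bypass time a rebalancing change would actually save before touching production.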