We run IPS in the recommended profile. Most of the Critical and High performance are in Inactive and Detect mode. Since memory consumption is high, the Check Point TAC engineer advised us to fine-tune Critical and High Performance signatures into Prevent.
What is the relation between detect and prevent mode when it comes to memory and CPU consumption?
fwaccel stats -s
Accelerated conns/Total conns : 14/7707 (0%)
Accelerated pkts/Total pkts : 28742/10460438 (0%)
F2Fed pkts/Total pkts : 1381972/10460438 (13%)
PXL pkts/Total pkts : 9049724/10460438 (86%)
QXL pkts/Total pkts : 0/10460438 (0%)
With IPS, there should be no difference between detect and prevent mode in terms of CPU usage.
Hi Dameon,
Thank you for your prompt reply.
I did go through sk98348 -(3-9) IPS optimization, and it shows that "Avoid setting protections to run in "Detect" mode - it might increase CPU consumption (without increasing the security)."
Also according to TAC engineer "Basing on sk98348 -(3-9) IPS optimization - setting the profile protections on Prevent will utilize LESS of the machine's resources, and provide a better performance."
So what are the methods to fine-tune the IPS? We had to fine-tune the IPS because we are getting the following messages repeatedly:
Oct 24 12:06:55 2017 DC-IRDOFW1 kernel: [fw4_1];FW-1: [cul_load_freeze][CUL - Cluster] CUL should be OFF (short timeout of 10 seconds expired) but at least one member reported high CPU usage 5 seconds ago
Oct 24 12:06:56 2017 DC-IRDOFW1 kernel: [fw4_1];FW-1: [cul_load_freeze][CUL - Cluster] CUL should be OFF (short timeout of 10 seconds expired) but at least one member reported high CPU usage 6 seconds ago
Thanks
I suppose in general there is a little less of a performance impact because packets are dropped and don't egress an interface.
Some other suggestions for tuning are here: Best Practices - IPS
Thank you Dameon
If CUL is getting invoked, your CPUs are getting pounded. You need to figure out if it is happening in process space (us) or in kernel space (sy/si/hi) for starters with the top command. If in process space you should be able to see what process(es) are beating up the CPU and take action to fix it. If the high utilization is in kernel space, run enabled_blades to see which blades you have active and post it here.
To conclusively see if it is IPS and not some other blade causing the high CPU, run ips off and see if the idle percentage immediately improves. Don't forget to turn IPS back on!
--
My book "Max Power: Check Point Firewall Performance Optimization"
now available via http://maxpowerfirewalls.com.
Hi Tim,
Thank you for your thoughts.
Please find the outputs from the Active and Standby devices.
Active
enabled_blades
fw urlf av ips anti_bot
top - 09:24:48 up 4 days, 6:42, 1 user, load average: 0.58, 0.77, 0.72
Tasks: 123 total, 3 running, 120 sleeping, 0 stopped, 0 zombie
Cpu(s): 1.1%us, 0.4%sy, 0.0%ni, 83.5%id, 0.0%wa, 0.9%hi, 14.1%si, 0.0%st
Mem: 4043336k total, 3655204k used, 388132k free, 55032k buffers
Swap: 10514532k total, 592k used, 10513940k free, 631532k cached
PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
7763 admin 15 0 0 0 0 R 18 0.0 569:29.98 fw_worker_1
7764 admin 15 0 0 0 0 R 16 0.0 557:48.79 fw_worker_2
7762 admin 15 0 0 0 0 S 14 0.0 593:00.09 fw_worker_0
8897 admin 15 0 343m 104m 30m S 3 2.6 42:51.97 cpd
9373 admin 15 0 1397m 969m 26m S 1 24.6 97:06.83 fw_full
Standby
enabled_blades
fw urlf av ips anti_bot
top - 09:25:02 up 4 days, 6:14, 1 user, load average: 0.08, 0.02, 0.01
Tasks: 123 total, 2 running, 121 sleeping, 0 stopped, 0 zombie
Cpu(s): 0.2%us, 0.2%sy, 0.0%ni, 99.3%id, 0.0%wa, 0.0%hi, 0.3%si, 0.0%st
Mem: 4043336k total, 3472300k used, 571036k free, 200604k buffers
Swap: 10514532k total, 568k used, 10513964k free, 551636k cached
PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
7514 admin 15 0 0 0 0 R 1 0.0 5:57.76 fw_worker_0
7515 admin 15 0 0 0 0 S 0 0.0 6:40.10 fw_worker_1
7516 admin 15 0 0 0 0 S 0 0.0 6:25.12 fw_worker_2
9139 admin 15 0 1384m 959m 26m S 0 24.3 67:45.25 fw_full
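The process-space (us) versus kernel-space (sy/si/hi) split suggested earlier in the thread, applied to the two Cpu(s) lines posted above. This is an added example, not part of any post; the function names and the 10% "busy" cutoff are assumptions made for illustration.

```python
import re

# Cpu(s) summary lines copied from the top output posted in this thread.
ACTIVE = "Cpu(s): 1.1%us, 0.4%sy, 0.0%ni, 83.5%id, 0.0%wa, 0.9%hi, 14.1%si, 0.0%st"
STANDBY = "Cpu(s): 0.2%us, 0.2%sy, 0.0%ni, 99.3%id, 0.0%wa, 0.0%hi, 0.3%si, 0.0%st"
# Constructed line (not from the thread) showing a process-space-bound box.
CONSTRUCTED = "Cpu(s): 62.0%us, 5.0%sy, 0.0%ni, 30.0%id, 0.0%wa, 1.0%hi, 2.0%si, 0.0%st"

FIELD = re.compile(r"(\d+(?:\.\d+)?)%\s*([a-z]{2})")


def parse_cpu_line(line):
    """Return {'us': 1.1, 'sy': 0.4, ...} from a top 'Cpu(s):' summary line."""
    if not line.lstrip().startswith("Cpu"):
        raise ValueError("not a top Cpu(s) summary line")
    fields = {name: float(value) for value, name in FIELD.findall(line)}
    missing = {"us", "sy", "si", "hi", "id"} - fields.keys()
    if missing:
        raise ValueError("missing fields: " + ", ".join(sorted(missing)))
    return fields


def classify(line, busy_threshold=10.0):
    """Say whether CPU time is going to process space or kernel space.

    busy_threshold is an assumed cutoff: below it the sample is reported
    as idle and says nothing about where load would land under stress.
    """
    f = parse_cpu_line(line)
    process = f["us"]                      # user-space processes
    kernel = f["sy"] + f["si"] + f["hi"]   # system + soft IRQ + hard IRQ
    if process + kernel < busy_threshold:
        where = "idle"
    elif kernel >= process:
        where = "kernel"    # next step from the thread: check enabled_blades
    else:
        where = "process"   # next step from the thread: find the busy process in top
    return {"process": round(process, 1), "kernel": round(kernel, 1),
            "idle": f["id"], "where": where}


if __name__ == "__main__":
    for label, line in (("Active", ACTIVE), ("Standby", STANDBY),
                        ("Constructed", CONSTRUCTED)):
        print(label, classify(line))
```

A single top snapshot only describes that moment, so the split is most useful when sampled while the CUL messages are being logged.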
What is the hypothetical performance hit if you had the IPS blades turned on but had all of the signatures set to inactive?
It's basically doing the same as if IPS blade was not enabled at all but I assume that there is still a CPU/Memory hit in that case?
I know it would be ridiculous to have the blade on and all signatures inactive but curious.....
That is probably a question for R&D, but I imagine there would be a memory hit at minimum to load up all the parsers and other components IPS uses, at least for IPS ThreatCloud Protections which I'm pretty sure can all be set to inactive. However it gets more sticky when we start talking about the 39 Core Protections/Activations and the Inspection Settings, some of which I know cannot be set to Inactive, just Detect or Prevent.
If a signature/protection is set to Inactive in all TP profiles the gateway is using in the TP policy, I'm pretty sure it is not even included in the compiled policy sent to the gateway. But note that setting a signature/protection to Inactive in an exception does not have the same effect: the signature/protection is still sent to the gateway in that case and it is still looking for it, but if it gets tripped the gateway just ignores it if Inactive is set.
I have to disagree my friend.
In Prevent you kill the connection and you are done. In Detect you have to keep the connection open and keep spending CPU cycles on tracking that traffic.
I conceded this already, for the points you mentioned.