Chris_DeBaggis
Employee

IPS bypass and Dynamic Balance

I hopefully have a quick question for you all regarding IPS bypass. If we turn on dynamic balance on a gateway that also has IPS bypass enabled will dynamic balance work in a manner that offloads the inspection to other workers before IPS bypass is triggered? We can set the bypass threshold to a higher percentage if needed, but I’m just trying to understand the mechanics here because we have gateways going into bypass for hours per day in some locations. From my understanding this should be a viable method to prevent bypass from engaging. I just want to confirm.

If this method will not prevent IPS bypass from being triggered is there any other feature available to force inspection to other workers before it is triggered? I have not come across anything so I’m curious to find out the answer.

PhoneBoy
Admin

All it takes for IPS Bypass to be triggered is for one CPU to be high.
The whole purpose of Dynamic Balancing is to mitigate exactly that from happening.
I would therefore assume that enabling Dynamic Balancing would reduce the amount of time IPS Bypass would need to be triggered.
All bets are off if the issue is caused by an elephant flow, of course.

Chris_DeBaggis
Employee

Thank you. We have a solution coming for elephant flows so that should assist in that scenario. I appreciate the quick reply. 

Timothy_Hall
Champion

Dynamic Balancing combined with Hyperflow being introduced in R81.20 should reduce the incidence of the IPS Bypass being activated. 

When IPS Bypass was first introduced in R70, firewalls had relatively few cores such as 2, 4, or even perhaps 8. If one of them got saturated by IPS it would cause a noticeable impact and it was appropriate in that scenario to disable IPS on all cores because there were so few of them. Unfortunately, in today's world of 40+ core systems that methodology is completely inappropriate and essentially results in IPS being disabled on all cores all the time. What really needs to happen is the IPS Bypass feature averaging the utilization of all cores when deciding whether to go into bypass mode. Until that happens my recommendation is to leave the IPS Bypass feature off. See my other response on this topic here which has some content from one of my courses:

https://community.checkpoint.com/t5/Security-Gateways/IPS-Bypass-is-triggered-even-when-CPU-utilizat...

New 2021 IPS/AV/ABOT Immersion Self-Guided Video Series
now available at http://www.maxpowerfirewalls.com
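As an added illustration (not code from this thread, and not Check Point's implementation), here is a small Python model of the two trigger rules discussed above: PhoneBoy's point that a single hot core is enough to trip IPS Bypass, and Timothy_Hall's suggestion that averaging utilization across all cores would behave very differently on a 40+ core box. The 80%/70% engage/release thresholds, the hysteresis, the `rebalance` stand-in for Dynamic Balancing and the 40-core utilization samples are all assumptions constructed for the example; a real elephant flow is a single connection that cannot be split across workers, which is the case the `rebalance` model deliberately ignores.

```python
"""Toy model of IPS Bypass trigger policies on a multi-core gateway.

Illustrative only: thresholds, sampling and the balancing rule are
assumptions made for this example, not the product's behaviour.
"""
from statistics import mean

# Assumed thresholds (percent CPU). Bypass engages when the trigger metric
# exceeds HIGH and releases once it drops below LOW (hysteresis).
HIGH = 80.0
LOW = 70.0


def any_core_trigger(cores):
    """Per-core rule: the metric is the busiest single core."""
    return max(cores)


def average_trigger(cores):
    """Averaging rule proposed in the thread: the metric is the mean load."""
    return mean(cores)


def bypass_timeline(samples, metric):
    """Walk per-core utilisation samples and return, per sample, whether
    IPS Bypass would be engaged under `metric` with hysteresis applied."""
    engaged = False
    timeline = []
    for cores in samples:
        value = metric(cores)
        if not engaged and value > HIGH:
            engaged = True
        elif engaged and value < LOW:
            engaged = False
        timeline.append(engaged)
    return timeline


def bypass_fraction(timeline):
    """Share of samples during which inspection was bypassed."""
    return sum(timeline) / len(timeline) if timeline else 0.0


def rebalance(cores, target=LOW):
    """Idealised stand-in for Dynamic Balancing (an assumption, not the
    product's algorithm): every core above `target` sheds its excess evenly
    onto the cores at or below `target`. Best case only: one heavy
    connection cannot actually be spread across workers."""
    cores = list(cores)
    hot = [i for i, c in enumerate(cores) if c > target]
    cool = [i for i, c in enumerate(cores) if c <= target]
    if not hot or not cool:
        return cores
    for i in hot:
        excess = cores[i] - target
        cores[i] = target
        for j in cool:
            cores[j] += excess / len(cool)
    return cores


# Constructed sample: a 40-core gateway where one core is pinned at 95% for
# two sampling intervals while the other 39 idle at 20%.
SAMPLES = [
    [20.0] * 40,
    [95.0] + [20.0] * 39,
    [95.0] + [20.0] * 39,
    [20.0] * 40,
]


def compare(samples=SAMPLES):
    """Bypass timelines for each policy over the same utilisation samples."""
    balanced = [rebalance(s) for s in samples]
    return {
        "any_core": bypass_timeline(samples, any_core_trigger),
        "average": bypass_timeline(samples, average_trigger),
        "any_core_balanced": bypass_timeline(balanced, any_core_trigger),
    }


if __name__ == "__main__":
    for name, timeline in compare().items():
        print(f"{name:18s} {timeline}  bypassed {bypass_fraction(timeline):.0%} of the time")
```

Running it shows the asymmetry the thread describes: the per-core rule bypasses inspection for half the window because one core out of forty is busy, while the averaging rule never fires (the mean load is under 22%), and a balancer that can actually move the excess off the hot core keeps the per-core rule from firing too.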