This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Snort CPU util on 17.5.6 MR6

Hi All,

Since upgrading to 17.5.6 MR6, we started to have users complaining about slow website access times. We currently have two XG 330 rev 2 in a HA active/passive config.

I created a HTTP/HTTPS bypass rule for the transparent proxy, showed a massive improvement in website access times. This was a single rule selecting my machine as IP, adding subsequent machines to this rule during peak load times, also showed an improvement in website access times.

I then went back to our two internet access rules for outbound for our org, and removed HTTP scanning, immediately the CPU dropped from 70% to around 20% util. Now we have NO http scanning rules setup on any of our rules, yet I am still seeing snort cpu util is pegged.

What gives?

This thread was automatically locked due to age.

0 James Lemon over 6 years ago

Just an update, a forgot to do ***-I in top, because it's a multi-core CPU. It's still high but, and I'm wondering why it's still right on the top with no HTTP scanning enabled? Also would I benefit from having both XG's in active/active?

Cheers.
Cancel
Vote Up 0 Vote Down

Cancel
0 SaschaParis over 6 years ago in reply to James Lemon

Hi JL

I wonder, what your IPS settings are ? Please post the output from the devcice console for "show ips-settings" - like I did below (Rev1. XG125 Appliance)

console> show ips-settings
-------------IPS Settings-------------
        stream on
        lowmem off
        maxsesbytes 0
        maxpkts 8
        mmap off
        enable_appsignatures on
        mmapfilepath var
        http_response_scan_limit 65535
        search_method hyperscan
        sip_preproc enabled
        sip_ignore_call_channel enabled

-------------IPS Instances------------
IPS CPU
1 0
2 1

And also which hardware you use. Obviously some Quadcore CPU with 12Gigs of Mem - Do you have a exact CPU type ?

/Sascha
Cancel
Vote Up 0 Vote Down

Cancel
0 James Lemon over 6 years ago in reply to SaschaParis

I believe CPU type is:

Intel Core i5 Quad Core 6500

That command does not exist under advanced shell, which is all i have access to currently.
Cancel
Vote Up 0 Vote Down

Cancel
0 rfcat_vk over 6 years ago in reply to James Lemon

What happens when you fail over to the other XG?

Ian
Cancel
Vote Up 0 Vote Down

Cancel
0 Ronak Sheth over 6 years ago in reply to James Lemon

Hello James Lemon,

This command is available in console. You can select option 4 when you connect XG using SSH or Telnet. Else you can also execute "cish" in Advance Shell to go to console.

Regards, Ronak.
Cancel
Vote Up 0 Vote Down

Cancel
0 James Lemon over 6 years ago in reply to Ronak Sheth

Many thanks Ronak, didn't know about cish.

Here is the output:

XG330_WP01_SFOS 17.5.6 MR-6# cish
console> show ips-settings
-------------IPS Settings-------------
stream on
lowmem off
maxsesbytes 0
maxpkts 8
enable_appsignatures on
http_response_scan_limit 65535
search_method hyperscan
sip_preproc enabled
sip_ignore_call_channel enabled

-------------IPS Instances------------
IPS CPU
1 0
2 1
3 2
4 3

console>
Cancel
Vote Up 0 Vote Down

Cancel
0 Kimberly Cooper over 6 years ago in reply to James Lemon

Agreed...Command does not exist under advanced shell.There are alternative ways to do it though.
Cancel
Vote Up 0 Vote Down

Cancel
0 Jelle over 6 years ago in reply to Kimberly Cooper

Same here? https://community.sophos.com/products/xg-firewall/f/web-protection/113875/http-browsing-extreme-slow-after-update-sfos-to-17-5-6-from-17-5-3
Cancel
Vote Up 0 Vote Down

Cancel