Internet traffic stops every time XG has an IPS or ATP update

I've looked into this further but it doesn't seem to be limited to that one site. I checked our own site and that dropped all traffic for about 40s during an ATP update (I presume it was for a shorter period because it is an XG 230 and the update would have completed quicker).

Hi JasP,

After a talk with the support, I've found out anything that makes the IPS (Snort) service restarts will make your firewall drop packets.

Well, I've been facing a issue where creating a custom IPS signature, Snort would restart bringing a lot of packets down with it, after a while I've saw the same thing happens over IPS/ATP updates. This issue is a lot more noticeable on low-end CPUs since It takes a while to restart Snort.

In v17.5 It would primarily drop only the traffic that had IPS within a policy, now on v18 It's even worse because if your doing TLS Decryption half of the decrypted traffic gets dropped and you have to refresh the entire page over the browser.

The answer by them has - some traffic will get dropped while restarting Snort, so they will add this information at the Docs.

Thanks!

Hi JasP,

After a talk with the support, I've found out anything that makes the IPS (Snort) service restarts will make your firewall drop packets.

Well, I've been facing a issue where creating a custom IPS signature, Snort would restart bringing a lot of packets down with it, after a while I've saw the same thing happens over IPS/ATP updates. This issue is a lot more noticeable on low-end CPUs since It takes a while to restart Snort.

In v17.5 It would primarily drop only the traffic that had IPS within a policy, now on v18 It's even worse because if your doing TLS Decryption half of the decrypted traffic gets dropped and you have to refresh the entire page over the browser.

The answer by them has - some traffic will get dropped while restarting Snort, so they will add this information at the Docs.

Thanks!

Thanks for the info Prism

So, in summary, the way they handle updates is crap and their solution to the problem is to document the fact it is crap!

If that is the behaviour then an obvious solution is to be able to specify a time period to check for IPS and ATP updates, then it can be scheduled out of hours. All you can do ATM is turn automatic updates on or off.

JasP said:

If that is the behaviour then an obvious solution is to be able to specify a time period to check for IPS and ATP updates, then it can be scheduled out of hours.

Well, don't hold your breath.

People have been asking this since 2016, by the rate that things are moving we will see this really advanced feature by the year 2026.

Hi Jasp,

you can change the update frequency from rvry 15 minutes out to every 2 days or as you said by manually starting the process.

A question which PMStuart has not addressed or maybe even been asked is this not an issue with the UTM?

Ian

Hi ian

Thanks, I'm aware of this but this but it still doesn't when they run. I assume it is also applies to all the updates, including anti-virus updates, that don't cause and issue and I would like to update asap.