I have a cluster of XGS2300 firewalls that do not seem to offload traffic via "fastpath" as they should. Sometimes it works great, but other times it seems like it doesn't offload anything.
CPU utilization sits around 40-50%. Currently the firewall has around 300-500 mbps of traffic going through it. 80% of this traffic is not encrypted and is inter-VLAN, but Snort is using 30% of the CPU. This inter-VLAN traffic is excluded from any type of inspection, but Sophos chose to still have Snort always inspect traffic, regardless of the firewall rule. Disabling SSL inspection and IPS brings the CPU down to around 7%.
So, my question is, does anyone know how to dig down into Snort and figure out why it is using so much CPU, or find out why Snort is not offloading the traffic? Support is no help on this. I've called a few times, but didn't even get to the point of opening a ticket. They just say it's working as designed. I just can't accept that answer with a box that is supposed to do 1,450 mbps of SSL/TLS inspection, but is choking on 500 mbps of non-encrypted traffic.
They are running V18.5.3. I have tested V19 GA as well, but no difference. I downgraded back to V18.5.3 until V19 is proven stable.
Mike