SFOS 16.01.0 known IPS issue - Work arounds?

We have similar problem - with IPS service turned ON and even if its not configured on any of firewalls rules its constantly eating 1 cpu core (on XG115) and causing latency spikes with real-time traffic degradation (VOIP)

Already opened a case about this issue, waiting for an answer.

p.s. is it really a "known" issue? Where I can find it?

We have similar problem - with IPS service turned ON and even if its not configured on any of firewalls rules its constantly eating 1 cpu core (on XG115) and causing latency spikes with real-time traffic degradation (VOIP)

Already opened a case about this issue, waiting for an answer.

p.s. is it really a "known" issue? Where I can find it?

Hi, It is a known issue - release notes: https://community.sophos.com/products/xg-firewall/b/xg-blog/posts/sfos-16-01-1-released

"NC-8238   [IPS]              IPS Service drops legitimate traffic in very high load average conditions"

To me its pretty awful that its taken so long to get a fix out. I had to disable the IPS service on one installation. It seems fin on my Cyberoam Cr300 ing XP though, which is production so I am happy its not causing issues there.

I'm interested to hear the answer you are given :)

Our situation is nowhere near "in very high load average conditions" ))

We have XG115 and 2-5mbit of traffic with no spikes (+1-2 SSL VPN clients)

Im sorry to say that but im starting to understand why palo-alto cost x5-10 times more (because they have separate management and traffic boards in one box + FPGA, and of course better quality control)

Hi AleksandrIvanov, 

The Issue on this BUG is resolved with V16.01.1 , check if the issue persist

I think you are mistaken, as the issue is definately not resolved on 16.01.1 for me. I still have to disable IPS, or it drops all packets. 

It's still listed under "Known Issues" here: 

https://community.sophos.com/products/xg-firewall/b/xg-blog/posts/sfos-16-01-1-released

Known Issues

NC-6315 [Clientless Access(HTTP/HTTPS)] Script based web forms of Web Server is not accessible with Clientless VPN

NC-12079 [Galileo Heartbeat] No heartbeat status displayed on control center with MAC End point

NC-13480 [Galileo Heartbeat] Heartbeat service taking High CPU due to same multiple UUID of End Point

NC-8238 [IPS] IPS Service drops legitimate traffic in very high load average conditions

NC-13538 [UI] Control center page is not properly displayed with IE 11

NC-13282 [Wireless] AP Deployment over IPsec VPN is not working

We are using SFOS 16.01.1 since it was released. Issue still here.

Same issue with VOIP/SIP/RTP traffic drop outs on a XG-105 (Possibly, on two of them)

Absolutely fine in v15. Then we got call quality degredation and drop outs of about 1-2 seconds.

We had to do a packet trace either side of the Firewall - and we could see that the Sophos was "holding on" to a bunch of packets for around 5 seconds before passing them on to the network - presumably due to the "IPS" function.

Note: Service was turned ON, but not configured on any rules, just like Aleksandr.

We stopped the IPS service and the problems have gone away.

The XG105 is still reporting a load average of 1.13, 1.19, 1.21 which could be considered 'high', but it's much better than it was.

One big question: Is there a way that we can make sure the IPS service stays stopped? Sophos support - is there something we can do in the advanced shell to disable it for now until this is fixed?

The real issue is being able to disable the various IPS rules for each firewall rule, rather than all or nothing.