
Cluster XG 310 - Snort 100% - Firewall block all traffic and routing

Hi all,

 

I have an XG310 cluster, last updated last Friday to v16, hoping that something was fixed.

I experience random stops of firewall functionality: I can only access the firewall web administration if I am on the same LAN subnet; other traffic is blocked, there is no routing, and public web/mail sites are blocked.

I have been updating the XG version all along (since April this year); for months, sometimes everything locks down. The only solution is a reboot of the device, after which everything is fine.

While the system is locked, I can access the appliances via SSH, and every time the system is locked I notice the snort process at 100% of CPU resources. If I kill that process everything restarts instantaneously... so maybe some IPS issue? Anyone?

This has been happening since the beginning of production; it's really frustrating. It's not a daily issue, but it happens at least once every month...

Last but not least, I went through support with no luck months ago...

thanks in advance,

 

Simone

 



  • Simone,

    It is strange that support did not solve the problem. Is the IPS signature updated inside the Patterns?

    Can you share your "show ips-settings" from the console?

    Did you try to use only one XG, without the cluster, and see if the problem persists? (I hope you have an A/P cluster.)

    Thanks

  • Thank you for the answer.

    No, support never fixed this issue. I opened the first ticket in May. The only explanation they gave me was that it could be an IPS workload issue, nothing more. After that I tried to analyze the issue during the fault, but we are in production and I cannot spend a lot of time on live analysis...

     

    This is the output :

    -----------------------------------------------

    Sophos Firmware Version SFOS 16.01.1

    console> show ips-settings
    -------------IPS Settings-------------
    stream on
    lowmem off
    maxsesbytes 0
    maxpkts 80
    mmap off
    enable_appsignatures on
    http_response_scan_limit 65535


    -------------IPS Instances------------
    IPS CPU
    1 2

  • Simone,

    From the console, type: set ips maxpkts 8. In some pattern updates, maxpkts has moved to 80 (while the value should be 8).

    Once you have launched the command, the setting takes time to apply (a few minutes) before you get the console back.

    Check if the CPU usage is running normally.

  • Ok done! 

     

    What is the maxpkts parameter?

    Do I have to set it every time I reboot?

     

    Simone 

  • MAXPKTS checks for a signature match in a desired number of packets. By default, this limit is set to 8, which means it will check a total of 16 packets, 8 on each side.

    MAXPKTS should not change even after a reboot.

    Anyway, your IPS problem could be due to another issue. Mine is just advice.

  • Hi ,

     

    The Snort issue could be caused by the IPS service, but the common reason could be flooding or a higher volume of traffic than the device can handle. I would need you to troubleshoot this issue step by step to determine the cause.

    Step 1: Check the system information of your XG appliance in the console.

    1. sh ips-settings

    Results: Post

    2. sh advanced-firewall

    Results: Post

    3. system diagnostics show disk

    Results: Post

    4. system diagnostics show memory

    Step 2: How many concurrent users are in your network?

    Step 3: Set DoS settings

    Source

    TCP: none

    UDP: 5000

    Syn: 2500

    Bypass UDP 53 and UDP 443 in DoS settings

    Check the drops under DoS and remove the system from your network.

    Let us know if it helps, and also private message me the service request so I may check from our end.

    Thanks and Regards

    Aditya Patel | Network and Security Engineer.

     

     

     

  • 1. sh ips-settings

    console> sh ips-settings
    -------------IPS Settings-------------
    stream on
    lowmem off
    maxsesbytes 0
    maxpkts 8
    mmap off
    enable_appsignatures on
    http_response_scan_limit  65535
    -------------IPS Instances------------
    IPS CPU
     1  2

    2. sh advanced-firewall

    console> sh advanced-firewall
    Strict Policy: on
    FtpBounce Prevention: control
    Tcp Conn. Establishment Idle Timeout: 10800
    UDP Timeout Stream: 60
    Fragmented Traffic Policy: allow
    Midstream Connection Pickup: off
    TCP Seq Checking: on
    TCP Window Scaling: on
    TCP Appropriate Byte Count: on
    TCP Selective Acknowledgements: on
    TCP Forward RTO-Recovery[F-RTO]: off
    TCP TIMESTAMPS: off
    Strict ICMP Tracking: off
    ICMP Error Message: allow

    Bypass Stateful Firewall
    ------------------------
             Source              Genmask             Destination         Genmask

    NAT policy for system originated traffic
    ---------------------
    Destination Network     Destination Netmask     Interface       SNAT IP

    3. system diagnostics show disk

    console> system diagnostics show disk
    Partition        Utilization(%)
    ===============================
    configuration        16%
    content               2%
    report                4%

    4. system diagnostics show memory

    console> system diagnostics show memory
    MemTotal:       12178540 kB
    MemFree:         3747700 kB
    MemAvailable:    6027012 kB
    Buffers:          338024 kB
    Cached:          1945468 kB
    SwapCached:            0 kB
    Active:          7189552 kB
    Inactive:         848440 kB
    Active(anon):    5834476 kB
    Inactive(anon):    39600 kB
    Active(file):    1355076 kB
    Inactive(file):   808840 kB
    Unevictable:           0 kB
    Mlocked:               0 kB
    SwapTotal:       8791292 kB
    SwapFree:        8791292 kB
    Dirty:              3240 kB
    Writeback:             0 kB
    AnonPages:       5754296 kB
    Mapped:           171916 kB
    Shmem:            119780 kB
    Slab:             216564 kB
    SReclaimable:     167692 kB
    SUnreclaim:        48872 kB
    KernelStack:        5024 kB
    PageTables:        29360 kB
    NFS_Unstable:          0 kB
    Bounce:                0 kB
    WritebackTmp:          0 kB
    CommitLimit:    14880560 kB
    Committed_AS:   10987540 kB
    VmallocTotal:   34359738367 kB
    VmallocUsed:       46892 kB
    VmallocChunk:   34359608916 kB
    DirectMap4k:        7512 kB
    DirectMap2M:     1980416 kB
    DirectMap1G:    10485760 kB


    Step 3: Set Dos Settings 

     

    Here I have some thoughts. I have one main site under IPS protection that gets a lot of traffic; during the day it is usually around 20-40 Mbit average, sometimes it goes up to 60-70 Mbit, but this is rare. Is there a risk of false positives dropping "good" traffic?

    I will send my service request in private,

     

    Thanks 

    Simone
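
The two pieces of advice in this thread (reset maxpkts to 8 because a pattern update moved it to 80, and collect the ips-settings, memory and disk output before blaming traffic volume) lend themselves to a small health check that can be run against the console output whenever the box is suspected of drifting. The script below is an added example and is not Sophos code or anything posted in the thread; it parses the three outputs exactly as they appear above and flags maxpkts drift, low available memory, swap use and near-full partitions. The sample text is abbreviated from Simone's posts, and the memory and disk thresholds are my own assumptions, not values from the thread.

```python
"""Triage helper for SFOS console output (added example, not Sophos code).

Parses the text of `show ips-settings`, `system diagnostics show memory`
and `system diagnostics show disk` as posted in the thread and flags:
maxpkts drifted away from 8, low available memory, swap in use, and
partitions near full. Thresholds other than maxpkts are assumptions.
"""
import re

EXPECTED_MAXPKTS = 8          # default the reply says a pattern update overwrote
MEM_AVAILABLE_WARN_PCT = 15   # assumed threshold, not from the thread
SWAP_USED_WARN_KB = 0         # assumed: any swap use on an appliance is worth a look
DISK_WARN_PCT = 85            # assumed threshold, not from the thread

# Constructed samples, abbreviated from the outputs posted in the thread.
SAMPLE_IPS_BEFORE = """console> show ips-settings
-------------IPS Settings-------------
stream on
lowmem off
maxsesbytes 0
maxpkts 80
mmap off
enable_appsignatures on
http_response_scan_limit 65535

-------------IPS Instances------------
IPS CPU
1 2
"""
SAMPLE_IPS_AFTER = SAMPLE_IPS_BEFORE.replace("maxpkts 80", "maxpkts 8")
SAMPLE_MEM = """MemTotal:       12178540 kB
MemFree:         3747700 kB
MemAvailable:    6027012 kB
SwapTotal:       8791292 kB
SwapFree:        8791292 kB
"""
SAMPLE_DISK = """Partition        Utilization(%)
===============================
configuration        16%
content               2%
report                4%
"""


def parse_ips_settings(text):
    """Return {'settings': {key: value}, 'instances': [(ips_id, cpu), ...]}."""
    settings, instances, section = {}, [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith("console>"):
            continue
        if "IPS Settings" in line:
            section = "settings"
        elif "IPS Instances" in line:
            section = "instances"
        elif section == "settings":
            key, _, value = line.partition(" ")
            settings[key] = value.strip()
        elif section == "instances":
            parts = line.split()
            if len(parts) == 2 and all(p.isdigit() for p in parts):
                instances.append((int(parts[0]), int(parts[1])))
    return {"settings": settings, "instances": instances}


def parse_meminfo(text):
    """Return {field: kB} from /proc/meminfo-style lines such as 'MemTotal: 123 kB'."""
    return {m.group(1): int(m.group(2))
            for m in re.finditer(r"^([^:\s]+):\s+(\d+)\s*kB", text, re.MULTILINE)}


def parse_disk(text):
    """Return {partition: utilization_pct} from the disk table; header rows are skipped."""
    return {m.group(1): int(m.group(2))
            for m in re.finditer(r"^(\w+)\s+(\d+)%\s*$", text, re.MULTILINE)}


def check_ips(parsed):
    """Flag maxpkts drift and name the console command that resets it."""
    value = int(parsed["settings"].get("maxpkts", EXPECTED_MAXPKTS))
    if value == EXPECTED_MAXPKTS:
        return []
    return [f"maxpkts is {value}, expected {EXPECTED_MAXPKTS}; "
            f"fix on the console with: set ips maxpkts {EXPECTED_MAXPKTS}"]


def check_memory(mem):
    findings = []
    avail_pct = 100 * mem["MemAvailable"] / mem["MemTotal"]
    if avail_pct < MEM_AVAILABLE_WARN_PCT:
        findings.append(f"only {avail_pct:.1f}% memory available")
    swap_used = mem["SwapTotal"] - mem["SwapFree"]
    if swap_used > SWAP_USED_WARN_KB:
        findings.append(f"{swap_used} kB of swap in use")
    return findings


def check_disk(disk):
    return [f"partition {name} at {pct}%" for name, pct in disk.items() if pct >= DISK_WARN_PCT]


def triage(ips_text, mem_text, disk_text):
    """Run every check over raw console output; an empty list means nothing to act on."""
    return (check_ips(parse_ips_settings(ips_text))
            + check_memory(parse_meminfo(mem_text))
            + check_disk(parse_disk(disk_text)))


if __name__ == "__main__":
    for finding in triage(SAMPLE_IPS_BEFORE, SAMPLE_MEM, SAMPLE_DISK) or ["no findings"]:
        print(finding)
```

Paste the real console output into the three strings (or read them from files captured over SSH) and the only finding on the first post's settings is the maxpkts drift; after `set ips maxpkts 8` the same run reports nothing, which is a quick way to confirm the setting survived a reboot or a pattern update, the question Simone asked above.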