Cluster XG 310 - Snort 100% - Firewall block all traffic and routing

Hi all,

I have an XG310 cluster, last updated last Friday to v16, hoping that something was fixed.

I experienced random stops of firewall functionality: I can only access the firewall web administration if I am on the same LAN subnet; other traffic is blocked, no routing, public web/mail sites blocked.

I have been updating the XG version all along (since April this year); for months, sometimes everything locks down... the only solution is a reboot of the device; after that everything is fine.

While the system is locked, I can access the appliances via SSH, and every time the system is locked I notice the snort process at 100% of CPU resources; if I kill that process everything restarts instantaneously... so maybe some IPS issue? Anyone?

This has been happening since the beginning of production; it's really frustrating. It's not a daily issue, but it happens at least once every month...

Last but not least, I went through support with no luck months ago...

Thanks in advance,

Simone

  • Hi Simone and welcome to Sophos Community,

    If the IPS service, i.e. snort, is taking high CPU usage, please check if any IPS policy is applied on the firewall rules. Check the IPS live logs and verify if any signature is detected frequently. If it is showing lots of IPS alerts with only one or two IPS signatures, please disable those signatures from the IPS policy.
     
    Thanks
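As an added illustration of the check suggested in this reply (not code from the thread or from Sophos): a small Python script that tallies IPS alerts per signature from exported log lines and flags any single signature that produces most of the alerts. The sample log lines and the key="value" field names (log_type, log_subtype, signature_id, signature_msg) are constructed assumptions for the example, not the product's exact log schema.

```python
import re
from collections import Counter

# Constructed sample lines in a key="value" style loosely modelled on Sophos XG
# IDP (snort) log output. The field names are assumptions for this example, not
# the product's exact schema; adapt them to the fields shown in your Log Viewer.
SAMPLE_IPS_LOG = """\
log_type="IDP" log_subtype="Alert" signature_id="9000001" signature_msg="EXAMPLE scan probe" src_ip="203.0.113.5" dst_ip="192.0.2.10"
log_type="IDP" log_subtype="Alert" signature_id="9000001" signature_msg="EXAMPLE scan probe" src_ip="203.0.113.6" dst_ip="192.0.2.10"
log_type="Firewall" log_subtype="Allowed" src_ip="192.0.2.20" dst_ip="198.51.100.1"
log_type="IDP" log_subtype="Alert" signature_id="9000001" signature_msg="EXAMPLE scan probe" src_ip="203.0.113.7" dst_ip="192.0.2.10"
log_type="IDP" log_subtype="Alert" signature_id="9000002" signature_msg="EXAMPLE malformed header" src_ip="198.51.100.9" dst_ip="192.0.2.11"
log_type="IDP" log_subtype="Alert" signature_id="9000001" signature_msg="EXAMPLE scan probe" src_ip="203.0.113.8" dst_ip="192.0.2.10"
"""

KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_kv_line(line):
    """Turn one key="value" log line into a dict (unrecognised layout -> empty dict)."""
    return dict(KV_RE.findall(line))


def count_ips_signatures(log_text):
    """Count IPS alert lines per (signature_id, signature_msg); other log types are skipped."""
    counts = Counter()
    for line in log_text.splitlines():
        fields = parse_kv_line(line)
        if fields.get("log_type") != "IDP" or fields.get("log_subtype") != "Alert":
            continue
        counts[(fields.get("signature_id", "?"), fields.get("signature_msg", "?"))] += 1
    return counts


def noisy_signatures(log_text, share=0.5):
    """Signatures responsible for at least `share` of all IPS alerts, most frequent first.

    One signature dominating the alert stream is the pattern worth reviewing first
    (tune it, or disable it only as a test) before suspecting the IPS engine itself.
    """
    counts = count_ips_signatures(log_text)
    total = sum(counts.values())
    if total == 0:
        return []
    return [(sid, msg, n) for (sid, msg), n in counts.most_common() if n / total >= share]


if __name__ == "__main__":
    for sid, msg, n in noisy_signatures(SAMPLE_IPS_LOG):
        print(f"signature {sid} ({msg}) fired {n} of {sum(count_ips_signatures(SAMPLE_IPS_LOG).values())} alerts")
```

On the constructed sample the script reports signature 9000001 as responsible for 4 of 5 alerts; on a real export it only tells you where to look, not whether the signature is a false positive.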
  • Hi sachingurung,

    I tried to take a look at the logs when the problem occurred, but like I said I haven't much time; next time I will try to take a closer look at the IPS logs in Log Viewer. At this moment the situation is quiet enough, so I cannot identify a specific problem.

    You say to eventually disable frequently showing signatures; do you mean for testing? In this case it's ok, otherwise I cannot disable IPS signatures permanently... this cluster I got (2x XG 310) is far overestimated for our network connection limits, so I'm expecting easy management of the antivirus and IPS engines with our load even at maximum speed...

    Regards,

    Simone
