SFOS 16.01.2 snort high cpu even with None in policy

Question

Not sure if this is related to 16.01.2, or some pattern update, but shortly after I updated on 11/29 my CPU usage has more than doubled with no changes to configuration other than the 16.01.2 update (and probably some behind-the-scenes pattern updates).

I didn't even know the CPU was under load until the effects yesterday 12/7 when my traffic was screeching slow. When I logged onto the console snort was taking 100% CPU! 
 I checked a few links from the board and found my maxpxts was 80 so I adjusted that to 8 which has helped a lot keeping snort to around 60-70% CPU but the system is definitely running hotter than usual (compare to the previous SFOS 16.01.1). 
 It also seems like vlan routing (zone-to-zone) policies influence snort (some sort of pre-filtering?) even though IPS policy for that rule is set to None. Is there a way to exclude pre-filter snort traffic if the rule defines it as none? 
 Thanks

lferrara · Accepted Answer

Hi All, 
 another user ( Ady San ) had the same issue only on AMD CPU. Who is having the issue with Snort, is using AMD platform? 
 See this thread: 
 https://community.sophos.com/products/xg-firewall/f/intrusion-prevention/83943/snort-takes-too-heavy-process-at-bridge-mode-not-used-ips-in-any-rule/317897#317897 
 Thanks

ShunzeLee · Answer

Dear All, 
 After support team working for two months, they resolved the issue of mine finally. 
 They add a command ' set ips ips-instance add IPS cpu 1 '. 
 
 The command basically creates 2 instances of IPS, allowing the IPS to use the 2nd core of the appliance for processing of IPS traffic. 
 And I also found that the snort procedure doesn't appear in CPU utility. 
 Support team reply as following. Ans-> There can be multiple reason why the snort is not listed on the CPU utility, but at the same time, if it is not listed doesn't mean there is any problem. 
 
 The issue resolved finally...

ShunzeLee · Answer

Although the command ' set ips ips-instance add IPS cpu 1 ' can resolve the issue. 
 But I found that the setting will disappear after reboot. 
 I can't ask my customer to do this every time when the appliance reboot. 
 Is there a way to set it permanently? 
 It so sad...

ShunzeLee · Answer

Support team give us the following command , set ips ips-instance apply 
 And it works finally! 
 The setting will not lost after reboot. 
 thanks~

Aditya Patel · Answer

HI AleksandrIvanov, 
 We have checked the issue and would suggest you to Upgrade the SFOS to latest HW-SFOS_16.01.2.SF300-222.