SFOS 16.01.2 snort high cpu even with None in policy

Not sure if this is related to 16.01.2 or some pattern update, but shortly after I updated on 11/29 my CPU usage more than doubled, with no changes to configuration other than the 16.01.2 update (and probably some behind-the-scenes pattern updates).

I didn't even know the CPU was under load until I felt the effects yesterday, 12/7, when my traffic was screeching slow. When I logged onto the console, snort was taking 100% CPU!

I checked a few links from the board and found my maxpkts was 80, so I adjusted that to 8, which has helped a lot, keeping snort to around 60-70% CPU, but the system is definitely running hotter than usual (compared to the previous SFOS 16.01.1).

It also seems like VLAN routing (zone-to-zone) policies influence snort (some sort of pre-filtering?) even though the IPS policy for that rule is set to None. Is there a way to exclude traffic from snort pre-filtering if the rule's IPS policy is set to None?

Thanks

  • Hi!

    I thought we were the only one in this dumb situation.

    All symptoms exactly as yours, but in our situation this problem is critical (maybe in yours too). We can't use "real-time" traffic (VoIP/video) because of the IPS engine enabled on the Sophos XG115: high latency spikes lead to VoIP traffic degradation.

    Sophos support is a joke; we opened this case more than a month ago and they just keep throwing us from L1 to L2 support without any solution.

    In the end we are stuck with a quite expensive box (we bought all the additional licenses) which is working only as a dumb router/firewall.

    Now I understand that a firewall is not where you should save money, and we will swap this nonsense for a Palo Alto ASAP.

  • Alek,

    Did you create a QoS policy for the VoIP traffic? Also, IPS should not be used to scan VoIP traffic, but only to protect the PBX, management server, etc.

  • IPS enabled only as service, it is NOT enabled on any firewall rules.

    Also, QoS is not needed when you are not reaching the WAN and/or port limit (our traffic is about 2-3 Mbit max on our XG115).

    Everything else is by default.

    I'm sorry, but I think you too are not reading or seeing the whole picture:

    everyone already wrote that simply enabling the IPS service (just as a service, not as configuration on a firewall rule) is causing latency spikes, and those latency spikes are causing real-time traffic degradation.

    P.S. Why is it that when someone talks about VoIP, every support person gets horny and tries to ask about QoS? :)

  • Alek,

    My reply was to make sure that the proper settings were in place and the problem was with the "IPS service".

    , can you take a look at this thread and come back here with a proper solution/answer?

    The IPS service is creating performance issues on some installations (even on HW appliances). We expect to see a fix ASAP, otherwise customers will move away from XG.

  • CaseID 6697114 (if you need one of course)
