SFOS 16.01.2 snort high cpu even with None in policy

I have the same issue, and open case already.

Stop IPS service can resolve the issus.

But what should I do when user want to enable IPS function on some firewall rules?

I am waiting for Sophos response...

Dear All,

After support team working for two months, they resolved the issue of mine finally.

And I also found that the snort procedure doesn't appear in CPU utility.

Support team reply as following.

Ans-> There can be multiple reason why the snort is not listed on the CPU utility, but at the same time, if it is not listed doesn't mean there is any problem.

The issue resolved finally...

Dear All,

After support team working for two months, they resolved the issue of mine finally.

And I also found that the snort procedure doesn't appear in CPU utility.

Support team reply as following.

Ans-> There can be multiple reason why the snort is not listed on the CPU utility, but at the same time, if it is not listed doesn't mean there is any problem.

The issue resolved finally...

Although the command 'set ips ips-instance add IPS cpu 1' can resolve the issue.

But I found that the setting will disappear after reboot.

I can't ask my customer to do this every time when the appliance reboot.

Is there a way to set it permanently?

It so sad...

Hi Shunzeelee,

If the changes are reverted after a reboot, contact support to inspect it and escalate it to the developers.

Thanks

Support team give us the following command ,
set ips ips-instance apply

And it works finally!

The setting will not lost after reboot.

thanks~

Thanks ShunzeLee to sharing your issue and support to everyone on community. Many users will benefit of your commitment and patience!

Regards

Hello ShunzeLee,

Could you please let me know approx. how many Mbps/Gbps. pass through your XG and approx. number of users? Sophos support also increased the number of CPUs  in my XG-430 (in my case up to 3), but didn't have that much luck, so far a little over 3 week waiting...

Thanks,

R.

30 users and it's throughput as following

Support team used about 2 months to resolve the issue...

Same issue for 2+ month but zero suggestions from support in our case.  I dont understand why I should experiment with our in-production box (experiment=try different suggestions from forum guys). In my vision sophos should have their test stand with all the SG/XG models and firmwares available to reproduce this issue (or not) and test their suggestions on the test lab.

Last week they switched us to new L1 support (4th one to be exact)... this is such a bollocks.

p.s. and every new L1 guy starts same song "Hello sir, let me connect to your box using your desktop/teamviewer or whatever ****". This is such annoying situation, I dont understand what im paying for.

I agree with you all.

I have seen several users and threads about ips performance and issue that I really hope v17 will fix all of them.

Into v17 ips will be improved.

Using XG without ips inside certain environments is almost useless.

Apart logging, XG is suffering for ips performance.

Let's wait v17!

I can't agree with you anymore.

Has anyone tried 16.05.1MR1?,  I was just told that "development" is suspecting that it will solve my issues... (we can have up to 3K devices concurrently and push > 1Gbps)

As per the release notes (community.sophos.com/.../sfos-16-05-1-mr1-released)

• NC-14599 [IPS] IPS constantly taking high CPU when deployed in discover mode

... this is he only entry that is IPS related, and I am not using discovery mode.

Since we are in bridge mode, testing is disruptive, and most likely won't have time to do it in the near future.

Just in case someone wants to give it a try, please let us know how it went.

R.