SFOS 16.01.2 snort high cpu even with None in policy

Not sure if this is related to 16.01.2, or some pattern update, but shortly after I updated on 11/29 my CPU usage has more than doubled with no changes to configuration other than the 16.01.2 update (and probably some behind-the-scenes pattern updates).

I didn't even know the CPU was under load until the effects yesterday 12/7 when my traffic was screeching slow. When I logged onto the console snort was taking 100% CPU!

I checked a few links from the board and found my maxpkts was 80, so I adjusted that to 8, which has helped a lot, keeping snort to around 60-70% CPU, but the system is definitely running hotter than usual (compared to the previous SFOS 16.01.1).

It also seems like VLAN routing (zone-to-zone) policies influence snort (some sort of pre-filtering?) even though the IPS policy for that rule is set to None. Is there a way to exclude pre-filter snort traffic if the rule defines it as None?

Thanks



  • I have the same issue and have opened a case already.

    Stopping the IPS service can resolve the issue.

    But what should I do when users want to enable the IPS function on some firewall rules?

    I am waiting for Sophos's response...

  • Dear All,

    After the support team worked on it for two months, they finally resolved my issue.

    They added the command 'set ips ips-instance add IPS cpu 1'.

    The command basically creates 2 instances of IPS, allowing the IPS to use the 2nd core of the appliance for processing of IPS traffic.

    And I also found that the snort procedure doesn't appear in the CPU utility.

    The support team replied as follows.

    Ans-> There can be multiple reasons why snort is not listed in the CPU utility, but at the same time, if it is not listed, that doesn't mean there is any problem.

    The issue is finally resolved...

  • Although the command 'set ips ips-instance add IPS cpu 1' can resolve the issue, I found that the setting disappears after a reboot.

    I can't ask my customer to do this every time the appliance reboots.

    Is there a way to set it permanently?

    It's so sad...

  • Hi Shunzeelee,

    If the changes are reverted after a reboot, contact support to inspect it and escalate it to the developers.

    Thanks

  • The support team gave us the following command:
    set ips ips-instance apply

    And it finally works!

    The setting will not be lost after a reboot.

    Thanks~

  • Thanks for sharing your issue and supporting everyone in the community. Many users will benefit from your commitment and patience!

    Regards

  • Hello ShunzeLee,

    Could you please let me know approx. how many Mbps/Gbps pass through your XG and the approx. number of users? Sophos support also increased the number of CPUs in my XG-430 (in my case up to 3), but I didn't have that much luck; so far a little over 3 weeks waiting...

    Thanks,

    R.

  • 30 users, and its throughput is as follows

    The support team took about 2 months to resolve the issue...

  • Same issue for 2+ months but zero suggestions from support in our case. I don't understand why I should experiment with our in-production box (experiment = try different suggestions from forum guys). In my vision Sophos should have their test stand with all the SG/XG models and firmwares available to reproduce this issue (or not) and test their suggestions on the test lab.

    Last week they switched us to new L1 support (4th one to be exact)... this is such a bollocks.

    P.S. And every new L1 guy starts the same song: "Hello sir, let me connect to your box using your desktop/teamviewer or whatever ****". This is such an annoying situation, I don't understand what I'm paying for.

  • I agree with you all.

    I have seen several users and threads about IPS performance and issues, and I really hope v17 will fix all of them.

    In v17, IPS will be improved.

    Using XG without IPS inside certain environments is almost useless.

    Apart from logging, XG is suffering from IPS performance.

    Let's wait for v17!
