We are having some problems with an XG-430 in bridge mode, which is deployed as an IPS to replace an old Sourcefire appliance. Performance starts to go down after 200Mbps, and really goes bad when it passes 400Mbps. This is bad news for us since we currently get sustained 800Mbps and can peak to 1.4Gbps (we use 10Gbps SFPs).
We were advised to upgrade from 16.01.2 to 16.0.5.0, which we were told made "IPS improvements", and also to change the value of IPS maxpkt size from 8 to 80:
Original (Default):
stream on
lowmem off
maxsesbytes 0
maxpkts 8
mmap off
enable_appsignatures on
http_response_scan_limit 65535
to:
stream on
lowmem off
maxsesbytes 0
maxpkts 80
mmap off
enable_appsignatures on
http_response_scan_limit 65535
As per some articles in this forum, I am seeing users recommending the opposite, go back to 8, and, as per the old Cyberoam documentation (is it still valid?), maxpkts value is for:
"default - pass first 8 packets of the session of each direction for application classification (total 16)"
... if I am reading it correctly, doesn't this increase CPU utilization?
Any ideas, tips, recommendations, etc.? We haven't put the appliance back in-line, just want to minimize the times I have to put the appliance back in-line.
Thanks.
R.