Hi there,
I've spent a little time testing the IPS offloading or load balancing behaviors while in a High Availability Cluster setup (Active/Active).
I've set up two VMs on an ESXi 6.5 physical host. Both VMs have the same networks, NICs, RAM, disks and the exact same overall ESXi VM configuration. The test is pretty simple: I've downloaded the same file from different sources concurrently from two different physical Windows machines behind the HA A/A UTM cluster.
Here are my findings (screenshots represent the system status while both downloads were active). IPS is effectively load balanced: one download hit one cluster node while the following download hit the next node, CPU-wise:
A view from the ESXi VM resources usage:
htop on the Slave node while downloading (ssh from Master through "ha_utils ssh slave"):
htop on the Master node while downloading:
Downloads were conducted from two different physical hosts, each downloading the same ISO (the CentOS 7 "Everything" DVD) from different mirror sources: http://isoredirect.centos.org/centos/7/isos/x86_64/CentOS-7-x86_64-Everything-1708.iso
UTM Cluster load and configuration status:
My summary is that the single-threaded snort process is effectively split across the available cluster nodes, thus multiplying the IPS processing power by the number of nodes (for me, x2).
However, I've had to reduce the amount of RAM per VM (8 GB) compared to my usual single-VM UTM, which runs with 16 GB, due to limited RAM resources on the ESXi host. I've had the feeling that with 16 GB RAM I've been closer to my full ISP bandwidth (around 12 Mbps), reaching a steady 11.6 Mbps download speed. With 8 GB RAM I've been reaching 10.6 Mbps, or sometimes dropping down to 9 Mbps.
Of course, the next limiting factor is the actual bandwidth available at my ISP router, meaning that I'll never cross 12 Mbps across the cluster...
The setup is still in place if you'd like more tests to be conducted.
Kind regards,
-M-
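If you want to repeat the concurrent-download test described in the post from a client behind your own cluster, here is an added bash script (not from the original post or from the UTM product) that launches two downloads in parallel, converts curl's reported speed to Mbps, and computes how evenly the two nodes' CPU load (read off htop, as in the post) is split. The mirror URLs are placeholders you replace with two real mirrors of the same file; only curl and awk are assumed to be installed.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): reproduce the concurrent-download
# test through an HA UTM cluster and report per-download throughput in Mbps.
# Assumptions: curl and awk are installed on the client; the URLs below are
# placeholders to be replaced with two different mirrors of the same file.

# Convert curl's speed_download value (bytes per second, possibly with
# decimals) to megabits per second, printed with two decimals.
bytes_per_sec_to_mbps() {
    awk -v b="$1" 'BEGIN { printf "%.2f", (b * 8) / 1000000 }'
}

# Given two CPU percentages (one per cluster node, e.g. the snort process
# CPU as shown by htop on Master and Slave), print how evenly the IPS load
# is split: 1.00 means perfectly balanced, 0.00 means one node is idle.
balance_ratio() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        if (a + b == 0) { print "0.00"; exit }
        lo = (a < b) ? a : b
        hi = (a < b) ? b : a
        printf "%.2f", lo / hi
    }'
}

# Download one URL to /dev/null and print "<url> <bytes_per_sec>" when done.
measure_download() {
    local url="$1"
    local speed
    speed=$(curl -sS -L -o /dev/null -w '%{speed_download}' "$url")
    echo "$url $speed"
}

# Start both downloads at the same time (mirroring the two physical clients
# in the post), wait for both, then print the throughput of each in Mbps.
run_concurrent_test() {
    # Placeholder mirrors of the same ISO; replace with real mirror URLs.
    local urls=(
        "http://MIRROR-A.example/CentOS-7-x86_64-Everything-1708.iso"
        "http://MIRROR-B.example/CentOS-7-x86_64-Everything-1708.iso"
    )
    local results
    results=$(for u in "${urls[@]}"; do measure_download "$u" & done; wait)
    while read -r url bps; do
        [ -n "$url" ] || continue
        echo "$url: $(bytes_per_sec_to_mbps "$bps") Mbps"
    done <<< "$results"
}

# Uncomment to run against your own cluster from a client behind it:
# run_concurrent_test
# Example of checking the CPU split you read off htop on both nodes:
# balance_ratio 85 80
```

Run the script from a client behind the cluster while watching htop on both nodes; if the two downloads each land on a different node, the summed throughput should approach your WAN limit and `balance_ratio` should be close to 1.00, whereas a value near 0.00 means the second download was handled by the same node as the first.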