IPS Engine Running at 95%-99%

Author
ujnetsec
2018/04/16 02:49:26 5.4


I'm experiencing a similar problem, whereby on one of our VDOMs in a 3000D FW, which connects +-50k users (max sessions is +-400k sessions), the CPU spikes at around 9am every morning when everyone is back at work, and this affects our filtering. But as soon as we disable SSL certificate inspection, the CPU goes back to normal. SSL is configured to inspect only 443.
 
I have upgraded the IPS engine from 3.00430 to 3.00444, but this did not resolve the issue.
 
This only happens on one of our VDOMs. We have 7 VDOMs in total, including the root VDOM, which is the only one that is running in flow-based mode; the rest are running in proxy mode.
 
What could the issue be?
#1


    romanr
    Re: IPS Engine Running at 95%-99% 2018/04/16 05:10:07
    Hi,
     
    In a flow-mode VDOM the ipsengine daemon will run all UTM features, also antivirus and webfilter.
    In FortiOS 5.4, disabling certificate inspection will cause ipsengine not to run the webfilter on https traffic. So with your amount of users and sessions you could easily knock out even a 3000D with a webfilter, depending on the actual user traffic (certificate inspection on and webfilter assigned on a policy).
     
    For FortiOS 5.4 and 5.6 the actual ipsengine should be version 3.00516, which also did solve some memory leaks since 442/443.
     
    I'd strongly recommend you open a support ticket with FTNT!
     
    Br,
    Roman
    #2
    ujnetsec
    Re: IPS Engine Running at 95%-99% 2018/04/19 22:15:45
    Hi Romanr,
     
    I have changed the VDOM to run in flow-based mode. It is blocking http and https when using the Android default browser, but when using Chrome or Firefox only https is blocked. I have logged a call with Fortinet; they say they are busy troubleshooting on their side. Any idea what could cause this? I am running IPS engine v3.00444 and firmware v5.4.5, but tomorrow I am upgrading the firmware to v5.4.8.
    #3