CPU issue

[zarcoff]

cpu issue with Smartdefence and the 'general http worm catcher' option which is the only option that is selected in Smartdefence.

When it's not ticked cpu at K/w is around 35% When it is selected the cpu goes to around 90%.
We are running r55ng, ipso 3.8, hfa_18, hotfix 771-build 11.

I will be checking to logs later on any ideas have you come across this befor.

Cheers
Zarcoff

[betski]

I think 35% CPU utilization is about the most you want to average anyway, without adding more defense features. When you hit peak times the firewall will really suffer.

Have you tried checking the 'Monitor only' box to see what affect this has?

Are you protecting web servers or all HTTP traffic?

[zarcoff]

Do you mean set it to log only

[betski]

no, i mean 'Monitor only'. which version are you using?

i think 'monitor only' option is new to NGX. worm catcher comes under the 'web intelligence tab' not the smart defense tab as it used to.

[zarcoff]

Using Checkpoint NG R55

[betski]

I found this on Check Point knowledge base which appears to be a related to R54 but may affect your version of IPSO.

Symptoms

CPU jumps to 100 percent when redirecting HTTP to port 80, and using SmartDefense Worm Catcher.

Environment Changes

SmartDefense HTTP parameters are set to Level 7: Cross-Site Scripting, HTTP Format Sizes, ASCII Only Response Headers, ASCII Only Request Headers, Peer to Peer, and HTTP Worm Catcher.

Cause

IPSO 3.8 will support enabling Flows with SmartDefense. IPSO 3.7 has a known issue with Flows and SmartDefense affecting performance.

Solution

This issue is resolved in NG with Application Intelligence R55. Upgrade to the current version.

[zarcoff]

Thanks Betski I will have a look.

[zarcoff]

Where using IPSO 3.8 34

[chillyjim]

NGX (R60-2) has a lot of SMDF improvements, esp R62. I would strongly recomend going to that.