IPS Analyzer Tool - How to analyze IPS performance efficiently
The IPS Analyzer Tool collects information about IPS protection usage. The IPS statistics indicate which patterns, out of all IPS protections, were called into action (but not necessarily matched) and how many times. The Analyzer tool processes the statistics output and produces a clear HTML report based on it. The report indicates which IPS protections are causing critical, high or medium load on the CPU and provides information about the load on the Security Gateway per traffic type.
The IPS Analyzer Tool is supported on R77 and above.
Collect the relevant IPS statistics per sk43733 - How to measure CPU time consumed by IPS protections - section "(1) IPS statistics" - sub-section "Show / Hide the procedure for versions R77 and above".
Compress the IPS statistics output folder on the Security Gateway:
[Expert@HostName:0]# cd /path_to_IPS_statistics_output_folder/
[Expert@HostName:0]# tar cvf IPS_Statistics.tar <HH-MM-SS__MM-DD-YYYY>
Transfer the compressed IPS statistics output folder (IPS_Statistics.tar) from the Security Gateway to your computer and unpack it.
Run the IPS Analyzer Tool on the unpacked IPS statistics output folder:
Open Windows Command Prompt
C:\> Analyzer.exe OFFLINE "DISK:\path_to_unpacked_statistics_output_folder"
Review the output files:
The tool only displays protection information relevant to the IPS Software Blade. Details from other Software Blades may appear with the following protection name:
"Threat Prevention Protection ID NUM"
If a significant number of these entries are found, the IPS Software Blade is not the only one impacting gateway performance, and the impact of other Software Blades should be considered.
The tool can be downloaded from our CheckMates community here:
This solution has been verified for the specific scenario, described by the combination of Product, Version and Symptoms. It may not work in other scenarios.