XG Home VM v20 - Snort using all CPU with some random trigger

All,

I was unsure how to tell the difference between user and system CPU.  I've chosen to export fw/nat rules, factory reset, and import.  If I see the issue again, I'll follow up.

Thanks so far.

Bryan Lucas  I use a small J1900 based box at home as well as a VM running on a R620 using Hyper V. Both have significantly higher CPU usage vs V19. I tried a fresh install, but had the same results. V20 just seems more CPU hungry for some reason. It shouldn't be, but that will be for Sophos to figure out. You are not the only one seeing this though.

Could you show us the Monthly overview of stats of your CPU? 

That is a Azure Appliance. 

Vmware

Appreciated!  My VMWare environment has more than enough resources to handle increased mem usage.  The CPU spikes are what really concerned me.

Oh.  Duh.  User/System usage shows under diag graphs.  Sure.  Monthly won't help - I'll show yearly.  You can see the cpu spikes in the graph, and you can see corresponding spikes on other graphs (load, for example).  Other processes show a stall - disk graph.  My VMWare host shows a much higher spike than the XG diag graphs.  Some spikes caused all traffic through the device to stop.  Spike drop was usually due to me purging the device logs.

Thanks for the graphs. Can you please share logs (ips.log, syslog.log and top output) and access details when you observe cpu spike.

Does cpu spike drop when you purge the logs?

please follow https://doc.sophos.com/nsg/sophos-firewall/20.0/help/en-us/webhelp/onlinehelp/AdministratorHelp/Diagnostics/ConnectionList/SupportAccess/index.html to enable support access.

Good day!

Tried to PM  you back, but your profile doesn't allow it.  CPU spike disappears for a random amount of time after I purge logs and reboot.  A reboot with no purge didn't always resolve the problem.  Again, I've spun up a new VM, imported rules, and haven't experienced the issue again.  If you'd still like support access, let me know.  I'll share the string over PM once you allow it.

Thanks.

Good day!

Tried to PM  you back, but your profile doesn't allow it.  CPU spike disappears for a random amount of time after I purge logs and reboot.  A reboot with no purge didn't always resolve the problem.  Again, I've spun up a new VM, imported rules, and haven't experienced the issue again.  If you'd still like support access, let me know.  I'll share the string over PM once you allow it.

Thanks.

Sorry for that, I have changed the setting now. Please try PM again.
Good that you didn’t experience cpu spike in new vm, does old vm still up?

I like to check logs when CPU spike occurred.

Thanks.  I do still have the old VM, but it isn't active.  I can't have both boxes active & connected to the cloud at once for obvious reasons.

If you believe that the logs you need would have persisted through a console log flush and reboot, I'd be willing to schedule a time to have the old box active so you can poke.

Let me know.

Kindly switch back to the previous VM and let it run for a while. We can then verify the configuration and troubleshoot any active CPU spikes that may occur.

Are there any configuration differences in the new VM?

Did you do a backup / restore or XML Import/export? 

Unfortunately I can no longer switch back to the previous VM.  Good/bad news is that the new one is now doing the same thing.  Support key sent.  Will renew if needed.

XML import/export of FW and NAT rules with dependencies.  Figured the less data transferred the better.

Thank you for the access. 

I have checked you appliance logs and I do not find any events that can trigger CPU spike.

Also I can see that CPU increased from Jan 5 which is related to port1 rx traffic increase.

Can you please share graphs of CPU spike and Port1 traffic from the old VM to verify if that has any relation?