OPNsense Forum
Archive => 21.7 Legacy Series => Topic started by: leo1d on August 10, 2021, 04:12:41 am
-
I noticed much slower performance in the GUI of the Services -> Intrusion Detection section since I upgraded to 21.7.1. Possibly 21.7, as I don't check the router every day and I have it check/auto updates daily.
Where I'm having issues:
If I click on Services -> Intrusion Detection -> Administration, the "Settings" tab would previously load in a second; this now takes a full 16 seconds to populate the settings.
If I go to Intrusion Detection -> "Policy" section, the "Policies" tab takes around 22 seconds to populate, where previously it would load in 1-2 seconds.
Some info:
Every other section loads very quickly as expected.
CPU usage is typically 1-3% usage, memory usage under 15% and tested with basically no network traffic going on.
SMART status on drive says OK.
I have rebooted my router with no luck.
I have 16 manual rule adjustments in the Policy -> "Rule adjustments" section, so I don't think this should be an issue considering how low resource usage is.
I didn't see anyone post anything similar and I'm not sure how to isolate/troubleshoot this, so any tips are appreciated.
Screen shots: https://imgur.com/a/6atgixW
-
What is your memory utilization like? I'm thinking the amount of rules you have loaded could be causing the problem where the memory may be over utilized.
-
Are you accessing the OPNsense via hostname? 15 seconds delay sounds like resolver failure, maybe because of defunct IPv6...
Cheers,
Franco
-
Memory utilization is low, typically less than 15%.
I'm accessing the device via local LAN IP address, hardwired on the same switch.
Any other suggestions, please throw them my way.
Some tweaks:
Reinstalled Suricata (System -> Firmware -> Packages), no effect.
I disabled Suricata (intrusion detection service) and it's still slow only in the intrusion detection section.
I turned on the RAM disk settings (System -> Settings -> Miscellaneous), no effect, RAM utilization is still less than 20%.
Troubleshooting I'll attempt:
I'll try stripping back intrusion detection settings, I have the Snort-vrt and pt-open plugins installed, I'll remove/disable all the rule sets so nothing is enabled and more default settings. This will take me a bit, so anyone on the edge of the seat for this, sorry to make you wait.
If this fails, I'll roll back to a backup config about 2 weeks ago where I know I wasn't having any issues.
If this also fails, I'll default the firewall.
And finally, if all else fails, I'll get a new ssd and re-install. Kind of want to avoid this, but practice makes perfect right?
-
Did you manage a lot of rules individually previously? config.xml might simply be quite large due to this.
Cheers,
Franco
-
Thank you and I found something.
I used to have a lot of manual rule adjustments. I deleted all but 16 rule adjustments and set up 7 policies to replace most of the manual rule adjustments when the policies feature was added in whatever version.
What I found:
Even with the intrusion services disabled, once I deleted my 7 policies under Intrusion Detection -> Policy -> Policies, the performance greatly improved right away. The GUI refresh time dropped from 22 seconds to 4 seconds. Maybe how I created the policies was jacked up?
This is good for me now and I'll tweak these and play with the policies and I'm going to re-do all my rule downloads and such.
-
Good news. I'm not entirely sure why the policies slow this down, but if you can pin this to a particular policy please let us know.
Cheers,
Franco
-
Great leo1d. After you posted this, I decided to check on mine. Have the same issue. I'm going to use your method and see what happens. I don't modify that many rules, so I'm see the areas you pointed out.
-
Ok, I was able to get my performance back 100%.
I think the issue was with the Non-Free/PT Research and Snort-VRT rule sets. I'm only using the abuse.ch and ET telemetry rules. I can create policies, no issues.
What worked for me:
Services -> Intrusion Detection -> Administration -> Download tab -- disabled everything, saved, download & update rules so no rules
Once I did this, performance in the intrusion detection area was great again.
Other changes, as I noticed issues with rule sets actually downloading (no date showing after download):
Removed Non-Free/PT Research plugin and ruleset
Removed snort-vrt ruleset plugin and ruleset - I generated a new code and still no luck getting this to work
Download & update rules
Prior to removing these two rule sets, the administration -> rules tab was not showing any rules at all, even though I could see them enabled and downloaded in the download tab.
What I haven't fixed, but not causing a problem
Services -> Intrusion Detection -> Policy -> Policies tab. I can still select rules that have been removed, i.e. the ET telemetry rules that I removed. They don't show up in the downloads tab, but they still appear as an option in the policies tab.