GX4 series appliances with large numbers of OpenSignature rules crash at firmware 4.4
Some users with a large number of configured OpenSignature rules may see their GX4 series appliances crash after moving to firmware 4.4.
The appliance stops generating events and the following error message is displayed:
[WARNING]Network Security is disabled. -Engine was terminated unexpectedly due to internal error
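The symptom described above has two parts: the warning line itself, and the fact that the sensor stops emitting events afterwards (and, per the resolution below, starts again a few minutes after a policy deploy without a reboot). The following is an added example, not IBM's code: a small log check that looks for both signs in an exported sensor log. The log line format (ISO timestamp, level, message) and the sample lines are constructed for illustration; only the warning text comes from this technote.

```python
"""Detect the GX4 PAM-crash symptom in exported sensor log lines.

Added example, not IBM's code. The log line format used here
('<ISO timestamp> <LEVEL> <message>', event lines prefixed with 'event:')
is an assumption constructed for illustration; the warning text is the
one quoted in the technote.
"""
import re
from datetime import datetime, timedelta

# The message the technote says is displayed when PAM is terminated.
CRASH_PATTERN = re.compile(
    r"Network Security is disabled\..*Engine was terminated unexpectedly due to internal error"
)

LINE_RE = re.compile(r"^(\S+)\s+(\w+)\s+(.*)$")

# Constructed sample: events flow, PAM dies, only heartbeats follow.
SAMPLE_CRASHED = """\
2012-11-14T08:00:01 INFO event: HTTP_Suspicious_Header src=10.0.0.5
2012-11-14T08:00:12 INFO event: SQL_Injection src=10.0.0.9
2012-11-14T08:00:30 WARNING Network Security is disabled. -Engine was terminated unexpectedly due to internal error
2012-11-14T08:05:00 INFO heartbeat ok
2012-11-14T08:10:00 INFO heartbeat ok
2012-11-14T08:15:00 INFO heartbeat ok
"""

# Constructed sample: same crash, but events resume after the next
# heartbeat loads the corrected tuning parameters (no reboot).
SAMPLE_RECOVERED = SAMPLE_CRASHED + """\
2012-11-14T08:18:40 INFO event: HTTP_Suspicious_Header src=10.0.0.7
2012-11-14T08:19:02 INFO event: SQL_Injection src=10.0.0.9
"""


def parse_line(line):
    """Split one log line into (timestamp, level, message) or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
    return ts, m.group(2), m.group(3)


def analyze(log_text, silence=timedelta(minutes=10)):
    """Classify a sensor log.

    Returns a dict with:
      crash_time  - time of the first PAM termination warning, or None
      last_event  - time of the last 'event:' line, or None
      last_seen   - time of the last parseable line, or None
      silent      - True if no event has been logged for >= `silence`
      recovered   - True if events were logged after the crash warning
      status      - 'healthy', 'pam_down' or 'recovered'
    """
    crash_time = last_event = last_seen = None
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        ts, _level, msg = parsed
        last_seen = ts
        if msg.startswith("event:"):
            last_event = ts
        if crash_time is None and CRASH_PATTERN.search(msg):
            crash_time = ts

    silent = (
        last_event is not None
        and last_seen is not None
        and last_seen - last_event >= silence
    )
    recovered = crash_time is not None and last_event is not None and last_event > crash_time

    if crash_time is None:
        status = "healthy"
    elif recovered:
        status = "recovered"
    else:
        status = "pam_down"

    return {
        "crash_time": crash_time,
        "last_event": last_event,
        "last_seen": last_seen,
        "silent": silent,
        "recovered": recovered,
        "status": status,
    }


if __name__ == "__main__":
    for name, text in (("crashed", SAMPLE_CRASHED), ("recovered", SAMPLE_RECOVERED)):
        result = analyze(text)
        print(f"{name}: status={result['status']} silent={result['silent']}")
```

A `pam_down` result on a GX4 at firmware 4.4 is the cue to count the deployed OpenSignature rules and review the PAM/SNORT memory split discussed below; a `recovered` result after a policy deploy is the behaviour the technote says to expect once the tuning parameters take effect.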
Memory allocations have changed with the release of firmware 4.4. On GX4 appliances, this can result in Protocol Analysis Module (PAM) crashes when using a large number of OpenSignature rules.
Firmware 4.4 adds SNORT rule capabilities to the GX family of appliances. SNORT rule processing is handled separately from the PAM detection systems and requires its own memory allocation. To give the SNORT engine the memory it needs, the firmware 4.4 upgrade reduces the memory allocation for PAM from 65% to 45% immediately upon installation, whether or not SNORT rules are in use.
GX4 series appliances have 1 GB of RAM installed. OpenSignature rules are handled by PAM. Due to the limited memory on the appliance and the reduced PAM resource allocation, firmware 4.4 does not provide enough memory to load a large number of OpenSignature rules.
Note: This issue only applies to the GX4 series appliances. GX5, GX6, and GX7 series appliances are not impacted since they have sufficient memory to handle both PAM and SNORT with their current default memory allocations. GX3 series appliances have not changed their memory allocations but are not recommended for handling a large number of OpenSignature or SNORT rules due to performance limits.
Resolving the problem
Users who are impacted by this issue can add tuning parameters to the appliance to modify the memory allocation at firmware 4.4 or higher. Both of the following parameters are required and should be added to the Tuning Parameters policy for the appliance.
If the OpenSignature rules are later converted to SNORT rules and made part of the SNORT policy, undeploy the old OpenSignature Events policy and set the memory allocation parameters to a 45/55 split (45% for PAM, the remainder for SNORT) so that SNORT has sufficient memory. Simply removing the parameters will NOT return the sensor to the default values.
Firmware 4.5 returns the GX4 memory allocation for PAM to 65% until you enable SNORT execution. Only then is the memory for PAM reduced to 45%. For users who want to implement OpenSignature rules on GX4 appliances, it is recommended to either use the tuning parameters in firmware 4.4 or upgrade to firmware 4.5 or higher. With either firmware version, be aware of the memory limitations and, if possible, only use either OpenSignature rules or SNORT rules, but not both.
Note: If the sensor is running firmware 4.4 and PAM has crashed, you can still add the parameters and deploy them. The sensor will return to normal operation several minutes after its next heartbeat loads the new policy without requiring a reboot.
IBM Security Network Intrusion Prevention System
Software version: 4.4, 4.5, 4.6, 4.6.1, 4.6.2
Operating system(s): Firmware
Reference #: 1597700
Modified date: 14 November 2012