Enabled IPS policy causes slow login to Deep Security Manager (DSM)

Product / Version includes:

Deep Security 9.0

Last updated: 2025/05/08

Solution ID: KA-0006476

Category: Troubleshoot

Summary

Accessing the workstations took a long time when the IPS policy is activated on the domain controllers. When the IPS behavior is changed from "Prevent" to "Detect", the issue is gone.

The procedure below was used to troubleshoot but the issue remained:

On the DSM, double-click Base Policy and click Settings.
Navigate to Network Engine > Advanced Network Engine Settings.
Uncheck the default settings and change the values to the following:
Minimum Fragment Offset: 0
Minimum Fragment Size: 0
Maximum UDP Connections:2000
Save the new settings and deploy them to the clients.
On the DSM, choose one domain controller and one workstation.
Unassign the following IPS Rules:
- Windows Services RPC Client
- Windows Services RPC Server

The issue is caused by the improperly working DPI data channel despite its correct configuration.

To resolve the issue:

Login to the DSM console.
Go to Computers > Domain Controller.
Click Intrusion Prevention Rules and click Assign/Unassign.
Unassign the following IPS Rules:
- 1005067 - Identified potentially harmful client traffic
- 1005090 - Identified potentially harmful server traffic
Save the changes.
Login to Deep Security Virtual Appliance (DSVA) and run the following command to re-establish the IPS data channel:
$>sudo stop ds_filter
$>sudo rmmod vmxnet3
$>sudo modprobe vmxnet3
$>sudo /etc/init.d/ds_datachannel start
$>sudo start ds_filter
Then
$>cd /dev
$>ls

You should see the vmxnet_eth2_shm character device.
Restart the DSVA.

Was this article helpful?

Featured

Automation Center

Education Portal

Online Help Center

Service Status

TrendConnect

Enabled IPS policy causes slow login to Deep Security Manager (DSM)

Enabled IPS policy causes slow login to Deep Security Manager (DSM)

Product / Version includes:

Summary