IPS Troubleshooting
IPS Profile and Detect Mode
When you run the IPS recommended profile, most of the critical and high signatures are in inactive or detect mode.
But still there could be a high cpu performance impact even when you're only in detect mode.
In prevent mode you kill the connection and you are done.
In detect mode you have to keep the connection open and keep spending CPU cycles on tracking that traffic.
So detect mode maybe is using higher cpu cycles.
R80.x Performance Tuning Tip - DDOS
R80.10 IPS Best Practices
CP_R80.10_IPS_BestPractices_Guide.pdf