

[ScreenOS] How to reduce the CPU utilization on the device when a large number of malicious sessions are received

  [KB12524]


This article provides information on how to reduce the CPU utilization on the device when a large number of malicious sessions are received.


CPU utilization is high due to a large amount of undesired traffic. This was determined by a higher than usual number of sessions being generated in the output of the get perf session detail command. Further review of the event log or traffic log indicated that undesired traffic was reaching the firewall.



Malicious traffic can be blocked in ScreenOS 6.0.0r2 or later by creating a blacklist for the malicious traffic.

Note: The blacklist feature is not available on ScreenOS versions prior to 6.0.0r2 or on appliance devices (such as SSG devices). If you have an appliance level device, or a system device that is running a version of ScreenOS below 6.0.0r2, and it is receiving undesired traffic that causes high CPU usage, then the traffic can be blocked on a device before it reaches the firewall. The remainder of this article is applicable only to system level devices that are running ScreenOS 6.0.0r2 or later. The supported devices for this feature are as follows:

  • ISG-1000

  • ISG-2000

  • NS-5200

  • NS-5400

To create a new blacklist entry via the WebUI or CLI, perform the following procedure:

Note: The following information is mentioned in the following documentation:

Refer to the CPU Protection with Blacklisting DoS Attack Traffic section in Chapter 3 for more information.  Even though the ScreenOS 6.0 Concepts and Examples Guide does not reference this information as of the publication date of this article, the same information below is applicable:


WebUI:

Configuration > CPU Protection > Black List > New:
Enter the following, then click OK:
ID: 1
Source IP/Netmask:
Source Port: 5
Destination IP/Netmask:
Destination Port: 7
Protocol: 17
Timeout: 90


CLI:

set cpu-protection blacklist id 1 protocol 17 src-port 5 dst-port 7 timeout 90

Description of options:

  • Source Port:  The source port in a TCP or UDP session. Setting this to 0 matches all ports.
  • Destination Port:  The destination port in a TCP or UDP session. Setting this to 0 matches all ports.
  • Protocol:  Set this to 0 to match any protocol. The source port and destination port are valid only when you have set the protocol as UDP or TCP.
  • Source IP:  Address Mask Range is 0–32. Setting this to 0 matches all source IP addresses.
  • Destination IP:  Mask Range is 0–32. Setting this to 0 matches all destination IP addresses.
  • Blacklist ID:  The ID of the blacklist entry. Range is 0–31.

  • Timeout:  The timeout for the blacklist entry in the range 0 to 600 minutes. If you set the timeout for a blacklist entry to 0, the security device never times out that entry. The security device saves only the permanent entries in the blacklist configuration.
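
The following is an added example, not part of the original article or of Juniper's tooling: a small Python helper that checks blacklist parameters against the ranges listed above before a command is pasted into the CLI, and reports whether each entry would be saved. The function names are hypothetical, and the helper makes three assumptions of its own: it emits only the CLI options shown in this article (no IP fields), it omits the port options for protocols other than TCP and UDP, and it rejects duplicate IDs and protocol 0 entries because without IP fields such an entry would not narrow the match at all.

```python
TCP, UDP = 6, 17  # IANA protocol numbers; 17 is the value used in the article

def build_blacklist_cmd(entry_id, protocol, src_port=0, dst_port=0, timeout=0):
    """Return (cli_line, persistent) or raise ValueError on a bad parameter."""
    checks = [
        ("Blacklist ID", entry_id, 0, 31),       # range from the article
        ("Protocol", protocol, 0, 255),          # 8-bit IP protocol field
        ("Source Port", src_port, 0, 65535),
        ("Destination Port", dst_port, 0, 65535),
        ("Timeout", timeout, 0, 600),            # minutes, range from the article
    ]
    for name, value, lo, hi in checks:
        if isinstance(value, bool) or not isinstance(value, int) or not lo <= value <= hi:
            raise ValueError(f"{name} must be an integer in {lo}-{hi}, got {value!r}")
    if protocol == 0:
        # Helper policy (assumption): IP fields are not modelled here, so an
        # any-protocol entry would have nothing left to narrow the match.
        raise ValueError("protocol 0 without IP fields would match all traffic")
    parts = ["set cpu-protection blacklist", f"id {entry_id}", f"protocol {protocol}"]
    if protocol in (TCP, UDP):
        parts += [f"src-port {src_port}", f"dst-port {dst_port}"]
    elif src_port or dst_port:
        raise ValueError("ports are valid only when protocol is TCP (6) or UDP (17)")
    parts.append(f"timeout {timeout}")
    # Only timeout 0 (permanent) entries are saved in the configuration.
    return " ".join(parts), timeout == 0

def build_batch(entries):
    """Validate a list of keyword dicts; reject duplicate IDs (helper policy)."""
    seen, result = set(), []
    for entry in entries:
        if entry["entry_id"] in seen:
            raise ValueError(f"duplicate blacklist ID {entry['entry_id']}")
        seen.add(entry["entry_id"])
        result.append(build_blacklist_cmd(**entry))
    return result

if __name__ == "__main__":
    # Constructed sample: the article's entry plus a permanent ICMP entry.
    sample = [
        {"entry_id": 1, "protocol": 17, "src_port": 5, "dst_port": 7, "timeout": 90},
        {"entry_id": 2, "protocol": 1, "timeout": 0},
    ]
    for line, persistent in build_batch(sample):
        print(line, "(saved)" if persistent else "(expires, not saved)")
```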