Support Support Downloads Knowledge Base Case Manager My Juniper Community

Knowledge Base

Search our Knowledge Base sites to find answers to your questions.

Ask All Knowledge Base Sites All Knowledge Base Sites JunosE Defect (KA)Knowledge BaseSecurity AdvisoriesTechnical BulletinsTechnotes Sign in to display secure content and recently viewed articles

[IDP] ISG-IDP Security Module performance guidelines

0

0

Article ID: KB29128 KB Last Updated: 30 May 2014Version: 1.0
Summary:

This article explains how much traffic a security module can take before it is overloaded.

Symptoms:

The datasheet for the Security Modules reports that

  • the ISG 1000 can handle 1Gb/s with two security modules
  • the ISG 2000 can handle 2Gb/s with three security modules

These performance numbers are based on specific test scenarios and may not be attainable, depending on the traffic mix.

Cause:

Performance numbers are affected by the type of traffic and the security policy that is running.

Solution:

Performance numbers for the security modules will be less than specified on the data sheet. While there is no exact number, it appears that with the recommended policy, each CPU can handle around 125-150Mb/s. Since there are two CPUs in each security module, that would yield 250-300 Mb/s per security module. Note that these are rough numbers, and the bigger the policy, the lower the performance. To avoid hitting these limits, administrators should keep the policy size as small as possible, and never use the policy all_attacks.

To check the peak traffic going through the security module, issue the following command:

exec sm # ksh "scio subs status s0"

For cpu 0
Status for system 's0'
usage - 0% memory used- 20515kbytes current sessions - 10696 max sessions - 175000 failed sessions - 0 full drop count - 0
Status for subs 's0'
up since - Wed Feb 26 20:49:36 2014
Packets/second: 126 peak: 803 @ Wed Mar 5 23:06:00 2014
KBits/second: 264 peak: 735 @ Tue Mar 4 12:40:55 2014
Packets received: icmp 36917, tcp 33922677, udp 30606318, other 3 Current flows: icmp 0, tcp 14444, udp 6950, other 0

Current sessions: icmp 0, tcp 7222, udp 3475, other 0

The values that are shown in red show that the security module is overloaded. Note that this shows a security module at a very low traffic volume. Be sure to convert Kbits to Mbits for the traffic level.

Comment on this article > Affected Products Browse the Knowledge Base for more articles related to these product categories. Select a category to begin.

Getting Up and Running with Junos

Getting Up and Running with Junos Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search