This article explains how much traffic a security module can handle before it becomes overloaded.
The datasheet for the Security Modules notes: "These performance numbers are based on specific test scenarios and may not be attainable, depending on the traffic mix."
Performance numbers are affected by the type of traffic and by the security policy that is running.
In practice, throughput for the security modules will be lower than the figure specified on the datasheet. While there is no exact number, it appears that with the recommended policy each CPU can handle around 125-150 Mb/s. Since there are two CPUs in each security module, that yields roughly 250-300 Mb/s per security module. Note that these are rough numbers: the bigger the policy, the lower the performance. To avoid hitting these limits, administrators should keep the policy size as small as possible and never use the policy all_attacks.
To check the peak traffic going through the security module, issue the following command:
exec sm # ksh "scio subs status s0"
For cpu 0
Status for system 's0'
usage - 0% memory used- 20515kbytes current sessions - 10696 max sessions - 175000 failed sessions - 0 full drop count - 0
Status for subs 's0'
up since - Wed Feb 26 20:49:36 2014
Packets/second: 126 peak: 803 @ Wed Mar 5 23:06:00 2014
KBits/second: 264 peak: 735 @ Tue Mar 4 12:40:55 2014
Packets received: icmp 36917, tcp 33922677, udp 30606318, other 3
Current flows: icmp 0, tcp 14444, udp 6950, other 0
Current sessions: icmp 0, tcp 7222, udp 3475, other 0
Values highlighted in red indicate that the security module is overloaded. Note that the output above shows a security module at a very low traffic volume. Be sure to convert Kbits to Mbits when comparing the traffic level against the per-module figures given earlier.
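To make the check repeatable, the status output can be parsed and the KBits peak compared against the rough 250-300 Mb/s per-module ceiling described above. The following Python is an added example, not a tool shipped with the security module; the sample output is constructed from the dump shown above, the 1000 Kbit = 1 Mbit conversion and the "overloaded" rule (peak at the conservative 250 Mb/s ceiling, or any failed or dropped sessions) are the author's assumptions.

```python
import re
# Constructed sample, modelled on the 'scio subs status s0' output quoted in the article.
SAMPLE_STATUS = """For cpu 0
Status for system 's0'
usage - 0% memory used- 20515kbytes current sessions - 10696 max sessions - 175000 failed sessions - 0 full drop count - 0
Status for subs 's0'
up since - Wed Feb 26 20:49:36 2014
Packets/second: 126 peak: 803 @ Wed Mar 5 23:06:00 2014
KBits/second: 264 peak: 735 @ Tue Mar 4 12:40:55 2014
Packets received: icmp 36917, tcp 33922677, udp 30606318, other 3 Current flows: icmp 0, tcp 14444, udp 6950, other 0
Current sessions: icmp 0, tcp 7222, udp 3475, other 0
"""

# Rough per-module ceiling from the article: two CPUs at ~125-150 Mb/s each.
MODULE_MBPS_LOW, MODULE_MBPS_HIGH = 2 * 125.0, 2 * 150.0
# Counter name -> regex with one capture group, applied to the raw status text.
FIELDS = {
    "cpu_usage_pct": r"usage\s*-\s*(\d+)%",
    "sessions_now": r"current sessions\s*-\s*(\d+)",
    "sessions_max": r"max sessions\s*-\s*(\d+)",
    "sessions_failed": r"failed sessions\s*-\s*(\d+)",
    "full_drops": r"full drop count\s*-\s*(\d+)",
    "kbps_now": r"KBits/second:\s*(\d+)",
    "kbps_peak": r"KBits/second:\s*\d+\s+peak:\s*(\d+)",
}

def parse_status(text):
    """Extract the load-related counters from one status dump as ints."""
    out = {}
    for name, pattern in FIELDS.items():
        m = re.search(pattern, text)
        if m is None:
            raise ValueError("counter %r not found in status output" % name)
        out[name] = int(m.group(1))
    return out

def assess(fields):
    """Convert the KBits peak to Mbits (1000 Kbit = 1 Mbit, assumption) and score it."""
    peak_mbps = fields["kbps_peak"] / 1000.0
    report = {"peak_mbps": peak_mbps,
              "pct_of_low_ceiling": 100.0 * peak_mbps / MODULE_MBPS_LOW,
              "session_pct": 100.0 * fields["sessions_now"] / fields["sessions_max"]}
    # Heuristic (assumption): overloaded at the conservative 250 Mb/s ceiling or on any failed/dropped session.
    report["overloaded"] = (peak_mbps >= MODULE_MBPS_LOW
                            or fields["sessions_failed"] > 0 or fields["full_drops"] > 0)
    return report

if __name__ == "__main__":
    print(assess(parse_status(SAMPLE_STATUS)))
```

Run it against a captured dump from each security module to get the peak in Mb/s and the session table utilisation side by side.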