[STRM/JSA] How to establish a performance baseline for the CVE-2017-5754 (Variant 3 / Meltdown) mitigation


Article ID: KB34131 KB Last Updated: 05 Apr 2019 Version: 1.0
Summary:
This article explains how administrators can review the potential change to search performance in JSA 7.3.1 Patch 4 when the mitigation for CVE-2017-5754 (Variant 3/Meltdown) is enabled on JSA appliances.
Symptoms:
Administrators who install JSA 7.3.1 Patch 4 and enable the mitigation for CVE-2017-5754 (Variant 3/Meltdown) can expect performance degradation once the remediation is active. A performance assessment produced the following results:
  • A 3% to 6% increase in CPU utilization has been observed across all workloads on appliances after the mitigation is applied.
  • Search performance for most common search types has been observed to degrade by 0% to 10%, with the following exceptions:
    • Searches that use indexed criteria and match a moderate number of results (less than 10% of the total searched data set) are expected to be degraded by 3% to 20%.
    • Open-ended searches that have no limit applied to the query and return a very large number of results (30% of the total searched data set or more) are expected to be degraded by up to 2x.
    • The impact on data processing is estimated to be in the 0% to 20% range.
    • High availability on a 1 GB network is not affected. The initial high availability setup speed and the catch-up replication speed after fail-over will be lower on a 10 GB network. However, the replication rate is still in the multiple hundreds of MB/s, which is sufficient for real-time replication.

 
Cause:
Administrators who upgrade to JSA 7.3.1 Patch 4 have the option to enable the mitigation for CVE-2017-5754 (Variant 3/Meltdown) in their deployment during installation or as a post-installation procedure. To assess the change in performance, administrators can run common searches before they install JSA 7.3.1 Patch 4 to establish a baseline of common search durations. The baseline search duration can then be compared to the results obtained when the remediation for CVE-2017-5754 (Variant 3/Meltdown) is enabled. For more information about the patch install option and enabling or disabling the mitigation, please see KB34127 - [STRM/JSA] mitigation for CVE-2017-5754 Variant 3/Meltdown can cause performance issues
Solution:
Before you complete the upgrade to JSA 7.3.1 Patch 4 or after disabling the mitigation, log in to the JSA Console.
  1. Click the Log Activity tab.
  2. Run a search.
  3. When the search completes, the Duration field shows how long the search took to complete. To view the duration for each appliance in the deployment, click More Details.
  4. Record these values or take a screen capture of the Managed Search Results interface as it includes the overall search duration.
    1. Log Activity > Search > Managed Search Results.
    2. Network Activity > Search > Managed Search Results.

Install JSA 7.3.1 Patch 4 and/or enable the mitigation for CVE-2017-5754 Variant 3/Meltdown
  1. Click the Log Activity tab.
  2. Before you run your search, select one of the following options to ensure you are not using cached search results.
    1. Select Search > Managed Search Results and delete the saved search result.
    2. Alter your search time frame by one minute or more.
  3. Compare the Duration field of the search completed with the mitigation for CVE-2017-5754 (Variant 3/Meltdown) enabled to the baseline value you recorded. To view the duration for each appliance in the deployment, click More Details.
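
One way to carry out the comparison in the last step once the Duration values are recorded, as an added example that is not part of the original article or of JSA. It assumes the durations were transcribed by hand in seconds; the search names, appliance names and category labels are hypothetical, and the limits are the upper bounds listed under Symptoms.

```python
from statistics import median

# Upper bound of the slowdown the article reports per search type, as a
# multiple of the baseline duration ("up to 2x" is read as 2.0 x baseline).
MAX_EXPECTED = {
    "common": 1.10,            # most common search types: 0% to 10%
    "indexed_moderate": 1.20,  # indexed criteria, <10% of data set: 3% to 20%
    "open_ended": 2.00,        # no limit, 30% or more of data set: up to 2x
}

def compare(baseline, mitigated, categories):
    """Map (search, appliance) -> (slowdown ratio, verdict).

    baseline and mitigated map (search, appliance) to a list of Duration
    values in seconds, one per uncached run; the median damps outliers.
    """
    report = {}
    for key, before in baseline.items():
        after = mitigated.get(key)
        if not before or not after:
            report[key] = (None, "missing data")  # search not repeated on this host
            continue
        base = median(before)
        if base <= 0:
            report[key] = (None, "baseline too short to compare")
            continue
        ratio = median(after) / base
        limit = MAX_EXPECTED[categories[key[0]]]
        verdict = "within expected range" if ratio <= limit else "exceeds expected range"
        report[key] = (round(ratio, 2), verdict)
    return report

# Constructed sample values (seconds), not measurements from a real deployment.
CATEGORIES = {"failed_logins_24h": "common", "indexed_user_7d": "indexed_moderate",
              "all_events_30d": "open_ended"}
BASELINE = {
    ("failed_logins_24h", "console"): [40.0, 42.0, 41.0],
    ("failed_logins_24h", "ep-1"): [38.0],
    ("indexed_user_7d", "ep-1"): [100.0, 104.0, 102.0],
    ("all_events_30d", "ep-1"): [600.0, 620.0],
}
MITIGATED = {
    ("failed_logins_24h", "console"): [44.0, 43.0, 45.0],
    ("indexed_user_7d", "ep-1"): [130.0, 128.0, 133.0],
    ("all_events_30d", "ep-1"): [1100.0, 1120.0],
}

if __name__ == "__main__":
    for (search, host), (ratio, verdict) in compare(BASELINE, MITIGATED, CATEGORIES).items():
        print(f"{search:<20} {host:<8} {ratio} {verdict}")
```

A result that exceeds the expected range for its search type is a reason to re-run the search uncached and check the per-appliance durations under More Details before attributing the slowdown to the mitigation.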