Cisco Firepower Management Center 4000

FireSIGHT System User Guide
Chapter 24 Using Performance Settings in an Intrusion Policy
The Policy Information page appears.
Step 3
Click Advanced Settings in the navigation panel on the left.
The Advanced Settings page appears.
Step 4
You have two choices, depending on whether Event Queue Configuration under Performance Settings is enabled:
  • If the configuration is enabled, click Edit.
  • If the configuration is disabled, click Enabled, then click Edit.
The Event Queue Configuration page appears.
A message at the bottom of the page identifies the intrusion policy layer that contains the configuration. See  for more information.
Step 5
You can modify the following options:
  • Type a value for the maximum number of events to allow in the queue in the Maximum Queued Events field.
  • To inspect packets which will be rebuilt into larger streams of data before and after stream reassembly, select Disable content checks that will be inserted through the stream reassembly process. Inspection before and after reassembly requires more processing overhead and may decrease performance.
  • To disable inspection of packets which will be rebuilt into larger streams of data before and after stream reassembly, clear Disable content checks that will be inserted through the stream reassembly process. Disabling inspection decreases the processing overhead for inspection of stream inserts and may boost performance.
Step 6
Save your policy, continue editing, discard your changes, revert to the default configuration settings in the base policy, or exit while leaving your changes in the system cache. See the  table for more information.
Understanding Packet Latency Thresholding
License: Protection
You can balance security with the need to maintain latency at an acceptable level by enabling packet 
latency thresholding. Packet latency thresholding measures the total elapsed time taken to process a 
packet by applicable decoders, preprocessors, and rules, and ceases inspection of the packet if the 
processing time exceeds a configurable threshold.
Packet latency thresholding measures elapsed time, not just processing time, in order to more accurately 
reflect the actual time required for the rule to process a packet. However, latency thresholding is a 
software-based latency implementation that does not enforce strict timing.
The trade-off for the performance and latency benefits derived from latency thresholding is that 
uninspected packets could contain attacks. However, packet latency thresholding gives you a tool you 
can use to balance security with connectivity.
When you enable packet latency thresholding, a timer starts for each packet when decoder processing 
begins. Timing continues either until all processing ends for the packet or until the processing time 
exceeds the threshold at a timing test point.
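The timer behaviour described above, as an added simulation that is not Cisco code and does not touch a sensor: each stage cost is a constructed value in microseconds, the threshold is checked only at the test point after each stage, and elapsed time (including time the packet spent waiting) is what counts, not CPU time alone.

```python
# Added example, not Cisco code: simulates packet latency thresholding.
# Stage names and costs are constructed values in microseconds.
from dataclasses import dataclass


@dataclass
class Stage:
    name: str       # decoder, preprocessor or rules stage
    cpu_us: int     # time actually spent processing the packet
    stall_us: int   # time the packet waited (e.g. preempted); still counts as elapsed


@dataclass
class Result:
    ran: list            # stages that completed before inspection stopped
    skipped: list        # stages never run because the threshold was exceeded
    elapsed_us: int      # what thresholding measures: total elapsed time
    processing_us: int   # CPU time only, for comparison
    truncated: bool      # True if the threshold was exceeded at a test point


def inspect_packet(stages, threshold_us):
    """Timer starts when decoder processing begins. After every stage (a timing
    test point) the total elapsed time is compared with the threshold; once it
    is exceeded, inspection ceases and any remaining stages are skipped. The
    check is software-based and happens only at test points, so a single long
    stage can overshoot the threshold before it is noticed."""
    elapsed = processing = 0
    ran = []
    for i, stage in enumerate(stages):
        elapsed += stage.cpu_us + stage.stall_us
        processing += stage.cpu_us
        ran.append(stage.name)
        if elapsed > threshold_us:
            skipped = [s.name for s in stages[i + 1:]]
            return Result(ran, skipped, elapsed, processing, True)
    return Result(ran, [], elapsed, processing, False)


def uninspected_count(packets, threshold_us):
    """Number of packets whose inspection ceased early: the security trade-off
    of thresholding, since those packets may carry an attack nobody looked for."""
    return sum(inspect_packet(p, threshold_us).truncated for p in packets)


# Constructed sample traffic: three packets with different stage costs.
SAMPLE_PACKETS = [
    [Stage("decoder", 20, 0), Stage("preprocessor", 30, 0), Stage("rules", 40, 0)],
    [Stage("decoder", 20, 0), Stage("preprocessor", 30, 60), Stage("rules", 40, 0)],
    [Stage("decoder", 20, 0), Stage("rules", 300, 0)],
]
```

Packet 1 is stopped although its CPU time (50 us) is under the threshold, because the 60 us stall counts toward elapsed time; packet 2 shows the overshoot a long rules stage causes when the threshold is only checked at the next test point.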