Cisco Firepower Management Center 4000
FireSIGHT System User Guide, page 24-6
Chapter 24: Using Performance Settings in an Intrusion Policy

Understanding Rule Latency Thresholding
The trade-off for the performance and latency benefits derived from latency thresholding is that 
uninspected packets could contain attacks. However, rule latency thresholding gives you a tool you can 
use to balance security with connectivity.
When you enable rule latency thresholding, a timer measures the processing time each time a packet is 
processed against a group of rules. Any time the rule processing time exceeds a specified rule latency 
threshold, the system increments a counter. If the number of consecutive threshold violations reaches a 
specified number, the system takes the following actions:
  • suspends the rules for the specified period
  • triggers an event indicating the rules have been suspended
  • re-enables the rules when the suspension expires
  • triggers an event indicating the rules have been re-enabled
The system zeroes the counter when the group of rules has been suspended, or when rule violations are 
not consecutive. Permitting some consecutive violations before suspending rules lets you ignore 
occasional rule violations that might have negligible impact on performance and focus instead on the 
more significant impact of rules that repeatedly exceed the rule latency threshold.
The following example shows five consecutive rule processing times that do not result in rule 
suspension.
In the above example, the time required to process each of the first three packets violates the rule latency 
threshold of 1000 microseconds, and the violations counter increments with each violation. Processing 
of the fourth packet does not violate the threshold, and the violations counter resets to zero. The fifth 
packet violates the threshold and the violations counter restarts at one.
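The counter and suspension behaviour described above can be traced with a small simulation. The following is an added example written for this page; it is not code from the FireSIGHT System or from Cisco, and the class and function names are invented for illustration. The 1000-microsecond threshold comes from the example in the text; the "five consecutive violations" limit, the suspension length, and the 1000-microsecond spacing between packets are assumed values, and the second trace (one that does reach suspension) is constructed here because the guide's figure is not reproduced on this page.

```python
# Added example (not from the FireSIGHT guide): simulates the rule latency
# thresholding logic for one group of rules. Names and default values are
# assumptions made for this illustration.
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class RuleGroupLatencyMonitor:
    """Per-rule-group state: violation counter plus suspension timer."""
    threshold_us: int               # rule latency threshold (microseconds)
    max_consecutive: int            # consecutive violations before suspending
    suspension_us: int              # how long the group stays suspended
    consecutive_violations: int = 0
    suspended_until_us: Optional[int] = None
    events: List[Tuple[int, str]] = field(default_factory=list)

    def observe(self, now_us: int, processing_us: int) -> str:
        """Record one packet's rule processing time; return what happened."""
        # Re-enable the rules once the suspension period has expired.
        if self.suspended_until_us is not None and now_us >= self.suspended_until_us:
            self.suspended_until_us = None
            self.events.append((now_us, "rules re-enabled"))
        # While suspended, this packet is not inspected against the group.
        if self.suspended_until_us is not None:
            return "suspended"
        if processing_us > self.threshold_us:
            self.consecutive_violations += 1
            if self.consecutive_violations >= self.max_consecutive:
                self.suspended_until_us = now_us + self.suspension_us
                self.consecutive_violations = 0   # counter zeroed on suspension
                self.events.append((now_us, "rules suspended"))
                return "suspend"
            return "violation"
        # A packet under the threshold breaks the run of consecutive violations.
        self.consecutive_violations = 0
        return "ok"


def run_trace(processing_times_us, threshold_us=1000, max_consecutive=5,
              suspension_us=5000, packet_gap_us=1000):
    """Feed a list of per-packet processing times through the monitor.

    Returns (history, events) where history holds (outcome, counter) per
    packet. Packets are assumed to arrive packet_gap_us apart.
    """
    mon = RuleGroupLatencyMonitor(threshold_us, max_consecutive, suspension_us)
    history = []
    now = 0
    for t in processing_times_us:
        outcome = mon.observe(now, t)
        history.append((outcome, mon.consecutive_violations))
        now += packet_gap_us
    return history, mon.events


if __name__ == "__main__":
    # Trace 1: the page's example (no suspension). Three violations of the
    # 1000 us threshold, a reset on the fourth packet, then a fresh count of 1.
    print(run_trace([1500, 1200, 1100, 800, 1300]))
    # Trace 2 (constructed): five consecutive violations trigger suspension,
    # the next four packets are skipped, and the rules are re-enabled once the
    # assumed 5000 us suspension expires.
    print(run_trace([1500, 1400, 1300, 1200, 1100, 900, 900, 900, 900, 900]))
```

The first trace reproduces the counter sequence 1, 2, 3, 0, 1 from the text; the second shows the two events (suspended, then re-enabled) that an analyst would expect to see logged when a rule group repeatedly exceeds the threshold.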
The following example shows five consecutive rule processing times that do result in rule suspension.