Cisco Cisco FirePOWER Appliance 8360
24-8
FireSIGHT System User Guide
Chapter 24 Using Performance Settings in an Intrusion Policy
Understanding Rule Latency Thresholding
Many factors affect measurements of system performance, such as CPU speed, data rate, packet size, and
protocol type. For this reason, Cisco recommends that, if you enable rule latency thresholding, you use
the threshold settings in the following table until your own calculations provide you with settings
tailored to your particular network environment.
protocol type. For this reason, Cisco recommends that, if you enable rule latency thresholding, you use
the threshold settings in the following table until your own calculations provide you with settings
tailored to your particular network environment.
Determine the following when calculating your settings:
•
average packets per second
•
average microseconds per packet
Multiply the average microseconds per packet for your network by a significant safety factor to ensure
that you do not unnecessarily suspend rules.
that you do not unnecessarily suspend rules.
Configuring Rule Latency Thresholding
License:
Protection
You can enable or disable rule latency thresholding, and modify the rule latency threshold, the
suspension time for suspended rules, and the number of consecutive threshold violations that must occur
before suspending rules.
suspension time for suspended rules, and the number of consecutive threshold violations that must occur
before suspending rules.
To configure rule latency thresholding:
Access:
Admin/Intrusion Admin
Step 1
Select
Policies > Intrusion > Intrusion Policy.
The Intrusion Policy page appears.
Step 2
Click the edit icon (
) next to the policy you want to edit.
If you have unsaved changes in another policy, click
OK
to discard those changes and continue. See
for information on saving unsaved changes in another
policy.
The Policy Information page appears.
Step 3
Click
Advanced Settings
in the navigation panel on the left.
The Advanced Settings page appears.
Consecutive Threshold Violations
Before Suspending Rule
Before Suspending Rule
Specifies the consecutive number of times rules can take longer than the time set for
Threshold
to inspect packets before rules are suspended.
Suspension Time
Specifies the number of seconds to suspend a group of rules.
Table 24-3
Rule Latency Thresholding Options (continued)
Option
Description
Table 24-4
Minimum Rule Latency Threshold Settings
For this data rate...
Set threshold microseconds to at least...
1 Gbps
500
100 Mbps
1250
5 Mbps
5000