load question

[technick22]

Does using the web intellligence engine cause alot of load on the firewall?

I would like to start using it, but do not want to overload my appliances.

Thanks
Nick

[RayPesek]

That all depends on your hardware and how much bandwidth you're pushing through it that is subject to inspection. What is your hardware and total bandwidth? If you have almost any hardware built in the last five years, you'll probably be OK.

Ray

[cciesec2006]

I load tested the Nokia IP560 (2GB RAM) running IPSO 4.1 build 19
with NGx R61 & HFA_01 back in December 2006. The load testing
equipment I used is Spirent Web Avalanche/Reflector.

With SmartDefense/Web Intelligence turned OFF, I was able to
push about 700Mbps through the box.

With SmartDefense/Web Intelligence turned ON, I was able to push
about 60Mbps. Not only that, the box freezed and had to require
a mannual turned OFF/ON of the power switch.

[RayPesek]

So someone with a DS3 would be OK?

Check your ApacheFormatString protections. There should be two sets, one with an underscore near the end and one set without. If you have the ones WITHOUT the underscore enabled, disable them and enable the ones with the underscore instead. This ia a known issue and will cause freezing.

I haven't figured out why they can't just delete the non-underscore ones, though.

Ray

[cciesec2006]

Ray,

Again, it depends. However, with a DS3 connections, that should be
good for most environments.

One disclaimer: I could have destroyed the IP560 with 64k bytes packets
and lot of http/https connections from the Spirent Avlanche/Reflector.
Had I run the test to the fullest, I would think the Nokia IP560 would
freeze at 30Mbps and lot and lot of 64k connections. That would
criple the Nokia IP560; but again, it doesn't reflect the real environment,
unless you're under DoS or DDoS