Configuring Load-Time Parameters (NSM Procedure)

Load-time parameters include options for tuning IDP performance. In general, you modify these settings only if you encounter performance issues. These options control how the security module functions when it first powers on.

To configure load-time parameters:

  1. In NSM Device Manager, double-click the IDP device for which you want to configure load-time parameters. The device configuration editor appears.
  2. Click Sensor Settings.
  3. Click the Load Time Parameters tab.
  4. Configure load-time parameters using Table 51.
  5. Click Apply.
  6. Click OK.

    Table 51: IDP Device Configuration: Load Time Parameters

    Setting: Flow table size (requires sensor restart)
    Description: For improved IDP performance, set the flow table size to limit the size of the connection table. This setting should reflect the maximum number of concurrent flows you expect to have at any one time. A TCP connection has about two flows per session, and a UDP connection has about three flows per session. The default setting is 100,000 concurrent flows. If you change this value, you have to restart the IDP device.

    Setting: Enable log suppression
    Description: Log suppression reduces the number of logs displayed in the Log Viewer by displaying a single record for multiple occurrences of the same event.
    Note: If the reporting interval is set too high, log suppression can negatively impact IDP performance.

    Setting: Include destination IPs while performing log suppression
    Description: When log suppression is enabled, multiple occurrences of events with the same source IP, service, and matching attack object generate a single log record with a count of occurrences. If you enable this option, log suppression combines only log records for events that also have the same destination IP.

    Setting: Number of log occurrences after which log suppression begins
    Description: This number represents the number of identical log records received before suppression starts. The default is 1 (meaning log suppression begins with the first redundancy).

    Setting: Maximum number of logs that log suppression can operate on
    Description: When log suppression is enabled, IDP must cache log records so that it can identify when multiple occurrences of the same event occur. This number represents the number of log records in the IDP management server that IDP tracks for log suppression. The default is 16,384 log records.

    Setting: Time (seconds) after which suppressed logs will be reported
    Description: When log suppression is enabled, the IDP device maintains a count of multiple occurrences of the same event. This number represents the number of seconds that pass before IDP reports a single log entry containing the count of occurrences. The default is 10 seconds.

    Setting: Enable application identification
    Description: The application identification feature detects the application used by a session regardless of the port in use. We recommend that you disable this feature only when troubleshooting.

    Setting: Maximum number of Application Identification sessions
    Description: Specifies the maximum number of sessions for which application identification is in use. The default is 100,000. Valid values are 0 - 200,000. We recommend that you tune this setting only if you encounter issues.

    Setting: Enable policy sharing
    Description: This option allows two CPUs on a security module to share a policy, so that a policy containing all attack objects can be held within the maximum available memory. Note that memory usage also increases as the attack database grows.
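The four log-suppression settings in Table 51 interact: the key that defines "the same event", the occurrence threshold, the reporting interval and the cap on tracked records. The following Python model is an added illustration, not code from NSM or the IDP sensor; the class, the sample events and the assumption that the oldest tracked key is reported and dropped when the cache is full are all mine.

```python
from collections import OrderedDict

# Constructed sample events: (time_s, src_ip, dst_ip, service, attack_object).
# Three hits on one HTTP attack object from one source, a separate SSH event, then
# one more HTTP hit after the 10-second reporting interval has elapsed.
SAMPLE_EVENTS = [
    (0.0, "10.0.0.5", "192.0.2.10", "HTTP", "HTTP:DIR-TRAVERSAL"),
    (1.0, "10.0.0.5", "192.0.2.10", "HTTP", "HTTP:DIR-TRAVERSAL"),
    (2.0, "10.0.0.5", "192.0.2.11", "HTTP", "HTTP:DIR-TRAVERSAL"),
    (3.0, "10.0.0.9", "192.0.2.10", "SSH", "SSH:BRUTE-FORCE"),
    (12.0, "10.0.0.5", "192.0.2.10", "HTTP", "HTTP:DIR-TRAVERSAL"),
]

class LogSuppressor:
    """Hypothetical model of the Table 51 log-suppression settings (defaults as documented)."""

    def __init__(self, include_dst_ip=False, start_after=1, max_tracked=16384, report_interval=10.0):
        self.include_dst_ip, self.start_after = include_dst_ip, start_after
        self.max_tracked, self.report_interval = max_tracked, report_interval
        self.tracked = OrderedDict()   # key -> [window_start, occurrences]; insertion order = age
        self.output = []               # ("log" | "suppressed", key, count) as the Log Viewer sees it

    def _key(self, ev):
        _, src, dst, service, attack = ev
        return (src, service, attack, dst) if self.include_dst_ip else (src, service, attack)

    def _report(self, key):
        # Emit one summary record carrying the count of occurrences that were suppressed.
        _, count = self.tracked.pop(key)
        if count > self.start_after:
            self.output.append(("suppressed", key, count - self.start_after))

    def ingest(self, ev):
        now, key = ev[0], self._key(ev)
        if key in self.tracked and now - self.tracked[key][0] >= self.report_interval:
            self._report(key)   # reporting interval elapsed: flush and open a new window
        if key not in self.tracked:
            if len(self.tracked) >= self.max_tracked:
                self._report(next(iter(self.tracked)))   # cache full: report and drop oldest key
            self.tracked[key] = [now, 0]
        entry = self.tracked[key]
        entry[1] += 1
        if entry[1] <= self.start_after:
            self.output.append(("log", key, 1))   # still under the threshold: logged individually

    def finish(self):
        for key in list(self.tracked):
            self._report(key)
        return self.output

def run(events, **settings):
    """Feed events through a suppressor and return the records that would reach the Log Viewer."""
    s = LogSuppressor(**settings)
    for ev in events:
        s.ingest(ev)
    return s.finish()
```

With the defaults the three HTTP hits collapse to one logged record plus one summary with a count of 2, while enabling the destination-IP option splits them by destination so the summary count drops to 1.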
