Vsys CPU Limit Overview

By default, virtual systems within a single security system share the same CPU resources. It is possible for one virtual system (vsys) to consume excess CPU resources at the expense of other virtual systems.

For example, if one virtual system, within a security system that houses 20 virtual systems, experiences a DoS attack that consumes all of the CPU resources, the CPU is unable to process traffic for any of the other 19 virtual systems. In effect, all 20 virtual systems experience the DoS attack. CPU overutilization protection, also known as the CPU limit feature, is intended to protect against this.

Overutilization protection allows you to configure the security device for "fair use," or fair mode, as opposed to "shared use," or shared mode. To enable a fairer distribution of processing resources, you can assign a flow CPU utilization threshold to trigger a transition to fair mode, and you can choose a method for the transition back to shared mode. By default, the security device operates in shared mode.

To enforce fair use, you assign a CPU weight to each vsys that you configure. ScreenOS uses these weights, relative to the weights of all virtual systems in the security device, to assign time quotas proportional to those weights. ScreenOS then enforces the time quotas over one-second intervals. This means that as long as a vsys does not exceed its time quota within that one-second period and the firewall is not too heavily loaded, no packets for that vsys should be dropped.

Note: The CPU overutilization protection feature is independent of the session limits imposed by a vsys profile.

As system administrator, you determine how much traffic passes through a given vsys in fair mode by setting its CPU weight in relation to that of other virtual systems.

You must identify any anticipated burstiness while the security system is in fair mode, and then choose the CPU weight for each vsys appropriately so that bursts pass through the security system. We recommend verifying that adverse packet dropping does not occur with the chosen weights prior to deployment. With this feature, you can also ensure a fixed CPU weight for the root vsys.
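The following is an added, simplified model of the mechanism described above (example code, not ScreenOS code): weights are turned into per-vsys time quotas over a 1000 ms interval, a flow CPU utilization threshold switches between shared and fair mode, and a pre-deployment check flags any vsys whose anticipated burst exceeds its quota. The vsys names, weights, demand figures and the first-come-first-served behaviour of shared mode are constructed assumptions.

```python
# Simplified model of ScreenOS vsys CPU-limit behaviour (added example, not ScreenOS code).
# Assumptions (constructed): one interval = 1000 ms of CPU; "demand" is the CPU time (ms)
# each vsys's traffic would need in that interval; shared mode serves vsys in arrival order
# until the CPU is exhausted; fair mode caps every vsys at its weighted quota.

INTERVAL_MS = 1000


def time_quotas(weights, interval_ms=INTERVAL_MS):
    """Quota per vsys: its weight relative to the sum of all weights, as ms of one interval."""
    if any(w <= 0 for w in weights.values()):
        raise ValueError("CPU weights must be positive")
    total = sum(weights.values())
    return {vsys: interval_ms * w / total for vsys, w in weights.items()}


def schedule_interval(weights, demand_ms, mode, threshold_pct, interval_ms=INTERVAL_MS):
    """Return (served_ms, dropped_ms, mode) for one interval.

    mode is 'shared' or 'fair'. Fair mode is entered when flow CPU utilization
    (total demand / interval) reaches the threshold; here the return method is
    simply dropping back to shared mode once utilization is below the threshold."""
    utilization_pct = 100.0 * sum(demand_ms.values()) / interval_ms
    if mode == "shared" and utilization_pct >= threshold_pct:
        mode = "fair"
    elif mode == "fair" and utilization_pct < threshold_pct:
        mode = "shared"
    served, dropped = {}, {}
    if mode == "shared":
        remaining = interval_ms                      # one vsys can consume it all
        for vsys, need in demand_ms.items():
            got = min(need, remaining)
            remaining -= got
            served[vsys], dropped[vsys] = got, need - got
    else:
        quotas = time_quotas(weights, interval_ms)   # each vsys capped at its quota
        for vsys, need in demand_ms.items():
            got = min(need, quotas[vsys])
            served[vsys], dropped[vsys] = got, need - got
    return served, dropped, mode


def over_quota(weights, peak_demand_ms, interval_ms=INTERVAL_MS):
    """Pre-deployment check: vsys whose anticipated burst exceeds its fair-mode quota."""
    quotas = time_quotas(weights, interval_ms)
    return [v for v, peak in peak_demand_ms.items() if peak > quotas[v]]


if __name__ == "__main__":
    weights = {"root": 2, "vsys1": 1, "vsys2": 1}            # constructed
    flood = {"vsys1": 1500, "root": 200, "vsys2": 100}        # vsys1 under a flood
    print(schedule_interval(weights, flood, "shared", 80))   # fair mode: only vsys1 drops
    print(schedule_interval(weights, flood, "shared", 200))  # stays shared: root/vsys2 starve
    print(over_quota(weights, {"root": 400, "vsys1": 300, "vsys2": 100}))
```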

For more information on setting and viewing CPU limits, see Concepts & Examples ScreenOS Reference Guide.
