IDP Performance and Capacity Tuning
This topic provides an overview on performance and capacity tuning for an Intrusion Detection and Prevention (IDP) session.
For more information, see the following topics:
Performance and Capacity Tuning for IDP Overview
This topic provides an overview on performance and capacity tuning for an Intrusion Detection and Prevention (IDP) session.
If you are deploying IDP policies, you can configure the device to increase IDP session capacity. By using the provided commands to change the way the system allocates resources, you can achieve higher IDP session capacity.
By using the maximize-idp-sessions command, you can increase the IDP session capacity. In this mode, by default, the device assigns a greater weight value to firewall functions. Based on your IDP policy, you can shift the weight to IDP functions to maximize IDP performance. By shifting weight, you are increasing capacity and allocating more processing power for the given service.
You should not configure the device to increase IDP session capacity if you are not using an IDP policy.
The device ships with an implicit default session capacity setting. This default value adds weight to firewall sessions. You can manually override the default by adding the maximize-idp-sessions setting to your configuration. When you do this, in addition to IDP session scaling, you can choose to assign weight values of equal, firewall, or IDP to firewall and IDP functions. Typically, when you only include IDP-recommended attacks or client-to-server attacks in your IDP policy, IDP functions consume less CPU resources, for this reason, you would select weight firewall to maximize device performance. Alternatively, if you add server-to-client attacks to your IDP policy, IDP functions consume higher CPU resources. For this reason, you would select weight IDP to maximize performance. Essentially, you will need to configure the weight based on the desired IDP policy and performance. You do this by examining the CPU resource utilization on the packet forwarding engine by using the show security monitoring fpc number command.
See Also
Configuring Session Capacity for IDP (CLI Procedure)
The configuration instructions in this topic describe how modify session capacity for IDP policies.
You do this by adding the maximize-idp-sessions command and then adding the weight option to specify IDP sessions.
The weight option depends on the maximize-idp-sessions command being set.
To turn maximize-idp-sessions settings off, remove the maximize-idp-sessions configuration.
You must reboot the device for any maximize-idp-sessions setting changes to take effect.