Performance impact of bi-directional TLS inspection in Deep Security

Product / Version includes:

Deep Security20.0

Last updated: 2024/06/13

Solution ID: KA-0016761

Category: Troubleshoot

Summary

Customer who uses Intrusion Prevention module (IPS) with Advanced TLS Traffic Inspection in the following environments might have a performance impact on network latency and memory usage:

Reverse proxy
Container environment

Root Cause

To inspect TLS traffic, the network engine waits for session keys for 200ms at most [1]. The latency impact increased by inspecting bi-directional traffic. Similarly to memory usage, the TLS inspection between containers will consume higher memory usage.

Resolution

Bi-directional TLS inspection is usually for different attack surfaces. But it's not necessary for a reverse proxy. If an unacceptable application latency or memory usage happens, here is some advice:

Remove one side IPS rules of specific ports if possible
Disable one side of Advanced TLS Traffic Inspection [2]

[1] 200ms is the usual minimum for TCP retransmission timeout (RTO)
[2] The separated two toggles of Advanced TLS Traffic Inspection have been available since Deep Security Agent 20.0.1-12510. For the on-premise users, Deep Security Manager 20.0.913 is also required.

Was this article helpful?

Featured

Automation Center

Education Portal

Online Help Center

Service Status

TrendConnect

Performance impact of bi-directional TLS inspection in Deep Security

Root Cause

Resolution

Performance impact of bi-directional TLS inspection in Deep Security

Product / Version includes:

Summary

Root Cause

Resolution