During periods of high traffic, the IPS/TPS creates log entries and sends notifications to the SMS. These notifications consume CPU cycles that would otherwise be used for traffic inspection, so the system can suspend them automatically when it is congested. By default, the IPS/TPS enters "Performance Protection" mode when congestion (reported as loss in the log) exceeds 1% of traffic in two consecutive 5-second windows (10 seconds total). When the device enters Performance Protection, the IPS logs show warning messages similar to:
<WARN> [ HA] Performance Protection threshold exceeded (loss = 10.6%, threshold = 1.0%)
<WARN> [ HA] Disabling alerts for the next 600 seconds. Policy is still enforced
<WARN> [ HA] Exiting Performance Protection mode. Alert logging will resume (137 alerts not logged)
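The three warning lines above are the only record that alerts were dropped, so it is worth parsing them out of the collected logs to see how often the device enters Performance Protection and how many alerts were lost each time. The script below is an added example, not TippingPoint code: it groups the entry, "Disabling alerts" and "Exiting" lines into episodes (including an episode that is still open at the end of the log) and also models the documented entry rule, loss above the threshold in two consecutive 5-second windows. The leading timestamp on each sample line is an assumed syslog-style prefix and is ignored by the parser; the sample log itself is constructed, not a real capture.

```python
"""Parse Performance Protection warnings from IPS/TPS logs and model the entry rule."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Message formats taken from the warning lines shown above.
ENTER_RE = re.compile(
    r"Performance Protection threshold exceeded \(loss = ([\d.]+)%, threshold = ([\d.]+)%\)")
DISABLE_RE = re.compile(r"Disabling alerts for the next (\d+) seconds")
EXIT_RE = re.compile(
    r"Exiting Performance Protection mode\. Alert logging will resume \((\d+) alerts not logged\)")


@dataclass
class Episode:
    loss_pct: float
    threshold_pct: float
    suppress_seconds: Optional[int] = None   # from the "Disabling alerts" line
    alerts_not_logged: Optional[int] = None  # None while the episode is still open


def parse_episodes(lines) -> List[Episode]:
    """Group the warning lines into Performance Protection episodes.

    An entry line opens an episode; the next "Exiting" line closes it. A trailing
    open episode means the device was still in Performance Protection at the end
    of the log (or the exit line was lost), so it is kept with alerts_not_logged=None.
    """
    episodes: List[Episode] = []
    current: Optional[Episode] = None
    for line in lines:
        m = ENTER_RE.search(line)
        if m:
            current = Episode(float(m.group(1)), float(m.group(2)))
            episodes.append(current)
            continue
        m = DISABLE_RE.search(line)
        if m and current is not None:
            current.suppress_seconds = int(m.group(1))
            continue
        m = EXIT_RE.search(line)
        if m and current is not None:
            current.alerts_not_logged = int(m.group(1))
            current = None
    return episodes


def summarize(episodes: List[Episode]) -> dict:
    """How often protection kicked in, how many alerts were dropped, worst loss seen."""
    closed = [e for e in episodes if e.alerts_not_logged is not None]
    return {
        "episodes": len(episodes),
        "still_open": any(e.alerts_not_logged is None for e in episodes),
        "alerts_not_logged": sum(e.alerts_not_logged for e in closed),
        "max_loss_pct": max((e.loss_pct for e in episodes), default=0.0),
    }


def first_trigger_window(window_loss_pct, threshold_pct=1.0, consecutive=2):
    """Model of the documented entry rule (assumed to match the device exactly):
    loss above threshold_pct in `consecutive` back-to-back 5-second windows.
    Returns the 0-based index of the window that completes the run, or None.
    A single window at or under the threshold resets the run."""
    run = 0
    for i, loss in enumerate(window_loss_pct):
        run = run + 1 if loss > threshold_pct else 0
        if run >= consecutive:
            return i
    return None


# Constructed sample log (not a real capture); timestamp prefix is assumed.
SAMPLE_LOG = """\
2024-03-01 10:00:00 <WARN> [ HA] Performance Protection threshold exceeded (loss = 10.6%, threshold = 1.0%)
2024-03-01 10:00:00 <WARN> [ HA] Disabling alerts for the next 600 seconds. Policy is still enforced
2024-03-01 10:10:00 <WARN> [ HA] Exiting Performance Protection mode. Alert logging will resume (137 alerts not logged)
2024-03-01 11:30:05 <WARN> [ HA] Performance Protection threshold exceeded (loss = 3.2%, threshold = 1.0%)
2024-03-01 11:30:05 <WARN> [ HA] Disabling alerts for the next 600 seconds. Policy is still enforced
2024-03-01 11:40:05 <WARN> [ HA] Exiting Performance Protection mode. Alert logging will resume (12 alerts not logged)
2024-03-01 13:05:10 <WARN> [ HA] Performance Protection threshold exceeded (loss = 1.4%, threshold = 1.0%)
2024-03-01 13:05:10 <WARN> [ HA] Disabling alerts for the next 600 seconds. Policy is still enforced
"""

if __name__ == "__main__":
    eps = parse_episodes(SAMPLE_LOG.splitlines())
    for e in eps:
        print(e)
    print(summarize(eps))
    # 0.4% in the third window resets the run; windows 4 and 5 trigger entry
    print(first_trigger_window([0.2, 1.5, 0.4, 2.0, 3.1]))
```

Point the parser at the exported IPS log (or the SMS syslog feed) and alert on `still_open` or on a rising episode count per day; the exit line reports only a count, so the alerts suppressed during the 600-second window are not recoverable from the device.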
Only alert notification is suspended: the policy is still enforced, but alerts raised during the window are not logged, and only their count is reported on exit. The following steps reduce how often "Performance Protection" is triggered:
- Use Flow Management filters.
- Enable Best Effort Mode (N-Platform).
- Disable poorly performing filters, that is, filters that send large amounts of traffic to deep inspection but rarely trigger with a "Successful" result.
- Use Traffic Management rules to let trusted traffic bypass inspection.
- Configure "Logging Mode" to prevent traffic-related event notifications (such as those generated when a triggered filter uses a Block + Notify or Permit + Notify action set) from causing congestion.