Former Member
Message 1 of 7

Device performance - Sensor Throughput Utilization

Hello everybody

Often in NSM I receive this system fault notification: "Device performance - Sensor Throughput Utilization".

Is that supposed to mean that the Sensor's aggregate performance is 200 Mbps and that it is no longer capable of monitoring traffic due to the bulk of NetFlow?

Sensor's model M 1450

Thanks, kind regards.

1 Solution

Accepted Solutions
petermason
Reliable Contributor
Message 5 of 7

Re: Device performance - Sensor Throughput Utilization

Hi Benjamin,

I'm not sure that disabling the policy will have any impact, as my understanding of this error is that the volume of traffic reaching the sensor is too large for it to scan.

Do you allow the above type of traffic on your network? Are you sure you want to white list it?

Read chapter 23 - Firewall Policies of the IPS Administration guide and look at applying firewall rules Pre-Device and Stateless Scanning Exception to see if either of these options will help in your situation. If you have the capability, try to test these options first.

If you expect the traffic on this network segment to continuously exceed the maximum capacity of the sensor you may just need to deploy a larger model. 

Peter

6 Replies
petermason
Reliable Contributor
Message 2 of 7

Re: Device performance - Sensor Throughput Utilization

Hi Benjamin,

This does not necessarily mean that the sensor is dropping traffic; the fault message should tell you the % utilization reached.

If it is at 100% then you are pushing the sensor to its limit and it will not inspect traffic; if it's below 100% then it's just a warning.

You can configure the thresholds for alerting at Devices > My Company > Common Device Settings > Performance Monitoring.

I see these errors on some of our devices and have been able to identify the cause as large batch jobs and backups being run off hours that use up all the network bandwidth.

Are you able to identify any cause or pattern like certain times of day that this occurs?

Peter
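
One way to look for the time-of-day pattern asked about in the reply above, as an added example that is not part of the original thread. It runs on constructed throughput samples (not an NSM export format), takes the 200 Mbps figure from the question, and assumes an 80% warning threshold.

```python
from collections import defaultdict
from datetime import datetime

RATED_MBPS = 200.0   # aggregate figure quoted in the question for the M 1450
WARN_PCT = 80.0      # assumed warning threshold; match your own NSM setting

# Constructed samples: (ISO timestamp, observed Mbps). Not an NSM export format.
SAMPLES = [
    ("2024-03-04T01:00", 188), ("2024-03-04T01:30", 204), ("2024-03-04T10:00", 95),
    ("2024-03-04T14:00", 171), ("2024-03-05T01:00", 197), ("2024-03-05T01:30", 176),
    ("2024-03-05T10:00", 88),  ("2024-03-06T01:00", 210), ("2024-03-06T10:00", 102),
    ("2024-03-06T23:00", 140),
]

def utilization_pct(mbps, rated=RATED_MBPS):
    """Throughput as a percentage of rated capacity, capped at 100."""
    return min(100.0, 100.0 * mbps / rated)

def recurring_hours(samples, warn_pct=WARN_PCT, min_day_fraction=0.6):
    """Return {hour: (days_over, peak_pct)} for hours of day that crossed the
    warning threshold on at least min_day_fraction of the observed days."""
    all_days = set()
    days_over = defaultdict(set)   # hour -> dates on which it crossed the threshold
    peak = defaultdict(float)      # hour -> highest utilization seen in that hour
    for stamp, mbps in samples:
        ts = datetime.fromisoformat(stamp)
        all_days.add(ts.date())
        pct = utilization_pct(mbps)
        if pct >= warn_pct:
            days_over[ts.hour].add(ts.date())
            peak[ts.hour] = max(peak[ts.hour], pct)
    needed = min_day_fraction * len(all_days)
    return {h: (len(d), peak[h]) for h, d in sorted(days_over.items())
            if len(d) >= needed}

def saturated(samples):
    """Timestamps at 100% utilization, where inspection is at risk."""
    return [stamp for stamp, mbps in samples if utilization_pct(mbps) >= 100.0]

if __name__ == "__main__":
    for hour, (days, peak_pct) in recurring_hours(SAMPLES).items():
        print(f"{hour:02d}:00  over threshold on {days} day(s), peak {peak_pct:.0f}%")
    print("saturated:", saturated(SAMPLES))
```

An hour that crosses the threshold on most observed days points to a scheduled job such as a backup; a one-off crossing (14:00 in the sample data) is filtered out.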

Former Member
Message 3 of 7

Re: Device performance - Sensor Throughput Utilization

Hey Peter

After analyzing traffic for a couple of days I saw that the NetFlow bulk is beyond 200; that's why I guess the Device performance - Sensor Throughput Utilization happens.

The top alert in my NSM is P2P: Skype Logon Process Detected.

If I disable this policy, will this change reduce the amount of traffic that comes to the Sensor, presuming that the Sensor will drop this kind of "Attack"?

Thanks, Peter

Former Member
Message 4 of 7

Re: Device performance - Sensor Throughput Utilization

Is there anybody to answer this question? Thanks.

Former Member
Message 6 of 7

Re: Device performance - Sensor Throughput Utilization

Hello Peter, how are you today?

I want to make a rule that will decline this traffic based on these three policies:

P2P: Skype logon process detected (Inbound/Outbound)

P2P: Bittorrent File Transfer Handshaking (Inbound/Outbound)

P2P: Bittorrent Meta-Info Retrieving (Inbound/Outbound)

Is that possible?

Can the Enterprise Network use Skype after deploying this rule?

Thanks.

petermason
Reliable Contributor
Message 7 of 7

Re: Device performance - Sensor Throughput Utilization

Hi Benjamin,

I don't know if Skype will work after you block the logon process; I would assume not. You can create a firewall rule to block or drop this traffic for a single IP address to test what happens.

Peter
