0 Replies Latest reply on Sep 6, 2017 2:20 PM by jebeling

    Load Aware Web Gateway Anti-malware Scanning and Blocking Saves Resources and Money

    jebeling

      If you are experienced with enabling anti-malware scanning on MWG, whether signature based or the emulation based Gateway Anti-Malware, you know that anti-malware scanning significantly reduces the overall req/sec capacity of the appliances (physical or virtual). This makes sense, because thorough anti-malware screening takes a lot of cycles. An appliance with SSL scanning on that is not scanning for anti-malware can typically handle 3x or more the number of requests it can handle when SSL scanning is on and all content that can be scanned is being scanned. While best practice is to have SSL scanning on for all but a few selected trusted categories or sites, and to scan with Gateway Anti-Malware all downloads that can be scanned, this can result in assigning many more dedicated resources to your web gateways just to handle redundancy and short term peaks. These resources will be under-utilized at all other times.

       

      The level of resources (appliances and VMs) required to handle peaks can be dramatically reduced by monitoring the CPU load and either offloading or bursting anti-malware to the Web Gateway Cloud Service (requires WPS, SWE, or CSS licenses for all users) as described here: Load Aware Burst to WGCS Saves Resources and Money, or by simply blocking or bypassing anti-malware for select sites as described below.

       

      If you don't have a license for Web Gateway Cloud Service and are willing to slightly diminish your security posture and/or block non-critical sites in times of peak load, you can dramatically reduce the resources you need to purchase and maintain. The trick is to intelligently use the load awareness feature of the MWG. When CPU load is high, you can temporarily reduce the load by blocking non-critical sites in the request cycle and/or not scanning trusted sites in business critical categories in the response and embedded cycles. CPULoad is a statistics counter value that can be used in a rule criterion. An example ruleset is attached (recommended placement is after URL Filtering but before any DLP or Anti-Malware rulesets) and looks like this (note: do not enable this ruleset in the cloud):

       

      Rule Sets

      Load Aware Block or Bypass Antimalware

      [This ruleset blocks non-critical sites and bypasses anti-malware for trusted sites when a high load condition exists. High load condition is when Current CPU Load is higher than User-Defined.CPULoadThreshold. The user defined threshold defaults to 80, but can be set as desired in the User Defined Properties area of the Rulesets.]

      [✘] Disabled  [✘] Disabled in Cloud
      Applies to: [✔] Requests  [✔] Responses  [✔] Embedded Objects
      Rule set criteria:
        1: Statistics.Counter.GetCurrent("CPULoad")<Default> greater than or equals User-Defined.CPULoadThreshold
        2: OR User-Defined.HighLoadRequest equals true

      Rules (Enabled | Rule | Action | Events | Comments):

      [✔] Enabled  Capture Load Value and High Load as UDPs for Entire Transaction
        Criteria:
          1: Cycle.Name equals "Request"
        Action: Continue
        Events:
          Set User-Defined.HighLoadRequest = true
          Set User-Defined.CPULoad = Statistics.Counter.GetCurrent("CPULoad")<Default>
        Comment: This would also be a good place to add events to syslog or send an email to notify an administrator of the high load condition.

      [✔] Enabled  High Load Block
        Criteria:
          1: URL.ReputationString<Default> does not equal "Minimal Risk"
          2: OR URL.Categories<Default> at least one in list High Load Blocked Categories
          3: OR URL.Categories<Default> equals Empty Category List
        Action: Block <High Load URL Blocked>
        Events:
          Set User-Defined.CPU-Load-Logline =
               "Load URL Blocked (CPU Load: " +
               Number.ToString(User-Defined.CPULoad) +
               ") " +
               URL.ReputationString<Default> +
               " " +
               List.OfCategory.ToString(URL.Categories<Default>) +
               " " +
               URL +
               " " +
               Authentication.UserName +
               " " +
               IP.ToString(Client.IP)
          FileSystemLogging.WriteLogEntry(User-Defined.CPU-Load-Logline)<CPU Load Bypass>
        Comment: Block select content when load is high.

      [✔] Enabled  High Load Anti-Malware Bypass
        Criteria:
          1: URL.ReputationString<Default> equals "Minimal Risk"
          2: AND URL.Categories<Default> at least one in list Categories Allowed for Anti-malware Bypass
          3: AND URL.Categories<Default> none in list Categories Not Allowed for Antimalware Bypass
        Action: Stop Cycle
        Events:
          Set User-Defined.CPU-Load-Logline =
               "Load Bypass Antimalware (CPU Load: " +
               Number.ToString(User-Defined.CPULoad) +
               ") " +
               URL.ReputationString<Default> +
               " " +
               List.OfCategory.ToString(URL.Categories<Default>) +
               " " +
               URL +
               " " +
               Authentication.UserName +
               " " +
               IP.ToString(Client.IP)
          FileSystemLogging.WriteLogEntry(User-Defined.CPU-Load-Logline)<CPU Load Bypass>
        Comment: Bypass Anti-malware for select content when load is high.
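To make the rule ordering and the per-transaction properties concrete, here is an added Python model of the rule set's decision logic. It is an illustration written for this page, not an MWG export or McAfee code. The threshold is the rule set's default of 80; the three category lists, the sample URLs, user name and client IP are constructed stand-ins for the lists the real rules reference, and the value 0 for a User-Defined.CPULoad that was never set is an assumption of the model.

```python
"""Model of the 'Load Aware Block or Bypass Antimalware' rule set.

Added illustration, not an MWG export: it replays the three rules in plain
Python so the ordering and the user-defined properties (UDPs) that persist
across the cycles of one transaction can be checked against sample requests.
"""
from dataclasses import dataclass, field

# User-Defined.CPULoadThreshold (the rule set's default is 80)
CPU_LOAD_THRESHOLD = 80

# Constructed stand-ins for the three lists the rules reference.
HIGH_LOAD_BLOCKED_CATEGORIES = {"Streaming Media", "Games", "Social Networking"}
CATEGORIES_ALLOWED_FOR_BYPASS = {"Business", "Finance/Banking", "Software/Hardware"}
CATEGORIES_NOT_ALLOWED_FOR_BYPASS = {"Malicious Sites", "Malicious Downloads"}


@dataclass
class Transaction:
    """One web transaction. The last three fields model the UDPs and the
    file log; MWG keeps UDPs for every cycle of the same transaction."""
    url: str
    reputation: str          # URL.ReputationString, e.g. "Minimal Risk"
    categories: frozenset    # URL.Categories; empty = uncategorized
    user: str = "jdoe"                # constructed Authentication.UserName
    client_ip: str = "10.0.0.25"      # constructed Client.IP
    high_load_request: bool = False   # User-Defined.HighLoadRequest
    cpu_load: int = 0                 # User-Defined.CPULoad (assumed 0 if never set)
    log: list = field(default_factory=list)


def _logline(prefix, tx):
    """Same fields, in the same order, as the CPU-Load-Logline the rules build."""
    cats = ",".join(sorted(tx.categories)) or "-"
    return (f"{prefix} (CPU Load: {tx.cpu_load}) {tx.reputation} {cats} "
            f"{tx.url} {tx.user} {tx.client_ip}")


def evaluate_cycle(tx, cycle, current_cpu_load):
    """Run the rule set for one cycle ("Request", "Response" or "Embedded").

    Returns "continue" (rule set not entered, or no rule matched, so the
    anti-malware rule set placed after this one still runs), "block", or
    "stop_cycle" (the cycle ends here, so the later anti-malware rules are
    skipped for this cycle).
    """
    # Rule set criteria: load at or over the threshold, OR the flag captured
    # earlier in this transaction. The flag keeps the whole transaction in
    # high-load mode even if the CPU has dropped by the time the response arrives.
    if not (current_cpu_load >= CPU_LOAD_THRESHOLD or tx.high_load_request):
        return "continue"

    # Rule 1 (Continue): capture the load and the flag in the Request cycle only.
    if cycle == "Request":
        tx.high_load_request = True
        tx.cpu_load = current_cpu_load

    # Rule 2 (Block): anything not Minimal Risk, anything in the blocked
    # categories, and anything uncategorized is blocked outright.
    if (tx.reputation != "Minimal Risk"
            or tx.categories & HIGH_LOAD_BLOCKED_CATEGORIES
            or not tx.categories):
        tx.log.append(_logline("Load URL Blocked", tx))
        return "block"

    # Rule 3 (Stop Cycle): trusted, business-critical content skips scanning.
    if (tx.reputation == "Minimal Risk"
            and tx.categories & CATEGORIES_ALLOWED_FOR_BYPASS
            and not tx.categories & CATEGORIES_NOT_ALLOWED_FOR_BYPASS):
        tx.log.append(_logline("Load Bypass Antimalware", tx))
        return "stop_cycle"

    # Minimal Risk but in neither bypass list: falls through and is scanned.
    return "continue"


def run_transaction(tx, loads_per_cycle):
    """Evaluate the Request, Response and Embedded cycles with the CPU load
    observed at each, stopping after a Block as the gateway would."""
    actions = []
    for cycle, load in zip(("Request", "Response", "Embedded"), loads_per_cycle):
        action = evaluate_cycle(tx, cycle, load)
        actions.append(action)
        if action == "block":
            break
    return actions


if __name__ == "__main__":
    samples = [  # (transaction, CPU load seen at Request/Response/Embedded)
        (Transaction("https://intranet.example.com/q3.xlsx", "Minimal Risk",
                     frozenset({"Business"})), [85, 40, 40]),
        (Transaction("https://cdn.example.net/clip.mp4", "Minimal Risk",
                     frozenset({"Streaming Media"})), [90, 90, 90]),
        (Transaction("http://unknown.example/", "Minimal Risk", frozenset()), [90, 90, 90]),
        (Transaction("https://news.example.com/", "Minimal Risk",
                     frozenset({"News"})), [90, 90, 90]),
    ]
    for tx, loads in samples:
        print(run_transaction(tx, loads), tx.log)
```

Two things the model makes visible: the flag set by rule 1 in the Request cycle keeps the transaction in high-load mode for the Response and Embedded cycles even if the CPU has dropped below the threshold by then; and because rule 1 only fires in the Request cycle, a transaction whose load first crosses the threshold during the Response cycle is still blocked or bypassed but logs the never-set User-Defined.CPULoad (0 in this model) rather than the load that triggered it.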