This does not necessarily mean that the sensor is dropping traffic; the fault message should tell you the % utilization reached.
If it is at 100% then you are pushing the sensor to its limit and it will not inspect traffic; if it's below 100% then it's just a warning.
You can configure the thresholds for alerting at Devices > My Company > Common Device Settings > Performance Monitoring.
I see these errors on some of our devices and have been able to identify the cause as large batch jobs and backups being run off hours that use up all the network bandwidth.
Are you able to identify any cause or pattern like certain times of day that this occurs?
After analyzing traffic for a couple of days, I saw that the NetFlow bulk is beyond 200; that's why, I guess, the Device performance - Sensor Throughput Utilization happens.
The top alert in my NSM is P2P: Skype Logon Process Detected.
If I disable this policy, will this change reduce the amount of traffic that comes to the Sensor, presuming that the Sensor will drop this kind of "Attack"?
Is there anybody to answer this question? Thanks.
I'm not sure that disabling the policy will have any impact, as my understanding of this error is that the volume of traffic reaching the sensor is too large for it to scan.
Do you allow the above type of traffic on your network? Are you sure you want to whitelist it?
Read chapter 23 - Firewall Policies of the IPS Administration guide and look at applying firewall rules Pre-Device and Stateless Scanning Exception to see if either of these options will help in your situation. If you have the capability, try to test these options first.
If you expect the traffic on this network segment to continuously exceed the maximum capacity of the sensor, you may just need to deploy a larger model.
Hello Peter, how are you today?
I want to make a rule that will decline this traffic based on these three policies:
P2P: Skype logon process detected (Inbound/Outbound)
P2P: Bittorrent File Transfer Handshaking (Inbound/Outbound)
P2P: Bittorrent Meta-Info Retrieving (Inbound/Outbound)
Is that possible?
Can the Enterprise Network use Skype after deploying this rule?
I don't know if Skype will work after you block the logon process; I would assume not. You can create a firewall rule to block or drop this traffic for a single IP address to test what happens.