6 Replies Latest reply on Mar 16, 2016 4:46 AM by peter.mason

    Device performance - Sensor Throughput Utilization

    unrival

      Hello everybody

      Often in NSM I receive this system fault notification: "Device performance - Sensor Throughput Utilization"

      Is that supposed to mean that the Sensor's aggregate performance is 200 Mbps and it is no longer capable of monitoring traffic due to the bulk of NetFlow?

      Sensor's model M 1450

      Thanks, kind regards.

        • 1. Re: Device performance - Sensor Throughput Utilization
          peter.mason

          Hi Benjamin,

           

          This does not necessarily mean that the sensor is dropping traffic; the fault message should tell you the % utilization reached.

          If it is at 100% then you are pushing the sensor to its limit and it will not inspect traffic; if it's below 100% then it's just a warning.

          You can configure the thresholds for alerting at Devices > My Company > Common Device Settings > Performance Monitoring.

           

          I see these errors on some of our devices and have been able to identify the cause as large batch jobs and backups being run off hours that use up all the network bandwidth.

           

          Are you able to identify any cause or pattern like certain times of day that this occurs?

           

          Peter

          • 2. Re: Device performance - Sensor Throughput Utilization
            unrival

            Hey Peter

            After analyzing traffic for a couple of days I saw that the NetFlow bulk is beyond 200; that's why, I guess, the "Device performance - Sensor Throughput Utilization" happens.

            The top alert in my NSM is P2P: Skype Logon Process Detected.

            If I disable this policy, will this change reduce the amount of traffic that comes to the Sensor, presuming that the Sensor will drop this kind of "Attack"?

            Thanks, Peter

            • 3. Re: Device performance - Sensor Throughput Utilization
              unrival

              Is there anybody to answer this question? Thanks.

              • 4. Re: Device performance - Sensor Throughput Utilization
                peter.mason

                Hi Benjamin,

                 

                I'm not sure that disabling the policy will have any impact, as my understanding of this error is that the volume of traffic reaching the sensor is too large for it to scan.

                 

                Do you allow the above type of traffic on your network? Are you sure you want to whitelist it?

                Read chapter 23 - Firewall Policies of the IPS Administration guide and look at applying firewall rules Pre-Device and Stateless Scanning Exception to see if either of these options will help in your situation. If you have the capability, try to test these options first.

                 

                If you expect the traffic on this network segment to continuously exceed the maximum capacity of the sensor you may just need to deploy a larger model. 

                 

                Peter

                • 5. Re: Device performance - Sensor Throughput Utilization
                  unrival

                  Hello Peter, how are you today?

                  I want to make a rule that will decline this traffic based on these three policies:

                  P2P: Skype logon process detected (Inbound/Outbound)

                  P2P: Bittorrent File Transfer Handshaking (Inbound/Outbound)

                  P2P: Bittorrent Meta-Info Retrieving (Inbound/Outbound)

                  Is that possible?

                  Can the enterprise network use Skype after deploying this rule?

                  Thanks.

                  • 6. Re: Device performance - Sensor Throughput Utilization
                    peter.mason

                    Hi Benjamin,

                     

                    I don't know if Skype will work after you block the logon process; I would assume not. You can create a firewall rule to block or drop this traffic for a single IP address to test what happens.

                     

                    Peter