Performance tips for intrusion prevention
To improve system resource utilization on Deep Security Agent, optimize certain performance-related settings.
For an overview of the intrusion prevention module, see Block exploit attempts using Intrusion Prevention.
|System resource||Settings that impact performance|
|Network usage or throughput||
When an agent is assigned a large number of intrusion prevention rules, the size of the configuration package can exceed the maximum allowed size. When the allowed size is exceeded, the status of the agent changes to "Agent configuration package too large" and the event message "Configuration package too large" appears.
On 32-bit Windows platforms, the configuration limit is 20 MB because less kernel memory is available. For other platforms, the limit is 32 MB.
For performance reasons, you should have fewer than 350 intrusion prevention rules assigned to a computer. To minimize the number of required rules, ensure all available patches are applied to the computer operating system and any third-party software that is installed.
- Apply available patches to the computer operating system.
- Apply available patches to any third-party software that is installed.
- Apply only the intrusion prevention rules that a recommendation scan recommends. Remove any rules from the computer or the assigned policy that are recommended for unassignment. (See Manage and run recommendation scans.)
- If you are managing intrusion prevention at the policy level and the configuration package is still too large, configure intrusion prevention in one of the following ways:
  - Make the policy more granular, so that all servers in that policy have the same operating system and applications.
  - Manage intrusion prevention at the server level so that rules are added and removed automatically for the computer.
Use the following procedure to manage intrusion prevention at the server level.
- Open the editor for the policy that is assigned to the computer.
- Click Intrusion Prevention > General.
- In the Recommendations section, set Automatically implement Intrusion Prevention Recommendations (when possible) to Yes.
- Remove any intrusion prevention rules from the policy.
- Run a recommendation scan on the computer.
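
The effect of policy granularity on rule count can be checked offline before restructuring policies. The following is an added example, not from the original page or from the product: it assumes a policy delivers the union of its members' recommended rules to every agent, and the computer names, profiles and rule IDs are constructed.

```python
from collections import defaultdict

MAX_RULES = 350  # page guidance: fewer than 350 rules assigned per computer

# Constructed inventory: rule IDs a recommendation scan suggested per computer.
COMMON = set(range(1, 41))  # 40 rules recommended on every computer
RECOMMENDED = {
    "win-iis-01": (("windows", "iis"), COMMON | set(range(1000, 1200))),
    "win-iis-02": (("windows", "iis"), COMMON | set(range(1000, 1190))),
    "lnx-web-01": (("linux", "apache"), COMMON | set(range(2000, 2180))),
    "lnx-db-01": (("linux", "mysql"), COMMON | set(range(3000, 3090))),
}


def policy_rules(members):
    """Rules a policy must carry: the union of its members' recommendations."""
    return set().union(*(RECOMMENDED[m][1] for m in members))


def audit(policies):
    """Map policy name -> (rules each agent receives, True if not under MAX_RULES)."""
    report = {}
    for name, members in policies.items():
        count = len(policy_rules(members))
        report[name] = (count, count >= MAX_RULES)
    return report


def surplus(policies):
    """Map computer -> rules it receives that were not recommended for it."""
    return {m: len(policy_rules(members) - RECOMMENDED[m][1])
            for members in policies.values() for m in members}


def split_by_profile(computers):
    """Group computers so each policy covers one OS/application profile."""
    groups = defaultdict(list)
    for name in computers:
        groups["-".join(RECOMMENDED[name][0])].append(name)
    return dict(groups)


if __name__ == "__main__":
    broad = {"all-servers": list(RECOMMENDED)}
    granular = split_by_profile(RECOMMENDED)
    for label, policies in (("broad", broad), ("granular", granular)):
        print(label, audit(policies), surplus(policies))
```

With the constructed data, one shared policy pushes 510 rules to every agent, while one policy per OS and application profile keeps each agent under the 350-rule guidance.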