This is a little older information - but, still would hold true --->
Currently, on the E-mail Security Appliance, the maximum scan size for IPAS is limited to 128K by default (the original default was 256K so many older appliance might have this set as the limit). Messages larger than this limit are not scanned by IPAS. Recently, Cisco IronPort did some extensive performance and efficacy testing on an average message load to determine the impact of increase scanning size on the E-mail Security Appliance.
The tests show that when raising the maximum scan size for IPAS the increase in efficacy is significant: a 256K maximum scan size yields a 24% decrease in missed spam, and a 512K maximum scan size yields a decrease of 35% in missed spam. However, there is a potential performance impact of 24% when going from a maximum scan size of 128K to 512K (depending on the type of hardware platform). The impact of going from a maximum scan size of 128K to 256K is 12%. See summary below:
128K -> 256K scan size limit:
12% possible performance reduction, 24% reduction in missed spam
128K -> 512K scan size limit:
24% possible performance reduction, 35% reduction in missed spam
Below table show the performance results of a medium mailbox with a 50:50 ratio of spam and ham. MPS is messages per second.
| 128K (Baseline) MPS | 256K/ MPS | % diff with baseline | 512K/ MPS | % diff with baseline | 768K/ MPS | % diff with baseline | 1M/ MPS | % diff with baseline | C100 | 3.45 | 3.1 | 10.14% | 2.93 | 15.07% | 2.82 | 18.26% | 2.75 | 20.29% | C150 | 5.25 | 4.72 | 10.10% | 4.4 | 16.19% | 4.4 | 16.19% | 4.27 | 18.67% | C160 | 12.5 | 11.1 | 11.20% | 10.4 | 16.80% | 9.99 | 20.08% | 9.79 | 21.68% | C300 | 4.42 | 4.08 | 7.69% | 3.87 | 12.44% | 3.74 | 15.38% | 3.67 | 16.97% | C350 | 11.8 | 10.5 | 11.02% | 9.94 | 15.76% | 9.55 | 19.07% | 9.39 | 20.42% | C360 | 30 | 27 | 10.00% | 25 | 16.67% | 24 | 20.00% | 24 | 20.00% | C370 | 29 | 26 | 10.34% | 23 | 20.69% | 22 | 24.14% | 22 | 24.14% | C600 | 8.8 | 7.86 | 10.68% | 7.46 | 15.23% | 7.17 | 18.52% | 7.06 | 19.77% | C650 | 25 | 22 | 12.00% | 20 | 20.00% | 19 | 24.00% | 19 | 24.00% | C660 | 43 | 38 | 11.63% | 35 | 18.60% | 33 | 23.26% | 33 | 23.26% | X1000 | 11.3 | 10.1 | 10.62% | 9.61 | 14.96% | 9.27 | 17.96% | 9.12 | 19.29% | X1050 | 45 | 40 | 11.11% | 37 | 17.78% | 35 | 22.22% | 35 | 22.22% | X1060 | 51 | 45 | 11.76% | 41 | 19.61% | 40 | 21.57% | 39 | 23.53% | X1070 | 59 | 52 | 11.86% | 48 | 18.64% | 46 | 22.03% | 45 | 23.73% |
|
Recommendation and Performance measure:
The Cisco IronPort Security Applications Group recommends that all customers review their current stability and performance (see below for some tips on how to measure this) to determine if they can safely raise the maximum scan size for messages sent to IPAS (IronPort Anti-Spam Engine). It is also recommend that you take a phased approach to the increase. If maximum scan size for IPAS on your E-mail Security Appliance is currently set to 128K (131072), then first raise the maximum scan size to 256K (262144) and re-evaluate your stability and performance. If everything is stable then increase the scan size limit to 512K (524288).
Performance of an E-mail Security Appliance depends on the set of features enabled on the appliance such as anti-spam, anti-virus, message filters and content filters along with the load of the appliance based on the no. of msgs/sec scanned and maximum size of a message allowed.
The most effective way to monitor system capacity is to track overall volume, messages in the work queue and incidents of Resource Conservation Mode. The System Capacity page under Monitor > System Capacity provides a detailed representation of the system load, including messages in the work queue, average time spent in the work queue, incoming and outgoing messages (volume, size, and number), overall CPU usage, CPU usage by function, and memory page swapping information.
The System Capacity - system load report shows the overall CPU usage on your IronPort appliance. AsyncOS is optimized to use idle CPU resources to improve message throughput. High CPU usage may not indicate a system capacity problem. If the high CPU usage is coupled with consistent, high-volume memory page swapping, you may have a capacity problem.
This page also shows a graph that displays the amount of CPU used by different functions, including mail processing, spam and virus engines, reporting, and quarantines. The CPU-by-function graph is a good indicator of which areas of the product use the most resources on your system. If you need to optimize your appliance, this graph can help you determine which functions may need to be tuned or disabled. The memory page swapping graph shows how frequently the system must page to disk.
If stability and performance does drop below acceptable limits, you might try a smaller increase. Any amount greater than the current setting will help efficacy and reduce missed spam. For instance, if 512K proves to be too much of a burden on your E-mail Security Appliance you might try a value of 384K (393216).
Hope this helps!
-Robert
(*If you have received the answer to your original question, and found this helpful/correct - please mark the question as answered, and be sure to leave a rating to reflect!)
