Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
728
Views
5
Helpful
1
Replies

IPS CPU Usage

Go to solution
Bethuelle
Level 1
Level 1

‎08-05-2011 04:04 AM - edited ‎03-10-2019 05:26 AM

Hi,

Does the number of enabled signatures have an impact on the CPU usage?

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Dustin Ralich
Cisco Employee
Cisco Employee

‎08-09-2011 05:35 AM 

Does the number of enabled signatures have an impact on the CPU usage?

Short answer: Yes. Long answer: It depends on signatures' status combination, configured Action(s), frequency of being matched, etc.

  • Enabled and Active: Signature consumes both CPU and memory, if matched, configured Action(s) will be taken. Overall, this status has the most potential for resource usage.

  • Disabled and Active: Signature consumes both CPU and memory, if matched, configured Action(s) will NOT be taken. This status technically will result in less resource usage (variable) since Actions will not have to be generated/taken.

  • Disabled and Retired: Signature does not consume CPU or memory, and will not be used in inspection towards matching. This status will of course result in the least resource usage.

Overall, if you are simply testing/troubleshooting, you can Enable/Disable a signature, but if you plan on leaving it Disabled long-term, you should also Retire it to free up resources and improve sensor performance. The act of Retiring (or un-Retiring) a signature is itself a resource-intensive task for the sensor as its match/state tables have to be re-compiled, but once that completes the above status notes apply.

View solution in original post

1 Reply 1

Go to solution
Dustin Ralich
Cisco Employee
Cisco Employee

‎08-09-2011 05:35 AM 

Does the number of enabled signatures have an impact on the CPU usage?

Short answer: Yes. Long answer: It depends on signatures' status combination, configured Action(s), frequency of being matched, etc.

  • Enabled and Active: Signature consumes both CPU and memory, if matched, configured Action(s) will be taken. Overall, this status has the most potential for resource usage.

  • Disabled and Active: Signature consumes both CPU and memory, if matched, configured Action(s) will NOT be taken. This status technically will result in less resource usage (variable) since Actions will not have to be generated/taken.

  • Disabled and Retired: Signature does not consume CPU or memory, and will not be used in inspection towards matching. This status will of course result in the least resource usage.

Overall, if you are simply testing/troubleshooting, you can Enable/Disable a signature, but if you plan on leaving it Disabled long-term, you should also Retire it to free up resources and improve sensor performance. The act of Retiring (or un-Retiring) a signature is itself a resource-intensive task for the sensor as its match/state tables have to be re-compiled, but once that completes the above status notes apply.

Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card