Vsys Cpu Limit Overview - Juniper NETWORK AND SECURITY MANAGER 2010.4 - CONFIGURING SCREENOS DEVICES GUIDE REV 01 Manual


Vsys CPU Limit Overview

Copyright © 2010, Juniper Networks, Inc.

Related Documentation
Vsys DHCP Enhancement Overview on page 355
Vsys Limitations Overview on page 356
Vsys Clusters Overview on page 378
Vsys Session Limit Overview on page 358
Vsys CPU Limit Overview on page 359
Example: Configuring Vsys Resource Limits (NSM Procedure) on page 357

By default, virtual systems within a single security system share the same CPU resources. It is possible for one virtual system (vsys) to consume excess CPU resources at the expense of other virtual systems.

For example, if one virtual system, within a security system that houses 20 virtual systems, experiences a DoS attack that consumes all of the CPU resources, the CPU is unable to process traffic for any of the other 19 virtual systems. In essence, all 20 virtual systems experience the DoS attack. CPU overutilization protection, also known as the CPU limit feature, is intended to protect against this.

Overutilization protection allows you to configure the security device for "fair use," or fair mode, as opposed to "shared use," or shared mode. To enable a fairer distribution of processing resources, you can assign a flow CPU utilization threshold to trigger a transition to fair mode, and you can choose a method for transition back to shared mode. By default, the security device operates in shared mode.

To enforce fair use, you assign a CPU weight to each vsys that you configure. ScreenOS uses these weights, relative to the weights of all virtual systems in the security device, to assign time quotas proportional to those weights. ScreenOS then enforces the time quotas over one-second intervals. This means that as long as a vsys does not exceed its time quota over that one-second period and the firewall is not too heavily loaded, no packets for that vsys should be dropped.

NOTE: The CPU overutilization protection feature is independent of the session limits imposed by a vsys profile.

As system administrator, you determine how much traffic passes through a given vsys in fair mode by setting its CPU weight in relation to that of other virtual systems.

You must identify any anticipated burstiness while the security system is in fair mode, and then choose the CPU weight for each vsys appropriately so that bursts pass through the security system. We recommend verifying that adverse packet dropping does not occur with the chosen weights prior to deployment. With this feature, you can also ensure a fixed CPU weight for the root vsys.
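
The weight-to-quota arithmetic and the burst check described above can be worked through with a small planning model. This is an added example, not code from the guide or from ScreenOS. It assumes a simplified scheduler: shared mode splits an oversubscribed CPU in proportion to demand, fair mode serves each vsys up to its quota, and the threshold is a percentage. All function names and sample figures are constructed for illustration.

```python
# Simplified planning model of vsys CPU fair mode; not the ScreenOS scheduler.
INTERVAL_MS = 1000  # the guide: time quotas are enforced over one-second intervals


def quotas(weights):
    """Per-vsys time quota (ms per interval), proportional to CPU weight."""
    total = sum(weights.values())
    return {v: INTERVAL_MS * w / total for v, w in weights.items()}


def shared_mode(demand):
    """One shared pool. Assumption: when oversubscribed, CPU time is split in
    proportion to demand, so a flooded vsys crowds out the others."""
    total = sum(demand.values())
    scale = min(1.0, INTERVAL_MS / total) if total else 1.0
    return {v: d * scale for v, d in demand.items()}


def fair_mode(weights, demand):
    """Each vsys is served up to its own quota; demand above it is dropped."""
    q = quotas(weights)
    return {v: min(d, q[v]) for v, d in demand.items()}


def allocate(weights, demand, threshold_pct):
    """Choose the mode from the flow CPU utilization threshold, then allocate."""
    util = min(100.0, 100.0 * sum(demand.values()) / INTERVAL_MS)
    if util >= threshold_pct:
        return "fair", fair_mode(weights, demand)
    return "shared", shared_mode(demand)


def dropping(weights, burst_demand):
    """Vsys names whose anticipated burst exceeds their fair-mode quota."""
    q = quotas(weights)
    return sorted(v for v, d in burst_demand.items() if d > q[v])


# Constructed sample: 20 vsys with equal weight; vsys1 is under a DoS flood.
WEIGHTS = {f"vsys{i}": 10 for i in range(1, 21)}
DEMAND = {v: 30.0 for v in WEIGHTS}   # ms of flow CPU wanted per second
DEMAND["vsys1"] = 5000.0              # the flood wants five times the whole CPU

if __name__ == "__main__":
    print("shared, vsys2 served ms:", round(shared_mode(DEMAND)["vsys2"], 2))
    mode, served = allocate(WEIGHTS, DEMAND, 80)
    print(mode, "vsys1:", served["vsys1"], "vsys2:", served["vsys2"])
    print("would drop in fair mode:", dropping(WEIGHTS, DEMAND))
```

Running `dropping()` against each vsys's expected peak demand before deployment shows which weights are too low for the anticipated bursts.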
Chapter 11: Virtual Systems