When the CF5000 has a high resource load it may show one of the following symptoms,
1. The eventlog has tcp regulation messages in it:
2011-12-21 20:44:13+03:00AST "TCP connection regulation last 300 sec: dropped 0, bypassed 3571" 0 0:78 tcp_reg.cpp:124
2. The eventlog has disk events such as the following:
2011-12-10 22:12:07+03:00AST "Warning, a write episode on disk 8 has stalled after 61 seconds. This is usually because the disk is overloaded. Last IO status was (0,0)." 0 48023:64 ced.cpp:1816
3. The eventlog has memory regulation events in it.
One possible issue is that the Cflow is deployed such that it is "open" to the internet. That is anyone on the internet can configure their browser to explicitly proxy to the "open" proxy. You can detect if this is the case by using telnet to connect to port 80 or port 8080 on the Cflow in question(from the internet):
telnet <ip address of cflow> 80
telnet <ip address of cflow> 8080
If telnet can connect to the cflow on either of these ports the proxy is open to the internet. This means anyone on the internet can connect to the proxy and consume its resources.
To prevent this from happening, there are two possible solutions:
1. Policy can be written to deny access to source subnets that are not in the client subnets.
2. The router/load balancer sending traffic to the proxy can be configured to only send traffic that is in the client subnets.
Solution 2 is the preferred solution, since it will consume few resources of the cflow.