Websense hotfix #59 significantly improves the performance of Network Agent


Article ID: 168114


Products

XOS

Issue/Introduction

* For Internal and PARTNER/CASP Distribution Only

Under a load between 6,000 and 9,000 packets per second, Network Agent on a single VAP showed a higher-than-expected miss block rate, with CPU usage at approximately 30% during peak hours. This results in lower packet-per-second filtering and analysis by the Websense Web Security Suite. During this high-load scenario, content filtering opportunities could be missed, resulting in some content that should be blocked getting through.

Cause

The released version of Network Agent with Websense Web Security Suite 6.3.2 does not handle high packet rates efficiently.

Resolution

Apply Websense hotfix #59, entitled "Unexpectedly high number of Network Agent dropped packets on Linux", to each VAP in a Websense Web Security Suite VAP group. See the readme.txt in the hotfix for instructions. With this hotfix, Network Agent on a VAP can handle 13,000 packets per second with a miss block rate of less than 1%. The hotfix can be downloaded from the Websense support site: http://www.mywebsense.com.

Workaround

XOS IP flow rules can be crafted to send only monitored ports and protocols, such as HTTP, HTTPS, or FTP, to the VAP group. This reduces the amount of excess traffic analyzed by Network Agent.

For example, to send only TCP port 80 (HTTP) traffic to the VAP group, use the following ip-flow-rule:

    ip-flow-rule http_only
        action load-balance
        destination-port 80 80
        activate

See the Configuring Flow Provisioning chapter in the XOS Configuration Guide for more details.