Network Latency for traffic sent through Inline EDR scanners with large number of Policy entries

Article ID: 205995

Products

Advanced Threat Protection Platform Endpoint Detection and Response

Issue/Introduction

Users observe slow browsing. Network administrators observe network latency of 500ms-800ms between the proxy and the network switch.

The only device between these two interfaces is the Endpoint Detection and Response (EDR) network scanner appliance.

- Packet captures show a delay of more than a second between the time an ICMP ping arrives on one Ethernet port of the EDR appliance and the time the same ping is sent out of the bridged Ethernet port of the appliance.
- When the scanning feature is disabled in the UI, Settings > Appliances shows the scanner as Disabled. However, the status_check CLI command on the scanner shows that the file_inspection process is still running.

Cause

More than 16,000 policy entries (blacklist/whitelist, i.e. Allow/Deny) are configured.

Environment

  • EDR appliance scanner 4.x, or
  • ATP appliance scanner 3.x

Resolution

The network scanners of the Endpoint Detection and Response (EDR) appliance support up to 16,000 policy entries.

Reduce the number of Allow and Deny entries so that the combined total of the two lists is no more than 16,000.