Points to note when using 15.1X49-D105.1

On the vSRX version above, which operates under the Firewall (vSRX) menu, it has been confirmed that the CPU load tends to become high when the following functions, which are handled by the control plane(*1), are executed. Verification by the Service Provider confirmed that even when these functions raise the CPU usage rate of the control plane, communications (user traffic) processed by the CPU of the data plane(*2) are not affected; the verification also shows how far the CPU values rise. For details, see the following. When using these functions, the customer is strongly recommended to carry out design and verification with adequate consideration of the control plane CPU usage rate and the impact on communications.

| Functions | Conditions | Points to note | Details |
|---|---|---|---|
| COMMIT | From command execution to processing completion | None | CPU values and impact on communications following COMMIT command execution |
| REST API | From command execution to acknowledge return | Avoid sequential executions, and use at an interval of 30 seconds to 1 minute. | CPU values and impact on communications following REST API execution |
| SYSLOG | When a great deal of traffic logs (several hundreds per second) are written | When using [event] mode, reduce the volume of traffic logs written. Also consider logging in [stream] mode. | CPU values and impact on communications when writing and transmitting SYSLOGs |
| Inter-site IPsec tunnel | Until connection completion when connection requests are made simultaneously by multiple sites | Take measures such as the following: increasing the number of sites gradually; decreasing the number of sites; making IPsec connections through multiple vSRXs. | CPU values and points to note when establishing a tunnel between IPsec sites |
| File transfer using SCP | File upload/download in progress | None | CPU values and impact on communications during file transfer using SCP |
| Log acquisition using the RSI (Request Support Information) command | From command execution to completion | None | CPU values and impact on communications following RSI (Request Support Information) command execution |
| FQDN filtering | When the DNS information held by the device is cleared while more than several hundreds of FQDN filters are set | Take measures such as the following: decreasing the number of FQDN rules; not executing the command that clears the DNS cache in succession. | CPU values and impact on communications with respect to FQDN filtering settings |
| SNMP trap | When one or more SNMP traps are transmitted per second | Decrease the number of the target SNMP traps. | CPU values and points to note when transmitting SNMP traps |
| SNMP polling | When a great deal of values are retrieved at a time by external SNMP polling (SNMPwalk command) | For example, narrow the OID scope to some degree when executing the SNMPwalk command, or use the SNMPget command. | CPU values and impact on communications following SNMP polling execution |
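
One way an automation client can enforce the REST API interval recommended above, shown as an added example that is not part of the original page or of any vendor tooling. `PacedRestQueue`, the device names and the callables are hypothetical. It assumes the interval is measured from the previous call's acknowledge, and it goes slightly beyond the page by pacing each vSRX separately, on the assumption that each device has its own control plane.

```python
import time

MIN_INTERVAL_S = 30.0  # lower bound of the page's "30 seconds to 1 minute"


class PacedRestQueue:
    """Hypothetical client-side queue: REST calls to the same vSRX start at
    least `min_interval` seconds after the previous call to it returned."""

    def __init__(self, min_interval=MIN_INTERVAL_S,
                 clock=time.monotonic, sleep=time.sleep):
        if min_interval < MIN_INTERVAL_S:
            raise ValueError("interval below the recommended 30 seconds")
        self._min_interval = min_interval
        self._clock, self._sleep = clock, sleep
        self._last_ack = {}   # device -> time its last call returned
        self._pending = []    # (device, zero-argument callable), FIFO

    def submit(self, device, call):
        self._pending.append((device, call))

    def run(self):
        """Drain the queue; return [(device, start_time, result), ...]."""
        log = []
        while self._pending:
            now = self._clock()
            ready, soonest = None, None
            # First queued call whose device has rested long enough wins,
            # which keeps per-device order and lets other devices interleave.
            for i, (device, _) in enumerate(self._pending):
                ready_at = (self._last_ack.get(device, float("-inf"))
                            + self._min_interval)
                if ready_at <= now:
                    ready = i
                    break
                soonest = ready_at if soonest is None else min(soonest, ready_at)
            if ready is None:
                self._sleep(soonest - now)
                continue
            device, call = self._pending.pop(ready)
            try:
                result = call()
            finally:
                # A failed call still loaded the control plane: pace after it too.
                self._last_ack[device] = self._clock()
            log.append((device, now, result))
        return log
```

The `clock` and `sleep` parameters exist so the pacing can be checked with a simulated clock before the queue is pointed at a real device.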