Forum Discussion
ryan_126547
Nimbostratus
Feb 28, 2013
ASM causing high CPU on bigip 3600 ltm
Hi all!
We are experiencing high CPU levels on both cores of our BigIP 3600 ltm platform after we applied the only security policy on our ASM to the http class profile on our VIPs. We are trying...
Mike_Maher
Nimbostratus
Mar 01, 2013
Ryan,
So to your first post, I have heard that Data Guard is a performance hog. I am not sure why, and I have not been able to find anything in particular that discusses it, but I have seen it somewhere that you will take a performance impact by having it on.
Now to the 2nd part of that post: turning off Data Guard does not invalidate ASM; it is one feature within the vast protection types that ASM offers. The majority of the protection comes from a soundly designed application policy, by locking down input to the application/service through URLs, Parameter, and Parameter Value validation in conjunction with Attack Signatures. I personally do not use Data Guard and I run over 20 application policies, not because of the performance impact but because I don't have a scenario where it is necessary, since it is essentially just an obfuscation technique.
In my opinion the nice thing about ASM is that it offers the ability to customize protection levels per application based upon the risk level of the application and the end user needs.
I do run DoS protection on a few applications and have seen no significant performance hit for that.
So my 3900s are dedicated ASMs. I do not run LTM on that device, as I have them in front of and behind the ASMs and they are much bigger boxes; this was done mostly for separation of rights and duties, not performance. So basically I have an LTM that load balances connections to one of two 3900 ASMs, which then send traffic to the same or another LTM to LB to a server pool.
On each of those 3900s I see an average of 20 - 25mbps, with spikes to about 40 occasionally, 15 - 25% CPU and 45-50% memory usage; again, that is per 3900. I run 20 - 25 applications/services through these, which equals roughly 65 policies with varying degrees of security.