
mnb_63148 (Nimbostratus)
May 13, 2014

Does clone pooling affect performance?

We have been asked by our security team to enable X-forwarded-for as a default for the HTTP profile as well as enable clone pooling for all URLs on the LTMs.

  1. Are there any performance issues that I should be concerned about regarding clone pooling? Does it cause an increased demand on system resources? Are you aware of any issues that could occur with customer traffic as a result of enabling clone pooling?

  2. We have enabled x-forwarded-for in the past for specific URLs. We are now being asked to enable it for all URLs. Are you aware of any issues caused by enabling x-forwarded-for?

The LTMs are on version 9.4.7 (which will be upgraded over the next few months).

Thanks.

5 Replies

  • Are there any performance issues that I should be concerned about regarding clone pooling? Does it cause an increased demand on system resources? Are you aware of any issues that could occur with customer traffic as a result of enabling clone pooling?

    Haven't done an immense amount of performance testing with clone pools enabled, but considering that it's basically like a port mirror, there should be negligible performance impact. Understand of course that because it's mirroring traffic at such a low level in the stack, if your incoming and/or outgoing data is encrypted (i.e. HTTPS), then your cloned traffic will also be encrypted.

    We have enabled x-forwarded-for in the past for specific URLs. We are now asked to enable it for all URLs. Are you aware of any issues caused by enabling x-forwarded-for?

    It's basically just a header insert, so the only performance consideration I can think of is the additional few bytes of header information placed on the wire. How any given application may handle that header is completely independent of proxy performance.

  • Enabling X-forwarded-for in the HTTP profile will just insert a header. Not resource intensive at all. It won't cause any issues by enabling it. It'll only enable functionality at the server level if the application is configured to look at that header.

    Adding a clone pool to your virtual servers could generate a lot of additional traffic, depending on how you are going to do it. The amount of traffic you'll be cloning could be significant if there's a large volume of traffic going through your appliance. Will you be cloning just client side traffic, just server side traffic, or both?

    I guess the question really is what level of resource utilization are you at now in terms of CPU and memory usage?

    • mnb_63148 (Nimbostratus):
      Thanks, Cory and Kevin. For X-forwarded-for traffic, my concern would be in how the app handles it. I haven't seen any application issues yet using it in the past, but wasn't sure if it could potentially cause an application issue. The LTMs that get hit the most in terms of traffic are 6400s. CPU 0 fluctuates between 50-70% on average. Sometimes it spikes to the 90% range. CPU 1 is at 0. I think the security team wants server side traffic.

    • Cory_50405 (Noctilucent):
      Another thing to consider is link saturation. Depending on which interface is used to clone traffic to an IDS/IPS (if not a separate interface from normal production traffic), you could impact applications. As Kevin points out, the cloning of traffic shouldn't cause much of a resource burden on the BIG-IP. Adding in an X-forwarded-for header has never broken any application that I'm aware of. It either just goes unused or the application is configured to use it in some way.
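The replies above agree that inserting X-Forwarded-For is harmless to the LTM and only matters if the application reads the header. The part that does matter on the application side is that the header is only trustworthy when it was set by the proxy in front of the app; a client can send its own X-Forwarded-For, so an app that blindly takes the first value for logging or access control can be fed a forged address. The following is an added example, not code from the thread or from F5: it resolves the client address by walking the header from the right and skipping addresses that belong to the trusted proxies. The proxy range 10.0.0.0/24 and all sample addresses are constructed for the example.

```python
"""Resolve the real client IP from X-Forwarded-For behind a trusted proxy.

Added example (not from the forum thread). TRUSTED_PROXIES is a constructed
placeholder for the load balancer self-IPs that are allowed to set the header.
"""
import ipaddress
from typing import Iterable, Optional

# Constructed for this example: the only peers whose X-Forwarded-For we believe.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/24")]


def _parse_ip(addr: str):
    """Return an ip_address object, or None if the token is not a valid IP."""
    try:
        return ipaddress.ip_address(addr)
    except ValueError:
        return None


def _is_trusted(addr: str, trusted: Iterable) -> bool:
    """True if addr is a valid IP inside one of the trusted proxy networks."""
    ip = _parse_ip(addr)
    return ip is not None and any(ip in net for net in trusted)


def client_ip(remote_addr: str, xff_header: Optional[str],
              trusted: Iterable = TRUSTED_PROXIES) -> str:
    """Return the address the application should treat as the client.

    remote_addr: the TCP peer address (the LTM, when the app sits behind it).
    xff_header:  the raw X-Forwarded-For value, or None when absent.

    Rules:
      * If the peer is not a trusted proxy, ignore X-Forwarded-For entirely;
        anyone could have written it.
      * Otherwise walk the comma-separated chain from the right (the proxy
        appends on the right) and return the first hop that is not a trusted
        proxy. Anything the client prepended on the left is never reached.
      * If the chosen hop is not a valid IP, fall back to the peer address.
    """
    if not _is_trusted(remote_addr, trusted) or not xff_header:
        return remote_addr

    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    for hop in reversed(hops):
        if _is_trusted(hop, trusted):
            continue  # another proxy we own; keep walking left
        return hop if _parse_ip(hop) is not None else remote_addr
    return remote_addr  # every hop was one of our proxies


if __name__ == "__main__":
    # Constructed requests: (peer address, X-Forwarded-For header value)
    samples = [
        ("10.0.0.1", "203.0.113.5"),                  # normal case
        ("10.0.0.1", "198.51.100.9, 203.0.113.5"),    # client forged a left-hand value
        ("10.0.0.1", "203.0.113.5, 10.0.0.2"),        # two of our proxies in the path
        ("198.51.100.7", "203.0.113.5"),              # peer is not a proxy: header ignored
        ("10.0.0.1", "unknown"),                      # unparsable token
        ("10.0.0.1", None),                           # header absent
    ]
    for peer, xff in samples:
        print(f"peer={peer:<14} xff={xff!s:<28} -> client={client_ip(peer, xff)}")
```

The second sample is the one worth noting for the security team: if a client already sent an X-Forwarded-For header and the proxy appends to it, the forged address ends up on the left and the walk-from-the-right rule still returns the real client. The fourth sample shows that when the application is reachable without going through the load balancer, the header is ignored rather than trusted.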