Forum Discussion
mnb_63148
Nimbostratus
NimbostratusDoes clone pooling affect performance?
We have been asked by our security team to enable X-forwarded-for as a default for the HTTP profile as well as enable clone pooling for all urls on the LTMs.
Are there any performance issues ...
Cory_50405
Noctilucent
NoctilucentEnabling X-forwarded-for in the HTTP profile will just insert a header. Not resource intensive at all. It won't cause any issues by enabling it. It'll only enable functionality at the server level if the application is configured to look at that header.
Adding a clone pool to your virtual servers could generate a lot of additional traffic, depending on how you are going to do it. The amount of traffic you'll be cloning could be significant if there's a large volume of traffic going through your appliance. Will you be cloning just client side traffic, just server side traffic, or both?
I guess the question really is what level of resource utilization are you at now in terms of CPU and memory usage?
mnb_63148Thanks, Cory and Kevin. For X-forwarded-for traffic, my concern would be in how the app handles it. I haven't seen any application issues yet using it in the past, but wasn't sure if it could potentially cause an application issue. The LTMs that get hit the most in terms of traffic are 6400s. CPU 0 fluctuates between 50-70% on average. Sometimes it spikes to the 90% range. CPU 1 is at 0. I think the security team wants server side traffic.- Cory_50405Another thing to consider is link saturation. Depending on which interface is used to clone traffic to an IDS/IPS (if not a separate interface from normal production traffic), you could impact applications. As Kevin points out, the cloning of traffic shouldn't cause much of a resource burden on the BIG-IP. Adding in an X-forwarded-for header has never broken any application that I'm aware of. It either just goes unused or the application is configured to use it in some way.
- mnb_63148Thanks!
