Performance Profile

The performance profile determines how the CPU cores on the device are assigned to two of the main system processes: the data plane (Lina) and Snort. The data plane handles VPN connections, routing, and other basic layer 3/4 processing. Snort provides advanced inspection, including intrusion and malware prevention, URL filtering, application filtering, and other features that require deep packet inspection.

If you use a balance of basic and advanced features, do not change the performance profile. The system is designed to provide a balanced assignment of cores to these processes. The assignment differs based on the hardware model.

However, if you use the device primarily for VPN, or for intrusion and other advanced inspection, you can skew the performance profile so that more cores are assigned to the more heavily used features. This might improve system performance.

Before you begin

  • These settings apply to systems running release 7.3+ only.

  • Performance profile is supported on the following device types:

    • Firepower 4100/9300

    • Secure Firewall 3100/4200 (7.4+)

    • Secure Firewall Threat Defense Virtual

  • Changing the performance profile is not supported on units in a cluster or high-availability group, or those configured for multi-instance. Deployment is blocked if you assign the profile to anything but standalone devices.

  • The minimum number for core allocation is 2. Cores are assigned in even numbers based on the selected performance profile.

Procedure


Step 1

Choose Devices > Platform Settings and create or edit the threat defense policy.

Step 2

Select Performance Profile.

Step 3

Select a profile:

  • Default—This is the recommended setting and is the best option if you configure both VPN and intrusion inspection.

  • VPN Heavy with prefilter fastpath—If you primarily use the device as a VPN endpoint or headend, and you configure rules in the prefilter policy to fastpath VPN traffic, you can choose this option to assign the majority of CPU cores to the data plane. The allocation is 90% data plane, 10% Snort.

  • VPN Heavy with inspection—If you primarily use the device as a VPN endpoint or headend, but do not use the prefilter policy to fastpath VPN traffic, you can choose this option to assign the majority of CPU cores to the data plane. This option assumes that you leave intrusion inspection, URL filtering, and other advanced functions that use Snort, to a different device in the network. The allocation is 60% data plane, 40% Snort.

  • IPS Heavy—If you do not configure VPN, but you do use the device for intrusion prevention, you can choose this option to assign the majority of CPU cores to the Snort process. The allocation is 30% data plane, 70% Snort.

Step 4

Click Save.

Step 5

Deploy the policy.

Step 6

After deployment completes, you must reboot each affected device so that the new core assignments can be made.
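
Because deployment is blocked for anything but eligible standalone devices, it can help to screen the devices a shared platform settings policy targets before you assign a non-default profile. The following Python sketch is an added example, not Cisco code: it applies the "Before you begin" constraints to an inventory whose field names (`series`, `version`, `cluster`, `ha`, `multi_instance`) and sample devices are hypothetical and constructed for illustration.

```python
# Added example: pre-flight check of the "Before you begin" constraints.
# Inventory field names and the sample devices are hypothetical/constructed.

# Minimum release per supported series, as listed under "Before you begin".
MIN_RELEASE = {
    "Firepower 4100": (7, 3),
    "Firepower 9300": (7, 3),
    "Secure Firewall 3100": (7, 4),
    "Secure Firewall 4200": (7, 4),
    "Threat Defense Virtual": (7, 3),
}

def parse_release(version):
    """Turn '7.4.1' into (7, 4); only major.minor matter for this check."""
    major, minor = version.split(".")[:2]
    return int(major), int(minor)

def profile_blockers(device):
    """Return reasons a non-default profile cannot be deployed (empty = OK)."""
    reasons = []
    minimum = MIN_RELEASE.get(device["series"])
    if minimum is None:
        reasons.append("series not in supported list")
    elif parse_release(device["version"]) < minimum:
        reasons.append(f"requires release {minimum[0]}.{minimum[1]}+")
    # Only standalone devices are accepted; each of these blocks deployment.
    for flag, label in (("cluster", "cluster member"),
                        ("ha", "high-availability member"),
                        ("multi_instance", "multi-instance")):
        if device.get(flag):
            reasons.append(label)
    return reasons

# Constructed sample inventory (not real devices).
INVENTORY = [
    {"name": "vpn-hub-1", "series": "Secure Firewall 3100", "version": "7.4.1"},
    {"name": "vpn-hub-2", "series": "Secure Firewall 3100", "version": "7.3.0"},
    {"name": "ips-edge-1", "series": "Firepower 4100", "version": "7.3.1", "ha": True},
    {"name": "ftdv-lab", "series": "Threat Defense Virtual", "version": "7.2.5"},
    {"name": "branch-1", "series": "Firepower 1000", "version": "7.4.0"},
]

def preflight(inventory):
    """Map each device name to its list of blockers."""
    return {d["name"]: profile_blockers(d) for d in inventory}

if __name__ == "__main__":
    for name, reasons in preflight(INVENTORY).items():
        print(f"{name}: {'OK' if not reasons else 'BLOCKED: ' + ', '.join(reasons)}")
```

Devices that pass the check still need the reboot in Step 6 before the new core assignment takes effect.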