Configure a performance profile

Configure the performance profile to control how CPU cores are allocated between the data plane and Snort processes on supported devices. You can use this setting to optimize device performance for VPN, to improve intrusion prevention, or to balance the workload.

The performance profile determines how the CPU cores on the device are assigned to two of the main system processes: the data plane (Lina) and Snort. The data plane handles VPN connections, routing, and basic layer 3/4 processing. Snort provides advanced inspection for intrusion and malware prevention, URL filtering, application filtering, and other deep packet inspection features.

If you use both basic and advanced features, keep the performance profile unchanged. The system is designed to provide a balanced assignment of cores to these processes. This assignment differs based on the hardware model.

However, if you use the device primarily for VPN, or for intrusion and other advanced inspection, you can skew the performance profile so that more cores are assigned to the more heavily used features. This change can improve system performance.

Before you begin

  • These settings apply to systems running release 7.3+ only.

  • Performance profile is supported on these device types:

    • Firepower 4100/9300

    • Secure Firewall 3100/4200 (7.4+)

    • Secure Firewall 6100 (10.0+)

    • Secure Firewall Threat Defense Virtual

  • Changing the performance profile is not supported on units in a cluster or high-availability group, or those configured for multi-instance. Deployment is blocked if you assign the profile to anything but standalone devices.

  • The minimum number for core allocation is 2. Cores are assigned in even numbers based on the selected performance profile.

Procedure


Step 1

Choose Devices > Platform Settings and create or edit the Firewall Threat Defense policy.

Step 2

Select Performance Profile.

Step 3

Select a profile:

  • Default—This is the recommended setting and is the best option if you configure both VPN and intrusion inspection.

  • VPN Heavy with prefilter fastpath—If you primarily use the device as a VPN endpoint or headend, and you configure rules in the prefilter policy to fastpath VPN traffic, you can choose this option to assign the majority of CPU cores to the data plane. The allocation is 90% data plane, 10% Snort.

  • VPN Heavy with inspection—If you primarily use the device as a VPN endpoint or headend, but do not use the prefilter policy to fastpath VPN traffic, you can choose this option to assign the majority of CPU cores to the data plane. This option assumes that you leave intrusion inspection, URL filtering, and other advanced functions that use Snort to a different device in the network. The allocation is 60% data plane, 40% Snort.

  • IPS Heavy—If you do not configure VPN, but you do use the device for intrusion prevention, you can choose this option to assign the majority of CPU cores to the Snort process. The allocation is 30% data plane, 70% Snort.

Step 4

Click Save.

Step 5

Deploy the policy to apply your configuration.

Step 6

After deployment completes, reboot each affected device to apply the new core assignments.


After completing these steps, the device will use the selected performance profile and allocate CPU cores according to your configuration. The new core assignments take effect after you reboot the device.