PROXYSG PERFORMANCE
Thank you for joining today's Blue Coat Customer Support Technical Webcast!
• The Webcast will begin just a minute or so after the top of the hour to allow today's very large audience sufficient time to join
• You may join the teleconference through the numbers provided in your invite, or listen through your computer speakers
• Audio broadcast will only go live when the Webcast begins – there will be silence until then
• The Presentation will run approximately 60 minutes
• There will be a 30-minute Q/A session thereafter
Please submit questions using the Webex Q/A feature!
Blue Coat Confidential Copyright © 2014 Blue Coat Systems Inc. All Rights Reserved.

PROXYSG PERFORMANCE WEBCAST
PAUL KAO, Director Product Management, [email protected]
December 16, 2014

AGENDA
ProxySG Overview
• Architecture (SGOS, CW, SW, Policy checkpoints)
• System resources/metrics
Performance Model
Factors Impacting Performance
• Authentication, ICAP, Policy, SSL, misc.
Critical Resource Monitoring
• CPU, Memory, CW, network
Troubleshooting Performance Problems
• Baseline, CPU monitor, Policy trace, Sysinfo

PROXYSG OVERVIEW

SGOS OVERVIEW
SGOS is a secure, hardened and proprietary OS developed by Blue Coat to be robust and scalable at the highest levels of performance.
It is unlike other operating systems:
• Microkernel, message-passing architecture using an "admin" and "worker" model for processes
• Run-to-completion semantics
• Uses an object store (cache engine/cache admin); no file system, no directory structure
Policy is deeply integrated into SGOS
• Checkpoints at entry/exit of the proxy traffic flow evaluate the policy transaction
SGOS ARCHITECTURE
Client Worker (CW) – Processes the HTTP session between the SG and the client
Server Worker (SW) – Processes the HTTP session between the SG and the OCS (origin content server)
Retrieval Worker (RW) – Pipelines and keeps the content of the cache fresh
Specialized Worker – Handles a specific protocol, like streaming, CIFS, etc.

POLICY CHECKPOINTS
Example conditions and actions evaluated at the checkpoints:
server_url.domain=
client.address=
set(response.header.Set-Cookie, "x")
http.response.apparent_data_type=
• Workers provide the available information to policy
• The policy transaction is re-evaluated at each checkpoint
• Policy decisions are stored in a policy ticket

PROXYSG APPLIANCE PHYSICAL RESOURCES
Core appliance resources are:
• CPU, Memory, Disk, Network Interface
CPU
• No CPU throttling – the appliance continues to handle more load until it is at the CPU limit (assuming other resources are available). At this point, requests take longer to process, with longer transaction times.
Memory
• The Threshold Monitor (TM) engages at 80% memory pressure and goes into regulation, which limits HTTP acceptance to reduce the rate at which new incoming connections are processed.
Disk
• At high disk utilization, back-off mechanisms engage to maintain throughput at the expense of cache efficiency (disk reads/writes)
Network Interface
• An event log entry is triggered if the network interface is saturated (TCP livelock)
PROXYSG APPLIANCE METRIC: USER COUNT & CLIENT WORKER
The appliance has fixed CPU/Memory/Disk/Network resources
One additional metric – "Licensed Client IP"
• From a sizing perspective, "Licensed Client IP" is the maximum number of unique IPs that a given SG appliance should handle
• Usually, Client IP is synonymous with user/employee
Licensed Client IP
• A "soft" limit on HW appliances
• A "hard" limit on Virtual appliances
• Performance of appliances is constrained by the available number of HTTP/TCP-Tunnel "Client Workers" (CW) for processing
• Each appliance model has its own CW limit
The CW limit does not limit any other TCP session on the SG
The CW limit is only a count of active client-side sessions

PERFORMANCE MODEL
(diagram slides)

FACTORS IMPACTING PERFORMANCE
1. Client
2. Network deployment
3. Authentication mode
4. DNS, Content Filtering
5. ICAP REQMOD (DLP)
6. ICAP RESPMOD (CAS)
7. System services, logging
8. Policy
9. SSL

PERFORMANCE FACTORS 1. CLIENT

1. CLIENT SIDE
Client to SG connection (client side)
• Limited by HTTP/TCP-Tunnel CW
• User (client IP) is not an enforced metric. User is a model for sizing
• The CW limit does not include other TCP sessions (auth, ICAP, bypass, ...)
• Don't confuse the TCP-Tunnel proxy CW with the TCP connection limit!!!
S-Series hardware
• S-Series models – 5 connections per user (user = unique client IP)

Model     Users    Max CW
S200-10     400     2,000
S200-20   1,200     6,000
S200-30   2,600    13,000
S200-40   5,000    25,000
S400-20   6,000    30,000
S400-30  14,000    70,000
S400-40  25,000   125,000
S500-10  30,000   150,000
S500-20  50,000   250,000

Examples:
• Financial trader, 50 connections per user
• Kiosk, 1 connection per user

PERFORMANCE FACTORS 2. NETWORK DEPLOYMENT

2. NETWORK DEPLOYMENT
Network 101
• Link/duplex settings
WCCP
• GRE vs L2
• Set the MTU appropriately to avoid fragmentation with GRE
Physically Inline (bridging)
• Good for smaller sites
• At larger sites, significant non-web (bypass) traffic can consume network resources

PERFORMANCE FACTORS 3. AUTHENTICATION MODE

3. AUTHENTICATION
Evaluated at CI (Client In)
The choice of authentication mode can impact performance
• Explicit proxy with NTLM: the SG issues a 407 challenge for each connection
• IP Surrogate: after the initial authentication, the authentication cache is used
• Kerberos: credentials are validated without the need to contact the DC
NTLM does not scale well
• NTLM credentials cannot be cached and must be validated by the DC
• The default Windows configuration processes only one request at a time via Schannel
• Exacerbated by latency and load on the DC (SG-DC or SG-BCAA-DC)
Kerberos is preferred for scalability

PERFORMANCE FACTORS 4. DNS, CONTENT FILTERING
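The S-Series table above turns a user count into a Client Worker requirement: users times concurrent connections per user (5 by default, 50 for the trader example, 1 for the kiosk example), matched against the model's Max CW. The following script is an added example, not Blue Coat code or a Blue Coat sizing tool; it embeds the slide's table and applies that rule, flagging when the unique-IP count exceeds the "Users" figure the model was sized for (a soft limit on hardware, per the earlier slide). The function names, return shape and the headroom helper are this example's own assumptions.

```python
"""Client Worker (CW) sizing check for S-Series ProxySG models.

Added example, not Blue Coat code. The Users / Max CW figures are the
S-Series table from the slide (5 connections per user = unique client
IP). The function names, the return shape and the "soft limit" flag are
this example's own assumptions about how to apply that table.
"""
import math
from typing import NamedTuple, Optional, Tuple


class Model(NamedTuple):
    name: str
    sizing_users: int  # "Users" column: unique client IPs the model is sized for
    max_cw: int        # "Max CW" column: HTTP/TCP-Tunnel Client Worker limit


# S-Series sizing table from the slide, smallest model first.
S_SERIES = [
    Model("S200-10", 400, 2_000),
    Model("S200-20", 1_200, 6_000),
    Model("S200-30", 2_600, 13_000),
    Model("S200-40", 5_000, 25_000),
    Model("S400-20", 6_000, 30_000),
    Model("S400-30", 14_000, 70_000),
    Model("S400-40", 25_000, 125_000),
    Model("S500-10", 30_000, 150_000),
    Model("S500-20", 50_000, 250_000),
]


def required_cw(users: int, conns_per_user: float) -> int:
    """Peak client-side sessions = users x concurrent connections per user.

    The slide's examples: a financial trader site at 50 connections per
    user, a kiosk site at 1 connection per user, the default model at 5.
    """
    if users < 0 or conns_per_user < 0:
        raise ValueError("users and conns_per_user must be non-negative")
    return math.ceil(users * conns_per_user)


def smallest_model(users: int, conns_per_user: float = 5.0) -> Optional[Tuple[str, bool]]:
    """Pick the smallest S-Series model whose CW limit covers the peak.

    Returns (model name, over_user_sizing); over_user_sizing is True when
    the unique-IP count exceeds the model's "Users" figure. On a hardware
    appliance that is a soft limit, so the CW limit decides, but it is
    worth flagging. Returns None when no listed model fits.
    """
    need = required_cw(users, conns_per_user)
    for model in S_SERIES:
        if model.max_cw >= need:
            return model.name, users > model.sizing_users
    return None


def cw_headroom(active_cw: int, model_name: str) -> float:
    """Fraction of the model's CW limit still free, as a monitoring input
    (the deck lists client-side HTTP connections among the key metrics)."""
    model = next(m for m in S_SERIES if m.name == model_name)
    return 1.0 - active_cw / model.max_cw


if __name__ == "__main__":
    # Constructed sizing scenarios, not customer data.
    for users, per_user, label in [(1_200, 5, "default"), (1_000, 50, "traders"), (20_000, 1, "kiosks")]:
        print(label, required_cw(users, per_user), smallest_model(users, per_user))
```

The kiosk case shows why the flag matters: 20,000 kiosks at one connection each need only 20,000 CW and fit an S200-40, but that model is sized for 5,000 unique IPs, so the result is returned with the over-sizing flag set rather than silently accepted.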
4. DNS, CONTENT FILTER
DNS
• Not a high consumer of CPU, but can be a cause of latency
• If external DNS servers are slow/overloaded, the Proxy will amplify the problem
• Use caution with policies/logging that trigger RDNS lookups
Content Filtering (evaluated at Client In)
• BCWF
  – Efficient categorization for high performance
  – Settings for lower-memory-footprint appliances
• WebPulse DRTR
  – Minimal overhead

PERFORMANCE FACTORS 5. ICAP REQMOD (DLP)

5. ICAP GENERAL & ICAP REQMOD
ICAP – Internet Content Adaptation Protocol
• Used to vector both REQuest and RESPonse traffic for scanning
ICAP – General performance considerations
• Persistent connection with re-use
• Sufficient ICAP connections to handle the throughput, or queuing will occur
• Relatively "expensive" – content must be sent over ICAP
• Policy dictates how much content is sent (ICAP best practices)
• Worst case is all content sent to ICAP
ICAP REQMOD evaluated at CI (before Server Out)
• Scans data on the outbound request
• Scanning POST body data
• Incremental cost is low due to the low volume of data (POST body data)

PERFORMANCE FACTORS 6. ICAP RESPMOD (CAS/AV)

6. ICAP RESPMOD (CONTENT ANALYSIS)
Evaluated at Server In (SI)
Higher cost due to the volume of incoming request data
For ICAP RESPMOD, cache to disk for performance (no need to return the payload when the response is 204 No Modification)
Infinite streams
• ICAP deferred connections
• ICAP mirroring (SG6.5)
Secure ICAP
• SSL cost in the initial connection setup
• SSL overhead of bulk encryption is low

PERFORMANCE FACTORS 7. SYSTEM SERVICES

7. SYSTEM SERVICES
Access logging
• Log entry written when the connection is complete
• A few percent overhead when enabled
• Obviously more overhead if multiple log facilities are in use
Health Checks
SNMP
Attack Detection
Failover, SGRP (VRRP)
Connection Forwarding
Scripts, polling of local policy
Snapshots, Debug logs

PERFORMANCE FACTORS 8. POLICY

8. POLICY AND CPU
Policy impact can range from minimal to the majority of CPU cost on the SG
Look for policy best practices
• Avoid regexes, order rules most likely to match first, group rules, etc.
A point of reference
• Policy used for SWG/ICAP/SSL consumes about 15% of total CPU
  – Scale appropriately for higher/lower policy usage
  – Variation across platforms
  – Only use as a rule of thumb
  – Not guaranteed to be exact
  – May change in the future

PERFORMANCE FACTORS 9. SSL

9. SSL INTERCEPT
(diagram slide)
CERTIFICATE EMULATION STATISTICS (SG6.5.5.1)
SSL Statistics (in Sysinfo and the SSL/Statistics URL): https://SG_IP:8082/SSL/statistics

Certificate Emulation
SPS51 Total certificates emulated 2,264
SPS52 Total RSA 2048 bit key certificates emulated 2,250
SPS53 Current cached emulated server certificates 1,078
SPS54 Total emulated server certificates added to cache 1,390
SPS55 Total emulated server certificates removed from cache due to timeout 0
SPS56 Total emulated server certificates removed from cache due to maxsize 0
SPS57 Total emulated server certificates removed from cache due to signature mismatch 312
SPS58 Total emulated server certificates removed from cache due to config changes 0
SPS59 Total emulated server certificates add to cache failures 874
SPS61 Total server certificate cache successful lookups 42,109
SPS62 Total proxy certificates emulated 5
SPS63 Total certificate emulation failures 0

% certificate emulation change = SPS51 / (SPS51 + SPS61)
In steady state, the % of new emulations should be very small

SSL & WILDCARD CERTIFICATES
Wildcard certificates (e.g., *.google.com and others)
• Google and other properties are starting to use wildcard certificates
• Wildcards allow certs with the same CN to appear on multiple servers
• Different servers have different certs (different expiration, keys, extensions, etc.)
• The SG's emulated certificates are cached using the "CN" as the key value
• The SG sees these different certs all with the same CN, causing a collision in the certificate cache and forcing the SG to re-emulate the certificate
  – This can lead to high CPU on all SG6.x versions (6.2 through 6.5)
  – A future certificate cache enhancement is planned; use the policy resolution below
Wildcard certificates resolution
• Install the following policy (creates a unique instance for each certificate):

<ssl-intercept>
    ssl.forward_proxy(https) ssl.forward_proxy.splash_text("$(x-rs-certificate-serial-number)$(x-rs-certificate-valid-from)$(x-rs-certificate-valid-to)")

• Monitor efficacy using % certificate emulations (= SPS51 / (SPS51 + SPS61))

SSL PROXY CERTIFICATE CACHE
Advanced URL: https://SG_IP:8082/sslproxy/certcache
(The Splash Text column is the concatenation $(x-rs-certificate-serial-number) $(x-rs-certificate-valid-from) $(x-rs-certificate-valid-to) produced by the policy above.)

Certificate Cache Contents
Number of cache entries: 1078
Common Name, Splash Text, Splash URL, Server Keyring
rtax.criteo.com,,
cloudfront.net,,
www.bgov.com,,
s3.wpc.edgecastcdn.net,,
www.palottery.state.pa.us,,
beacon.walmart.com,,
*.linkedin.com, 020000000001456FAAB168CFFE4A Apr 17 12:30:30 2014 GMT Apr 17 12:30:30 2015 GMT,
beis.cc.iup.edu,,
www.syncaccess.net,,
*.widget.custhelp.com,062306473BAC372720E3496C661336F0Feb 28 00:00:00 2014 GMTMar 30 23:59:59 2015 GMT,
ads.dotomi.com,02F7CASep 3 03:33:55 2014 GMTNov 5 14:50:00 2015 GMT,
*.wer.microsoft.com,28DB34EB000100005898Apr 4 17:56:38 2013 GMTApr 4 17:56:38 2015 GMT,
*.ebay.com,,
*.googleusercontent.com,,
*.reson8.com,D3C03378DC74A2ABF36132E69E273C45Jun 2 00:00:00 2014 GMTJul 21 23:59:59 2015 GMT,
stage.tracker.springserve.com,,
services.addons.mozilla.org,,
*.tapad.com,024906Jun 2 08:10:18 2013 GMTSep 3 03:30:13 2016 GMT,
*.dropbox.com,,
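The two outputs above are the data a monitor needs for the wildcard problem: the SPS counters give the "% new emulations" ratio the slide asks you to watch, and the cert cache listing shows which wildcard CNs are still keyed by CN alone (empty Splash Text), i.e. still exposed to the collision. The script below is an added example, not Blue Coat code; it parses both texts as they appear on the slides, computes SPS51 / (SPS51 + SPS61), and lists wildcard CNs without splash text. The sample inputs are constructed from the figures shown on the slides (the cache listing is a subset of the rows), and the 10% threshold, function names and result format are this example's assumptions.

```python
"""Certificate emulation health checks for an SSL-intercepting ProxySG.

Added example, not Blue Coat code. It parses the two texts shown on the
slides, the Certificate Emulation block of https://SG_IP:8082/SSL/statistics
(SPS51.. counters) and the /sslproxy/certcache listing, then computes the
slide's "% new emulations" ratio and lists wildcard CNs that are cached
by CN alone. Thresholds and function names are this example's assumptions.
The sample texts below are constructed from the figures on the slides.
"""
import re

SSL_STATS_SAMPLE = """\
Certificate Emulation
SPS51 Total certificates emulated 2,264
SPS52 Total RSA 2048 bit key certificates emulated 2,250
SPS53 Current cached emulated server certificates 1,078
SPS54 Total emulated server certificates added to cache 1,390
SPS57 Total emulated server certificates removed from cache due to signature mismatch 312
SPS59 Total emulated server certificates add to cache failures 874
SPS61 Total server certificate cache successful lookups 42,109
SPS63 Total certificate emulation failures 0
"""

CERT_CACHE_SAMPLE = """\
Certificate Cache Contents
Number of cache entries: 1078
Common Name, Splash Text, Splash URL, Server Keyring
rtax.criteo.com,,
*.linkedin.com, 020000000001456FAAB168CFFE4A Apr 17 12:30:30 2014 GMT Apr 17 12:30:30 2015 GMT,
*.widget.custhelp.com,062306473BAC372720E3496C661336F0Feb 28 00:00:00 2014 GMTMar 30 23:59:59 2015 GMT,
*.ebay.com,,
*.googleusercontent.com,,
*.reson8.com,D3C03378DC74A2ABF36132E69E273C45Jun 2 00:00:00 2014 GMTJul 21 23:59:59 2015 GMT,
*.dropbox.com,,
"""

# "SPS51 <description> 2,264": counter id, free text, thousands-separated value.
_STAT_LINE = re.compile(r"^(SPS\d+)\s+(.*?)\s+([\d,]+)\s*$")


def parse_ssl_stats(text):
    """Map counter id (e.g. 'SPS51') to its integer value."""
    stats = {}
    for line in text.splitlines():
        m = _STAT_LINE.match(line.strip())
        if m:
            stats[m.group(1)] = int(m.group(3).replace(",", ""))
    return stats


def new_emulation_ratio(stats):
    """Slide formula: SPS51 / (SPS51 + SPS61). Should be small in steady state."""
    emulated = stats["SPS51"]
    lookups = stats["SPS61"]
    total = emulated + lookups
    return emulated / total if total else 0.0


def parse_cert_cache(text):
    """Return (common_name, splash_text) for each row after the header line."""
    rows = []
    in_rows = False
    for line in text.splitlines():
        if line.startswith("Common Name,"):
            in_rows = True
            continue
        if not in_rows or not line.strip():
            continue
        fields = [f.strip() for f in line.split(",")]
        rows.append((fields[0], fields[1] if len(fields) > 1 else ""))
    return rows


def wildcard_cns_without_splash(rows):
    """Wildcard CNs cached by CN alone: these are the entries that collide
    when different servers present different certs for the same CN."""
    return [cn for cn, splash in rows if cn.startswith("*.") and not splash]


def assess(stats_text, cache_text, ratio_threshold=0.10):
    """Combine both checks into one report; threshold is an assumption."""
    stats = parse_ssl_stats(stats_text)
    ratio = new_emulation_ratio(stats)
    rows = parse_cert_cache(cache_text)
    colliders = wildcard_cns_without_splash(rows)
    findings = []
    if ratio > ratio_threshold:
        findings.append(f"new emulation ratio {ratio:.1%} above {ratio_threshold:.0%}")
    if stats.get("SPS57", 0):
        findings.append(f"{stats['SPS57']} cache removals due to signature mismatch")
    if colliders:
        findings.append(f"{len(colliders)} wildcard CNs cached without splash text: " + ", ".join(colliders))
    return {"ratio": ratio, "rows": len(rows), "colliders": colliders, "findings": findings}


if __name__ == "__main__":
    for finding in assess(SSL_STATS_SAMPLE, CERT_CACHE_SAMPLE)["findings"]:
        print(finding)
```

On the slide's own figures the ratio is about 5.1%, so the sample passes the ratio check; the 312 signature-mismatch removals (SPS57) and the three wildcard CNs still keyed by CN alone are what the report surfaces, which is the state you would expect before the splash-text policy has been applied everywhere.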
WILDCARD CERTIFICATE RESOLUTION VPM
From the VPM, edit the SSL-Intercept layer
Click on "Splash Text" and paste the text below into the box:
$(x-rs-certificate-serial-number)$(x-rs-certificate-valid-from)$(x-rs-certificate-valid-to)

CRITICAL RESOURCE MONITORING & TROUBLESHOOTING PERFORMANCE

CRITICAL RESOURCE MONITORING
What key metrics should be monitored?
• CPU Utilization
• Memory Pressure
• Network Throughput
• Client-side HTTP connections (CWs)
• Response time through the ProxySG (and DNS response time)
Establish a baseline and peak utilization
• Beware trend averages over long time intervals that "flatten" peaks
• Identify the true peak CPU utilization in the busy hour
• Peak CPU typically correlates with memory and connections
• Baseline the CPU distribution across components with the CPU monitor
SNMP MIBs
• See BLUECOAT-SG-PROXY-MIB.txt for resource monitoring
• BLUECOAT-SG-ICAP-MIB.txt has also been added in SG6.5
See "Critical Resource Monitoring of the ProxySG" on BTO
• Has the connection limit for each platform

TROUBLESHOOTING PERFORMANCE
Common performance issues
• High CPU
• Slowness
Easier to troubleshoot if you have already established a point of reference (baseline)
Is the issue repeatable? Time of occurrence:
• Over a long period of time?
• Over a short period of time?
• Intermittent?
Tools
• CPU Monitor
• Sysinfo snapshots
• Policy trace
TROUBLESHOOTING PERFORMANCE: HIGH CPU
External Network Factors
• Typically not going to be the cause of high CPU on the SG
Dependent Factors
• Problem with the authentication server or auth configuration (Kerberos falling back to NTLM)
Internal factors
• Audit config changes to the SG – complex policy/regexes?
• Loops – authentication, forwarding loops
• Upgrade of SG version/bug?
• Undersized?
• Self-inflicted – enabling snapshots/debug logs too frequently?
Traffic patterns that change SG resource utilization
• A change in traffic pattern resulted in a lack of available resources
• A change in traffic pattern is hitting expensive policy
• Under attack? – viruses, rogue apps, open proxy
• Bug?

TROUBLESHOOTING PERFORMANCE: HIGH CPU
Data collection
• Enable the CPU monitor
• Create and enable 5-minute snapshots
• Don't change the existing daily or hourly snapshot values
Is high CPU constant, randomly spiking, or just at the peak busy hour?

TROUBLESHOOTING PERFORMANCE: HIGH CPU EXAMPLE 1
Example 1: CPU is high for Policy evaluation
CPU Monitor:
CPU 0 97%
  Policy evaluation - HTTP 81%
  HTTP and FTP 5%
  Object Store 5%
  Access Logging 2%
  Miscellaneous 1%
CPU 1 94%
  Policy evaluation - HTTP 75%
  TCPIP 11%
  HTTP and FTP 5%
  DNS service 1%
Likely causes:
• Lots of regex rules in policy
• Very complex policy (lots of rules)
• Authentication problem
• High number of transactions per second

TROUBLESHOOTING PERFORMANCE: HIGH CPU EXAMPLE 2
Example 2: CPU is high in Object Store
CPU Monitor:
CPU 0 100%
  Object Store 97% (ce_admin)
  Access Logging 1%
CPU 1 98%
  TCPIP 19% (tcpip 8%)
  HTTP and FTP 7% (http 6%, kernel 1%)
  Policy evaluation - HTTP 3% (policy_enforcement 1%)
The system had a hard time reading or writing anything to disk. This indicates a problem with the disk.

TROUBLESHOOTING PERFORMANCE: HIGH CPU EXAMPLE 3
Example 3: CPU is high across multiple components
CPU Monitor:
Configured interval duration: 5 seconds
Current interval complete in: 2 seconds
CPU 0 77%
  TCPIP 31%
  HTTP and FTP 17%
  Object Store 13%
  Policy evaluation - HTTP 7%
  DNS service 1%
  Access Logging 1%
  Miscellaneous 1%
CPU is almost evenly distributed between HTTP and FTP, TCPIP, Object Store and Policy evaluation: a load/sizing issue.

TROUBLESHOOTING PERFORMANCE: HIGH CPU EXAMPLE 4
Example 4: CPU is high in TCP
CPU Monitor:
Configured interval duration: 5 seconds
Current interval complete in: 0 seconds
CPU 0 35%
  Object Store 14%
  HTTP and FTP 13%
  Policy evaluation - HTTP 3%
  Miscellaneous 2%
CPU 1 100%
  TCPIP 90%
  HTTP and FTP 5%
  Policy evaluation - HTTP 1%
  DNS service 1%
Possible causes:
• Too much bypass traffic
• Too many TCP connections
• May be a TCP attack
• Too many entries in the time-wait state

TROUBLESHOOTING PERFORMANCE: SLOWNESS
Can be difficult to troubleshoot, especially if intermittent
External Network Factors
• Audit change requests to the (upstream) network (over the last week)
• E.g., a new FW installed last weekend
• Network: packet loss, retransmissions, asymmetric routing
Dependent Factors
• DNS, Authentication, 3rd-party ICAP servers
Internal factors
• Audit config changes to the SG, starting with the most recent (work backwards over the last 2-3 days if it is an intermittent problem)
Traffic patterns that change SG resource utilization
• SSL ciphers
• Attack/bot
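The four high-CPU examples above share one reading method: look at each busy CPU, see whether a single component dominates, and map that component to a cause (policy evaluation to complex or regex-heavy policy, Object Store to disk trouble, TCPIP to connection volume or bypass traffic), with an evenly spread load on a busy CPU pointing at sizing instead. The script below is an added example, not Blue Coat code or a Blue Coat tool; it parses CPU-monitor text in the layout shown on the slides and applies that triage. The sample output is constructed from the percentages in Example 4, and the 75% "busy" and 50% "dominant" thresholds, the hint wording and the function names are this example's own assumptions.

```python
"""Triage of ProxySG CPU-monitor output, following the four high-CPU
patterns on the slides. Added example, not Blue Coat code. The sample
output below is constructed from the percentages on the slides; the
function names, the busy/dominant thresholds and the hint text are this
example's assumptions.
"""
import re

# Constructed from the Example 4 slide (TCPIP dominating CPU 1).
CPU_MONITOR_SAMPLE = """\
Configured interval duration: 5 seconds
Current interval complete in: 0 seconds
CPU 0 35%
  Object Store 14%
  HTTP and FTP 13%
  Policy evaluation - HTTP 3%
  Miscellaneous 2%
CPU 1 100%
  TCPIP 90%
  HTTP and FTP 5%
  Policy evaluation - HTTP 1%
  DNS service 1%
"""

# Where to look first when one component dominates a busy CPU (from the slides).
HINTS = {
    "Policy evaluation - HTTP": "policy: regex rules, very complex policy, auth problem, high transactions/sec",
    "Object Store": "disk: system struggling to read or write to disk",
    "TCPIP": "network: bypass traffic, too many TCP connections / time-wait entries, possible TCP attack",
}

_CPU_LINE = re.compile(r"^CPU\s+(\d+)\s+(\d+)%\s*$")
_COMP_LINE = re.compile(r"^(.*?)\s+(\d+)%\s*$")


def parse_cpu_monitor(text):
    """Return {cpu_index: {"total": pct, "components": {name: pct}}}.

    Lines that are not 'CPU n x%' or '<component> x%' (interval headers,
    blank lines) are ignored.
    """
    cpus = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = _CPU_LINE.match(line)
        if m:
            current = int(m.group(1))
            cpus[current] = {"total": int(m.group(2)), "components": {}}
            continue
        m = _COMP_LINE.match(line)
        if m and current is not None:
            cpus[current]["components"][m.group(1)] = int(m.group(2))
    return cpus


def triage(cpus, busy=75, dominant=50):
    """Classify each CPU: below 'busy' is left alone; a single component at
    or above 'dominant' maps to its hint; otherwise the load is spread
    across components, the load/sizing pattern of Example 3."""
    results = {}
    for idx, data in cpus.items():
        if data["total"] < busy:
            results[idx] = "not busy"
            continue
        if not data["components"]:
            results[idx] = "busy, no component breakdown"
            continue
        name, pct = max(data["components"].items(), key=lambda kv: kv[1])
        if pct >= dominant:
            results[idx] = HINTS.get(name, f"dominated by {name}")
        else:
            results[idx] = "load/sizing: CPU spread across components"
    return results


if __name__ == "__main__":
    for cpu, verdict in triage(parse_cpu_monitor(CPU_MONITOR_SAMPLE)).items():
        print(f"CPU {cpu}: {verdict}")
```

Run against the Example 4 figures it reports CPU 0 as not busy and CPU 1 as network-dominated; fed Example 3's single-CPU breakdown (TCPIP 31%, HTTP and FTP 17%, Object Store 13%, policy 7%) it returns the load/sizing verdict, because no component reaches the dominant threshold even though the CPU is busy.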
TROUBLESHOOTING PERFORMANCE: SLOWNESS
Data collection
• May require multiple rounds of troubleshooting (PCAP & Sysinfo snapshots)
  – Easiest to target a specific client or server to test
  – May need to test with different configurations and capture with different filters to narrow down the issue
• Important to analyze the snapshots
  – Check whether resource load is high (e.g. CPU, memory, HTTP workers, etc.)
  – Check for any priority 1 events & health checks that occurred during the time of the issue
  – Check the trend of the issue (how frequently it occurs and any correlation with other components or stats)

SUMMARY
ProxySG Architecture
• Appliance resources, CW limit
Performance Model
Factors Impacting Performance
• ICAP (built into the sizing model/guide)
• Policy (the sky is the limit)
• SSL (SSL traffic mix, amount of SSL decryption)
Resource and Health Monitoring
• Critical resource monitoring
• Health monitoring
Troubleshooting
• Importance of establishing a performance baseline
• Tools to troubleshoot performance

THANK YOU FOR JOINING TODAY!
Please provide feedback on this webcast and suggestions for future webcasts to: [email protected]
Webcast replay and slide deck found here within 48 hours: https://bto.bluecoat.com/training/customersupport-technical-webcasts (Requires BTO log-in)
BLUE COAT CUSTOMER FORUMS
A community where you can learn from and share your valuable knowledge and experience with other Blue Coat customers
Research, post and reply to topics relevant to you at your own convenience
The Blue Coat Moderator Team is ready to offer guidance, answer questions, and help get you on the right track
Access it at forums.bluecoat.com and register for an account today!

QUICK SURVEY
We are truly committed to continuous improvement for these Technical Webcasts. At the end of the event you will be redirected to a very short survey about satisfaction with this Program. Please help us out by taking two minutes to complete it. Thank you!
Questions for Paul?

Questions?

PROXYSG PERFORMANCE WEBCAST QUESTIONS
Q1: Is a Client Worker (CW) created for every HTTP connection, or can a single CW handle multiple HTTP connections?
Q2: The cost with the wildcard certificates -- does that generate a lower "cost" in a reverse proxy model where the wildcard cert is on the proxy, not on the OCS/Internet?
Q3: How does Licensed Client IP correlate to Concurrent users?
Q4: Is it possible to monitor the number of client connections per IP in the SG?
Q5: So I notice that BC has recommended the S-series to replace many 510/810/300/600 ProxySGs - does this mean the S-series is exactly the same, or are they truly an improvement in performance and connection numbers?
Q6: The "Critical Resource Monitoring" Guide talks about a Connection limit per device... is that the same as the CW that that particular model has?
Q7: What about multiple users on a single Citrix server? Licenses
Q8: Client side, how will you typically handle reaching the TCP limit (65,000) for a specific IP in the larger models that could handle a lot more connections?
Q9: Note: IP surrogate won't work in a NATed load balancer configuration. About IP surrogate, do you have advice about implementation? Especially about the possibility that one IP can be shared between users (hiding IP or Citrix users)?
Q10: We are currently logging the category of URLs. What kind of impact can we expect if we add the application field in our logs for BCWF?
Q11: Where can we view utilization on the proxy like the pie graph, like the BC SWG policy pie chart?
Q12: Can you talk about ECDHE? From a performance standpoint, what should the default policy be set to?
Q13: For ICAP, will the proxy perform better if a dedicated interface is assigned for ICAP communication versus the same interface for all other user traffic?
Q14: Today's sizing guides assume 15% of SSL traffic. That's not realistic. At least 60% of Web browsing is SSL. Is there any sizing guide that assumes a higher SSL percentage? We're having serious problems sizing the right SG for our customers.
Q15: Will the sysinfo "reader" (the tool that the support rep uses) be available for channels?
Q16: For troubleshooting we saw recommendations to add snapshots every 5 minutes. How much free CPU resource (%) should be available to enable this without generating a new problem?
Q17: When the ProxySG is in high CPU/high memory panic mode, is there anything we can do to bring that down other than reboot the device?
Q18: Regarding the CW limit: We've long seen it as our primary bottleneck. Does Bluecoat publish the CW figures publicly yet, or do we have to ask our VAR to get the figures on the proxy models at purchase time?
Q19: Does rebooting the proxy impact performance from a caching standpoint?
Q20: Hi, regarding memory pressure - do I understand correctly that while the proxy is in the regulation state, it just regulates NEW client connections but keeps processing the active ones?
Q21: Is it common to see a small amount of traffic bound for blocked URLs on our outside sensors? Is this part of the handshake process before the block is implemented?
Q22: Good morning. Regarding the licensed client IP... Is there a way for us to identify the "soft" limit on the ProxySG's GUI or CLI?
Q23: Is there a way to monitor the number of CWs in use?
Q24: What is the cost of running Trace layers (80 and 443) in the VPM?
Q25: What might it indicate if the memory utilization is significantly higher than the CPU utilization on average?
Q26: For bandwidth performance issues, is there a way to see who is downloading what in real time?
Q27: If the network throughput is above the threshold recommended by Bluecoat but CPU is still normal, will this cause any issue on performance?
Q28: From a performance standpoint, what are the recommendations around attack detection and delete on abandonment?