Use the Rule Profiler

Before you begin

You must have Version 7.6 or later devices with Snort 3 to use Rule Profiling.

Procedure


Step 1

From the management center, choose Devices > Snort 3 Profiling.

Step 2

Click the Rule Profiling tab.

Step 3

From the Select device for Rule Profiling drop-down list, choose a device for rule profiling.

Note

You can run multiple profiling sessions simultaneously on different devices.

Step 4

To start a rule profiling session, click Start. (The session automatically stops after 120 minutes.)

You can stop the profiling session at any time by clicking Stop. However, stopping it before the scheduled 120 minutes have elapsed might not give precise results.

Note

While the rule profiling session is in progress, a task is created. Click Notifications > Tasks to view the details.

The latest profiling result is automatically displayed in the Rule Profiling Results section. The table contains statistics for the rules that took the most time to process, sorted in descending order by total time (in microseconds [µs]). The IPS rule profiler output is shown in tabular format with the following columns:

  • % of Snort Time: Time spent for processing the rule, relative to the total time of the Snort 3 operation.

  • Rev: Revision number of the rule.

  • Checks: Number of times the IPS rule was executed.

  • Matches: Number of times the IPS rule fully matched in the traffic.

  • Alerts: Number of times the IPS rule triggered an IPS alert.

  • Time: Time (in microseconds) spent by Snort in checking the IPS rule.

  • Avg/Check: Average time spent by Snort on a single check of the rule.

  • Avg/Match: Average time spent by Snort on a single check that resulted in a match.

  • Avg/Non-Match: Average time spent by Snort on a single check that did not result in a match.

  • Timeouts: Number of times the rule exceeded the Rule Handling - Threshold configured in the Latency-Based Performance Settings of the access control policy.

  • Suspends: Number of times the rule was suspended due to consecutive threshold violations.

Step 5

(Optional) Click Download Snapshot to download the profiling result. The downloaded file is in CSV format and contains all the fields from the profiling results page.

Step 6

(Optional) Click the Filter by % of Snort time toggle button to filter out rules whose execution took more than n% of the profiling time. In general, a rule is considered to be performing unsatisfactorily if it consumes 0.2% or more of Snort’s overall processing time.

Step 7

(Optional) Use the Search field to search through the fields in the Rule Profiling Results table.

Step 8

(Optional) Click the Rule Profiling History section (collapsible panel on the left) to expand it and view a set of cards representing the previous profiling sessions for a chosen device. When you click a card from the history, the details are displayed in the Rule Profiling Results section.


Note

If you initiate a deployment while rule profiling is running, the profiling session is automatically terminated to accommodate the deployment, except for deployments resulting from changes to the access control policy rules and security intelligence. You must run the rule profiling for the device again.
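
One way to triage the CSV snapshot from Step 5 offline, using the 0.2% guideline from Step 6 together with the Timeouts and Suspends counters. This is an added example, not part of the original documentation. The header names (including GID and SID as the rule identifier) and the sample rows are assumptions; adjust them to the headers in your downloaded file.

```python
import csv
import io

THRESHOLD_PCT = 0.2  # guideline from Step 6: 0.2% or more of Snort time

# Constructed sample snapshot. Header names are assumed to match the UI
# column names; GID/SID as the rule identifier are also an assumption.
SAMPLE_CSV = """GID,SID,Rev,% of Snort Time,Checks,Matches,Alerts,Time,Avg/Check,Avg/Match,Avg/Non-Match,Timeouts,Suspends
1,1000001,3,1.85,52000,12,12,910000,17.5,40.0,17.49,4,1
1,1000002,1,0.20,9000,0,0,98000,10.89,0,10.89,0,0
1,1000003,7,0.05,150000,900,900,24500,0.16,0.5,0.16,0,0
1,1000004,2,0.01,300,0,0,4900,16.33,0,16.33,2,0
"""

def num(value):
    """Parse a numeric cell, tolerating blanks, '%' signs and thousands separators."""
    cleaned = (value or "").replace(",", "").replace("%", "").strip()
    return float(cleaned) if cleaned else 0.0

def triage(csv_text, threshold=THRESHOLD_PCT):
    """Return [(rule_id, reasons)] for rules worth reviewing, costliest first."""
    flagged = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        reasons = []
        pct = num(row["% of Snort Time"])
        if pct >= threshold:
            reasons.append(f"{pct}% of Snort time")
        for counter in ("Timeouts", "Suspends"):
            count = int(num(row[counter]))
            if count > 0:
                reasons.append(f"{counter.lower()}: {count}")
        # A costly rule that was checked but never matched is a tuning candidate.
        if reasons and num(row["Checks"]) > 0 and num(row["Matches"]) == 0:
            reasons.append("never matched")
        if reasons:
            rule_id = f"{row['GID']}:{row['SID']}:{row['Rev']}"
            flagged.append((num(row["Time"]), rule_id, reasons))
    flagged.sort(key=lambda item: item[0], reverse=True)  # by total time (µs)
    return [(rule_id, reasons) for _, rule_id, reasons in flagged]

if __name__ == "__main__":
    for rule_id, reasons in triage(SAMPLE_CSV):
        print(rule_id, "->", "; ".join(reasons))
```

To run it against a real snapshot, pass the file's contents to `triage()` instead of `SAMPLE_CSV`.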