If a FirePOWER appliance or NGIPS Virtual appliance is oversubscribed, you need to collect additional data to determine which component of the device is slowing down the system. Rule profiling enables a FireSIGHT system to generate further data on which rules and subsystems of the detection engine use the most CPU cycles. This article provides instructions on how to run rule profiling on a FireSIGHT appliance and an NGIPS Virtual Appliance.
Cisco recommends that you have knowledge of FirePOWER appliance and virtual appliance models.
The information in this document is based on these hardware and software versions:
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
Step 1: Access the CLI of the managed device.
Step 2: Run the following rule profiling command for a particular time. The time must be between 15 and 120 minutes. In the following example, the script is run for 15 minutes.
> system support run-rule-profiling 15
Step 3: Confirm the execution of the command. Type y and press Enter.
> system support run-rule-profiling 15
You are about to profile
DE Primary Detection Engine (94854a60-cb17-11e3-a2f5-8de07680f9f3)
Time 15 minutes
WARNING!! Detection Engine will be restarted.
Intrusion Detection / Prevention will be affected
Please confirm by entering 'y': y
After confirming the execution, the rule profiling begins. The time to complete the profiling counts down to zero minutes.
Restarting DE for profiling...done
Profiling for 15 more minutes...
Once complete, the shell prompt comes back.
Restarting DE for profiling...done
Profiling...done
Restarting DE with original configuration...in progress
>
Step 4: The rule profiling command generates a .tgz file. You can find the file by running the following command in the shell.
> system file list
May 12 15:53 99364308 profiling.94854a60-cb17-11e3-a2f5-8de07680f9f3.1399909945.tgz
Step 5: Provide the file to Cisco Technical Support for further analysis.