ScreenOS Firewalls (NOT SRX)
Contributor
Chuck
Posts: 32
Registered: ‎02-03-2009

AV impacts to performance on an SSG140

We are currently in the process of testing out the use of AV on our Junipers. Our initial results for the performance hit one takes when utilizing this feature are very astonishing. For example, FTP transfers take 10 times (1000%) longer, HTTP file downloads take 50% longer, and if you remove the Juniper ignore list, especially for PDF files, it increases to 3 times (300%).

Note that we have had to make modifications to the default ns-profile for AV, for when we attempted to use that profile, FTP file transfers either failed or, if successful, provided no transfer completed messages. There have been several other modifications to the Scan profile in order for the FTP file transfers to work.

Just wondering if anyone else has performed extensive controlled testing in a lab environment with regard to AV as we are doing?

Trusted Expert
Automate
Posts: 784
Registered: ‎11-01-2007

Re: AV impacts to performance on an SSG140

Can you tell us on which version of software you did your tests?

Thx

-Keith

New User
xit
Posts: 1
Registered: ‎03-16-2009

Re: AV impacts to performance on an SSG140

Chuck,

I know this is an older ticket, but it is an ongoing issue for probably everyone. It just so happens we also have been working on using AV on our SSG-140. We even opened up a ticket with JTAC Case #2010-0105-0324. The current response we are getting from JTAC is that 'things just slow down when you have AV enabled'.

So we have to accept a 1.5 Mbps upload speed compared to 15 Mbps upload speed prior to AV? Then we lost 30 Mbps on our downloads with AV active. Large file downloads fail most of the time. I am curious to know if there was anything you adjusted after your testing to get your throughput up a little, or if this is as good as it got for you. I am running 6.2r1, which did help a tiny bit compared to 6.0 that I was running.

Contributor
amol_waghmare
Posts: 24
Registered: ‎09-22-2009

Re: AV impacts to performance on an SSG140

Hi,

I too faced the same problem. I think Juniper must have suggested AV on higher-end products. Instead I chose to ignore the packet if unable to scan, and the speed got restored to some extent, but with this the AV feature is useless.

I would suggest creating two policies:

1) For FTP and port 445 traffic, a separate AV profile

2) For all traffic, a different AV profile.

Although I haven't tried this, I think at least web browsing will improve and downloads will slow down, which can be acceptable.

Thanks
