IBM Support

Unit Utilization Thresholds for Sniffer Memory on a 64 bit Guardium Appliance can appear too low causing false alerts.

Question & Answer


Question

Unit Utilization Thresholds for Sniffer Memory on a 64 bit Guardium Appliance can appear too low causing false alerts.

Cause

The newer 64-bit Guardium appliances have a larger memory allowance for the inspection-core (sniffer).
Some Unit Utilization thresholds may still show and use the historical levels set for the lower-spec 32-bit appliances.

Answer

You can check the current levels with the grdapi command from cli, for example:

    grdapi list_utilization_thresholds

      vmguard11.hursley.ibm.com> grdapi list_utilization_thresholds
      Number Of Restarts            :  Low <= 2  Medium  <= 4 < High
      Sniffer Memory                :  Low <= 2200000  Medium  <= 2400000 < High
      ..etc..

There are cli commands that will allow you to get and set the Maximum Sniffer Memory -

    support show snif_memory_max
    support store snif_memory_max

For instance, to show the current setting:

      vmguard11.hursley.ibm.com> support show snif_memory_max
      33%
      ok

Note that the values that can be set are restricted to 33, 50 or 75% of the total available memory on the system.

The latest v9p600 GPU, v10 and higher can make use of the following feature and set the thresholds to a more meaningful level.

It is possible to work out roughly what you might expect the Sniffer Memory to be. For example, find the total memory of your appliance by running the following from cli:

    support show top memory

    top - 16:24:09 up 19 days,  2:54,  2 users,  load average: 0.04, 0.04, 0.00
    Tasks: 109 total,   1 running, 106 sleeping,   1 stopped,   1 zombie
    Cpu(s):  0.6%us,  0.4%sy,  0.0%ni, 99.0%id,  0.0%wa,  0.0%hi,  0.0%si,  0.0%st
    Mem:  24554292k total, 24218984k used,   335308k free,   344740k buffers
    Swap:  5245180k total,      112k used,  5245068k free, 13271252k cached
    ..etc.

Here we have Mem: 24554292k total, about 24GB.

A snif_memory_max of 33% would mean we would expect roughly 24554292 * 0.33 = 8102916.36 (about 8GB of the memory), so we would expect to see roughly that figure with grdapi list_utilization_thresholds.

However, currently we have a low setting:

      vmguard11.hursley.ibm.com> grdapi list_utilization_thresholds

      Number Of Restarts            :  Low <= 2  Medium  <= 4 < High
      Sniffer Memory                :  Low <= 2200000  Medium  <= 2400000 < High
      ..etc..

To set a more reasonable figure, you will need to contact IBM Technical Support, who can enter the key needed to unlock this command: support store snif_memory_max

    vmguard11.hursley.ibm.com> support store snif_memory_max 33

    Please enter access key to unlock support store snif_memory_max command:

    Please restart sniffer processes to use new memory values
    ok
    vmguard11.hursley.ibm.com> stop inspection-core
    Stopping inspection core
    Please do not forget to manually start the Inspection Core after maintenance
    is done.
    ok
    vmguard11.hursley.ibm.com>  start inspection-core
    Starting inspection core
    Started.
    ok


Now list the thresholds:

    vmguard11.hursley.ibm.com> grdapi list_utilization_thresholds

    Number Of Restarts            :  Low <= 2  Medium  <= 4 < High
    Sniffer Memory                :  Low <= 4861132  Medium  <= 6886604 < High
    ..etc..

From this point on, the alert checks will be made against these new, higher and more sensible levels.
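
The check described above can be scripted over captured cli output. The following is an added example, not IBM code: it parses the `Mem:` line from `support show top memory` and the `Sniffer Memory` line from `grdapi list_utilization_thresholds`, then flags thresholds that sit far below the expected ceiling. The function names and the `STALE_RATIO` cut-off are assumptions made for illustration, and the threshold values are compared directly with the `k` figure from top, as the text above does.

```python
import re

# Sample input: the cli output lines shown on this page, embedded so the check runs offline.
TOP_OUTPUT = """\
top - 16:24:09 up 19 days,  2:54,  2 users,  load average: 0.04, 0.04, 0.00
Mem:  24554292k total, 24218984k used,   335308k free,   344740k buffers
Swap:  5245180k total,      112k used,  5245068k free, 13271252k cached
"""
THRESHOLDS_BEFORE = "Sniffer Memory                :  Low <= 2200000  Medium  <= 2400000 < High"
THRESHOLDS_AFTER = "Sniffer Memory                :  Low <= 4861132  Medium  <= 6886604 < High"

ALLOWED_PERCENT = (33, 50, 75)  # values the page says snif_memory_max accepts
STALE_RATIO = 0.5  # assumption: a Medium bound under half the ceiling looks like a legacy level


def total_memory_k(top_output):
    """Return total memory in k from the 'Mem:' line of top output."""
    m = re.search(r"^Mem:\s+(\d+)k total", top_output, re.MULTILINE)
    if not m:
        raise ValueError("no 'Mem: <n>k total' line found")
    return int(m.group(1))


def sniffer_thresholds(line):
    """Return the (low, medium) bounds from a 'Sniffer Memory' threshold line."""
    m = re.search(
        r"Sniffer Memory\s*:\s*Low\s*<=\s*(\d+)\s+Medium\s*<=\s*(\d+)\s*<\s*High", line)
    if not m:
        raise ValueError("no 'Sniffer Memory' threshold line found")
    return int(m.group(1)), int(m.group(2))


def expected_ceiling_k(total_k, percent):
    """Expected sniffer memory ceiling: total memory times snif_memory_max."""
    if percent not in ALLOWED_PERCENT:
        raise ValueError(f"snif_memory_max must be one of {ALLOWED_PERCENT}")
    return total_k * percent / 100


def looks_stale(top_output, threshold_line, percent):
    """True when the Medium/High boundary sits far below the expected ceiling."""
    _, medium = sniffer_thresholds(threshold_line)
    return medium < STALE_RATIO * expected_ceiling_k(total_memory_k(top_output), percent)


if __name__ == "__main__":
    for label, line in (("before", THRESHOLDS_BEFORE), ("after", THRESHOLDS_AFTER)):
        print(label, sniffer_thresholds(line), "stale:", looks_stale(TOP_OUTPUT, line, 33))
```
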



Document Information

Modified date:
16 June 2018

UID

swg21973816