Question & Answer
Question
Unit Utilization Thresholds for Sniffer Memory on a 64 bit Guardium Appliance can appear too low causing false alerts.
Cause
The newer 64 bit Guardium appliances have a larger memory allowance for the inspection-core (sniffer).
Some Unit Utilization thresholds may still show and use the historical levels set for the lower-spec 32 bit appliances.
Answer
You can check the current levels with the grdapi command from the cli, for example:
- grdapi list_utilization_thresholds
vmguard11.hursley.ibm.com> grdapi list_utilization_thresholds
Number Of Restarts : Low <= 2 Medium <= 4 < High
Sniffer Memory : Low <= 2200000 Medium <= 2400000 < High
..etc..
There are cli commands that will allow you to get and set the Maximum Sniffer Memory -
support show snif_memory_max
support store snif_memory_max
for instance to show the current setting
- vmguard11.hursley.ibm.com> support show snif_memory_max
33%
ok
Note that the values that can be set are restricted to 33, 50 or 75 % of the total available memory on the system.
The latest v9p600 GPU, v10 and higher can make use of the following feature and set the thresholds to a more meaningful level.
It is possible to work out roughly what you might expect the Sniffer Memory to be. For example, find the total memory of your appliance; from the cli run
- support show top memory
top - 16:24:09 up 19 days, 2:54, 2 users, load average: 0.04, 0.04, 0.00
Tasks: 109 total, 1 running, 106 sleeping, 1 stopped, 1 zombie
Cpu(s): 0.6%us, 0.4%sy, 0.0%ni, 99.0%id, 0.0%wa, 0.0%hi, 0.0%si, 0.0%st
Mem: 24554292k total, 24218984k used, 335308k free, 344740k buffers
Swap: 5245180k total, 112k used, 5245068k free, 13271252k cached
..etc.
- Here we have Mem: 24554292k total ~ 24GB
A snif_memory_max of 33% would mean we would expect roughly 24554292 * 0.33 = 8102916.36 (about 8GB of the memory),
so we would expect to see roughly that figure with grdapi list_utilization_thresholds.
However, currently we have a low setting:
vmguard11.hursley.ibm.com> grdapi list_utilization_thresholds
Number Of Restarts : Low <= 2 Medium <= 4 < High
Sniffer Memory : Low <= 2200000 Medium <= 2400000 < High
..etc..
To set a more reasonable figure you will need to ask IBM Technical Support, who can enter the key needed to unlock this command - support store snif_memory_max
- vmguard11.hursley.ibm.com> support store snif_memory_max 33
Please enter access key to unlock support store snif_memory_max command:
Please restart sniffer processes to use new memory values
ok
vmguard11.hursley.ibm.com> stop inspection-core
Stopping inspection core
Please do not forget to manually start the Inspection Core after maintenance
is done.
ok
vmguard11.hursley.ibm.com> start inspection-core
Starting inspection core
Started.
ok
Now list the thresholds:
- vmguard11.hursley.ibm.com> grdapi list_utilization_thresholds
Number Of Restarts : Low <= 2 Medium <= 4 < High
Sniffer Memory : Low <= 4861132 Medium <= 6886604 < High
..etc..
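The comparison walked through above can be scripted against saved CLI captures. This is an added example, not IBM code: it parses the `Mem:` line and the `Sniffer Memory` threshold line, computes the expected figure for a given snif_memory_max, and flags thresholds that look like the historical low levels. The function names and the 0.5 cut-off are assumptions made for the illustration.

```python
import re

# Sample input: lines taken from the CLI captures shown in this article.
TOP_OUTPUT = "Mem: 24554292k total, 24218984k used, 335308k free, 344740k buffers"
BEFORE = "Sniffer Memory : Low <= 2200000 Medium <= 2400000 < High"
AFTER = "Sniffer Memory : Low <= 4861132 Medium <= 6886604 < High"

ALLOWED_PERCENT = (33, 50, 75)  # the only values the article says can be set
STALE_RATIO = 0.5  # assumption: Medium bound under half the expected figure is suspect


def total_memory_kb(top_text):
    """Return the 'Mem: <n>k total' figure from 'support show top memory' output."""
    m = re.search(r"Mem:\s+(\d+)k total", top_text)
    if not m:
        raise ValueError("no 'Mem: ...k total' line found")
    return int(m.group(1))


def sniffer_thresholds(grdapi_text):
    """Return (low, medium) from the Sniffer Memory line of list_utilization_thresholds."""
    m = re.search(r"Sniffer Memory\s*:\s*Low <= (\d+)\s+Medium <= (\d+)", grdapi_text)
    if not m:
        raise ValueError("no 'Sniffer Memory' threshold line found")
    return int(m.group(1)), int(m.group(2))


def expected_sniffer_kb(total_kb, percent):
    """Expected sniffer memory for a snif_memory_max percentage (integer arithmetic)."""
    if percent not in ALLOWED_PERCENT:
        raise ValueError("snif_memory_max must be one of %s" % (ALLOWED_PERCENT,))
    return total_kb * percent // 100


def check(top_text, grdapi_text, percent):
    """Compare the configured thresholds with the expected sniffer memory figure."""
    expected = expected_sniffer_kb(total_memory_kb(top_text), percent)
    low, medium = sniffer_thresholds(grdapi_text)
    return {
        "expected_kb": expected,
        "low": low,
        "medium": medium,
        "medium_ratio": round(medium / expected, 2),
        "stale": medium < expected * STALE_RATIO,
    }


if __name__ == "__main__":
    for label, capture in (("before", BEFORE), ("after", AFTER)):
        print(label, check(TOP_OUTPUT, capture, 33))
```

Run it over captures from several appliances to find the ones whose thresholds still need adjusting before alerts on Sniffer Memory are trusted.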
Document Information
Modified date:
16 June 2018
UID
swg21973816