Bug ID 734762: Automatic policy learning is slower when there are thousands of policies

Last Modified: Sep 17, 2019

Bug Tracker

Affected Product:  See more info
BIG-IP ASM(all modules)

Known Affected Versions:
14.0.0, 14.0.0.1, 14.0.0.2, 14.0.0.3, 14.0.0.4, 14.0.0.5, 14.0.1

Fixed In:
14.1.0

Opened: Jul 15, 2018
Severity: 3-Major

Symptoms

Policy learning takes longer than previous versions when there are thousands of policies.

Impact

It takes longer for the system learn all the policies.

Conditions

-- Specific load over thousands of policies. -- Automatic policy building. -- Requests do not have violations.

Workaround

To work around this, set the following variable to 100: pb_sampling_high_cpu_load Note: The default is 10, which gets 10 sampled requests. Setting the value to 100 impacts performance. (Note: The parameter name is misleading, as the variable does not relate to CPU load.)

Fix Information

Issue is mitigated in this release. The policies get learned slower in 14.0.x and later, on systems with a high load of legal traffic and many policies. What took an hour to learn in previous versions might take several hours. You can use the internal parameter, pb_sampling_high_cpu_load, to adjust this. (Note: The parameter name is misleading, as the variable does not relate to CPU load.)

Behavior Change