Adjust performance for mirrored traffic

Because mirroring traffic can affect your network performance, it is best practice to set one or more of the following performance adjustments on the Mirror Destination and Source Airwall Gateways to reduce that impact.

Here are the performance adjustments you can make:

Snap length

Specify how many bytes of each original packet a Mirror Source Airwall Gateway copies when mirroring traffic. Use a small value (~64 bytes) to get “headers only”, or a larger value (~1000 bytes) to avoid fragmentation. Specifying a full Ethernet frame size of 1514 bytes avoids truncating packets (if you are using 802.1q VLAN tags or jumbo frames, you will need to increase this value), but it fragments every full-size mirrored packet, doubling the number of packets that must be processed.

Rate limits

Set a rate limit for mirrored traffic. This limit is applied only to the mirrored copy of the traffic. It is a best practice to configure a rate limit so that mirroring does not negatively impact other traffic secured by the Airwall Gateway. This limit also protects against misconfigurations where the mirrored traffic itself is mirrored, which would mirror the same packet endlessly.

As a starting point, here are recommended values that should not significantly impact existing traffic, based on the relative performance of specific Airwall Gateway models:

Airwall Gateway model    Suggested Rate Limit
100                      1 Mb/s
110                      3 Mb/s
75                       5 Mb/s
150                      10 Mb/s
250                      15 Mb/s
300v                     20-100 Mb/s
500                      100 Mb/s

Note: You may want to set these limits lower, depending on your network bandwidth, particularly if your network connection is metered, as with a cellular provider.

When setting rate limits, also consider the performance of the Mirror Destination Airwall Gateway, the packet analyzer, and the network connection between these Airwall Gateways.
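To see how the snap length and the rate limit interact, the following added example (not part of the Airwall documentation or product) estimates the mirrored packet count and bandwidth for a traffic sample at several snap lengths and compares the result with the suggested limit for a model. The 60-byte encapsulation overhead, the 1514-byte largest unfragmented frame, and the traffic sample are assumptions constructed for illustration.

```python
import math

# Suggested rate limits from the table above, in Mb/s (300v: low end of 20-100).
SUGGESTED_LIMIT_MBPS = {"100": 1, "110": 3, "75": 5, "150": 10,
                        "250": 15, "300v": 20, "500": 100}

# Assumptions, not Airwall values: bytes added to each mirrored copy by
# encapsulation, and the largest frame the path carries without fragmenting.
ASSUMED_OVERHEAD = 60
ASSUMED_MAX_FRAME = 1514


def mirror_load(frame_sizes, snap_length, interval_s, model):
    """Estimate the cost of mirroring frame_sizes (bytes) at snap_length."""
    packets = wire_bytes = truncated = 0
    for size in frame_sizes:
        copied = min(size, snap_length)      # snap length caps the copy
        truncated += size > snap_length      # payload beyond the cap is lost
        encapsulated = copied + ASSUMED_OVERHEAD
        # Simplified fragmentation model: one packet per ASSUMED_MAX_FRAME
        # bytes; per-fragment header bytes are ignored.
        packets += math.ceil(encapsulated / ASSUMED_MAX_FRAME)
        wire_bytes += encapsulated
    mbps = wire_bytes * 8 / interval_s / 1e6  # assumes 1 Mb = 10**6 bits
    limit = SUGGESTED_LIMIT_MBPS[model]
    return {
        "packets": packets,
        "truncated": truncated,
        "mbps": round(mbps, 3),
        "limit_mbps": limit,
        "within_limit": mbps <= limit,
    }


# Constructed one-second sample: 800 full-size frames and 1000 small frames.
SAMPLE = [1514] * 800 + [90] * 1000

if __name__ == "__main__":
    for snap in (64, 1000, 1514):
        print(snap, mirror_load(SAMPLE, snap, 1.0, "150"))
```

Under these assumptions, a 1514-byte snap length turns each of the 800 full-size frames into two packets and pushes the sample past the 10 Mb/s suggested for the 150, while 1000 bytes stays under the limit with no fragmentation.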

BPF Filters

You can select which traffic is mirrored by specifying a BPF filter. If no filter is specified, all traffic is mirrored. By default, Mirror Source Airwall Gateways use the BPF filters specified on the Mirror Destination Airwall Gateway. You can override this default by setting different filters on any of the Mirror Source Airwall Gateways. BPF filter expressions restrict mirrored traffic to specific protocols. For information on the BPF filters most helpful for port mirroring, see BPF Settings for Port Mirroring.