Nimbostratus
AltostratusHi,
we are runnning 3900s boxes (LTM+ASM).
If you don't need Data Guard by business, let it off. Same thing to all other settings. i.e. if you have a firewall in front with DOS protection, you don't need to turn it on in ASM. It depends on your network design.
...the reason for your high cpu...it depends ;-) There can be so many reasons. Do you run a lot of ssl traffic? Do you use big ssl keys (2048 and bigger)? How much traffic? Do you use a lot of xml traffic?
v11 needs a little bit more power than v10, but it needs much more memory - says f5.
Memory allocation is really importend and can result in high cpu of the system or swapping.
Does your system swap memory?
The problem is, if you are running LTM&ASM on one system, you can't see detailed informations about the memory allocation.
i.e. we have only about 70mb really free memory in our 3900. But if I calculate, I get much more free memory. :-)
I don't know the size of your environment, but the 3600 has only 4GB memory. Perhaps, you should think about a bigger system, like a 3900 (8GB) or better a 4000v (16gb).
If you have a lot of policies, you can think about a bigger system behind the 3600. So you only run LTM on 3600 and ASM on a 3900 or 4000v.
But again, it all depends on your network design!
Selection of policies: you should select all necessary policies :-)
i.e. you have java application running on a linux apache server, which use a mysql DB and there is a little bit xml traffic, you select Java, Linux, Mysql, xml signatures. A base signature set is allways selected.
You don't have to select all the DB you are running in your environment. Only the one, used by your application.
regards