Yes, I've seen performance hits when servers are high traffic, dual NIC and have lots of rules enabled. The trick is to find out what the server does and tune the rules so they have the smallest impact.
Even though it is in test mode, it still has to process the rules as if it were in protect mode.
If these are limited service servers you could try some of the canned groups (clone them and test with the clones) to determine what the optimal setup is.
You could also approach it from the other angle, which is to use only those policies that protect what you feel is the greatest risk and ignore the rest. That way the server is only processing rules you care about and can spend the rest of its power doing its job.
BTW, there is a way to disable the network shim with a registry mod but I don't believe it's encouraged or supported.
Hi... I had issues with CSA 4.5 in TEST MODE. On this version the installation of the Network shim was optional, and so after experiencing several performance issues with many servers running FTP, HTTP, and Exchange I ended up creating a new package without the Network Shim and re-deploying again. The performance problems went away afterwards. I would have suggested uninstalling the Network shim but I was not aware that version 5.0 does not give you the option of not installing it... :-(