topic Re: Zone protection flood thresholds in Advanced Threat Prevention Discussions

Zone protection flood thresholds

dkordyban — Sun, 20 Jun 2021 12:33:30 GMT

I get ICMP and UDP flood alert messages from my external zone protection profile all the time. It does not seem to impact production - but not totally sure on that though.

We just have 1 - 5220, no Panarama. Anyone have any advise as to how best to collect CPS values for my environment or best practice baseline numbers I could plug in here to help prevent firewall performance degradation, but not too restrictive as to block legit traffic.

Thanks so much for your time.

Re: Zone protection flood thresholds

mivaldi — Mon, 21 Jun 2021 19:38:50 GMT

https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/zone-protection-and-dos-protection/zone-defense/take-baseline-cps-measurements-for-setting-flood-thresholds

Palo Alto Networks Professional Services can also assist with this task.

Re: Zone protection flood thresholds

dkordyban — Mon, 21 Jun 2021 20:23:34 GMT

Thanks for your response.

I think I will call in a support ticket. When I run show counter interface for my outside public DMZ interface all of the CPS counters show 0 or 2

Interface: ethernet1/4
--------------------------------------------------------------------------------

--------------------------------------------------------------------------------
Physical port counters read from MAC:
--------------------------------------------------------------------------------
rx-broadcast 6850014
rx-bytes 80666157310
rx-multicast 187961
rx-unicast 88233605
tx-broadcast 51326
tx-bytes 40087463553
tx-multicast 0
tx-unicast 68106486
--------------------------------------------------------------------------------

--------------------------------------------------------------------------------
Detailed physical port counters read from MAC:
--------------------------------------------------------------------------------
snmpBcmReceivedPkts1024to1518Octets 49439268
lines 1-21 snmpBcmReceivedPkts128to255Octets 17757018 lines 2-22
lines 3-22 snmpBcmReceivedPkts256to511Octets 4311305 lines 4-23
lines 5-23 snmpBcmReceivedPkts512to1023Octets 4452079 lines 6-24
lines 7-24 snmpBcmReceivedPkts64Octets 12371256 lines 8-25
lines 9-25 snmpBcmReceivedPkts65to127Octets 6940654 lines 10-26
lines 11-26 snmpBcmRxFecCorrectable 2945731321
snmpBcmRxFecUncorrectable 1152357450
snmpBcmTransmittedPkts1024to1518Octets 22063636
snmpBcmTransmittedPkts128to255Octets 7602117
snmpBcmTransmittedPkts256to511Octets 5070261
snmpBcmTransmittedPkts512to1023Octets 4083105
snmpBcmTransmittedPkts64Octets 20225490
snmpBcmTransmittedPkts65to127Octets 9113203
snmpBcmTransmittedUndersizePkts 52772
snmpDot1dTpPortInFrames 95271580
snmpDot1dTpPortOutFrames 68157812
snmpEtherStatsBroadcastPkts 6901340
lines 27-38 snmpEtherStatsMulticastPkts 187961
snmpEtherStatsOctets 120753620863
snmpEtherStatsPkts 163429392
snmpEtherStatsPkts1024to1518Octets 71502904
snmpEtherStatsPkts128to255Octets 25359135
snmpEtherStatsPkts256to511Octets 9381566
snmpEtherStatsPkts512to1023Octets 8535184
snmpEtherStatsPkts64Octets 32596746
snmpEtherStatsPkts65to127Octets 16053857
snmpEtherStatsRXNoErrors 95271580
snmpEtherStatsTXNoErrors 68157812
snmpIfHCInBroadcastPkts 6850014
lines 39-50 snmpIfHCInMulticastPkts 187961
snmpIfHCInOctets 80666157310
snmpIfHCInUcastPkts 88233605
snmpIfHCOutBroadcastPckts 51326
snmpIfHCOutOctets 40087463553
snmpIfHCOutUcastPkts 68106486
snmpIfInBroadcastPkts 6850014
snmpIfInMulticastPkts 187961
snmpIfInNUcastPkts 7037975
snmpIfInOctets 80666157310
snmpIfInUcastPkts 88233605
snmpIfOutBroadcastPkts 51326
snmpIfOutNUcastPkts 51326
snmpIfOutOctets 40087463553
lines 51-64 snmpIfOutUcastPkts 68106486
--------------------------------------------------------------------------------

Hardware interface counters read from CPU:
--------------------------------------------------------------------------------
bytes received 59921385220
bytes transmitted 35981034299
packets received 83423989
packets transmitted 58817672
receive incoming errors 0
receive discarded 0
receive errors 174
packets dropped 0
--------------------------------------------------------------------------------

Logical interface counters read from CPU:
--------------------------------------------------------------------------------
bytes received 59921373488
bytes transmitted 35981034386
packets received 83423801
packets transmitted 58817673
receive errors 0
lines 65-86 packets dropped 458318
packets dropped by flow state check 90
forwarding errors 0
no route 0
arp not found 107603
neighbor not found 0
neighbor info pending 0
mac not found 0
packets routed to different zone 7233
land attacks 0
ping-of-death attacks 0
teardrop attacks 0
ip spoof attacks 0
mac spoof attacks 0
ICMP fragment 0
layer2 encapsulated packets 0
layer2 decapsulated packets 0
tcp cps 0
udp cps 0
sctp cps 0
other cps 0
--------------------------------------------------------------------------------

Re: Zone protection flood thresholds

dkordyban — Fri, 25 Jun 2021 14:45:50 GMT

I've been told by support that running "show session info" - Number of active TCP sessions, Number of active UDP sessions, Number of active ICMP sessions periodically over 30 days will give accurate data for configuring zone protection profiles. We have all of our L3 networks terminated on the firewall.

The output is not broken down by interface. My zone protection profile is only applied to DMZ - public facing interface. Any know how I could get accurate CPS info for just one interface (DMZ)

Thanks

Re: Zone protection flood thresholds

mivaldi — Fri, 25 Jun 2021 18:40:34 GMT

Here's another resource that can be helpful:

https://github.com/gogasvig/cpsmine

Re: Zone protection flood thresholds

Gaeta589 — Mon, 05 Jul 2021 09:22:44 GMT

In this example, you enable the zone-syn-flood protection screen option and set set security screen ids-option zone-syn-flood tcp syn-flood source-threshold.

Walgreenslistens

Re: Zone protection flood thresholds

Sec101 — Sat, 11 Sep 2021 02:18:26 GMT

show counter interface (interface name here)---view the cps--- and divide that number by two (apparently that shows twice the actual rate). Do this with each interface in the given zone that you have, and then add them up- that is your cps- the number you can use as a baseline to start with your zone protection for the alert rate ( give or take 10%)

Take alert rate and add 10-20% for activate rate.

take activate rate and add 20-30% for max rate-careful with this.

Running a show session info shows the entire firewall and I'm not sure why some of the documentation hasn't addressed this when a zone could cover 1 or multiple interfaces, not a single zone.