topic Re: Palo Alto and Duplicate Packets in General Topics https://live.paloaltonetworks.com/t5/general-topics/palo-alto-and-duplicate-packets/m-p/41389#M30422 <HTML><HEAD></HEAD><BODY><P>I think thats expected behaviour regarding volume counting.</P><P></P><P>I mean thats what I would expect it to do if the PA box were in inline mode (lets say vwire).</P><P></P><P>TCP session 1 sends packets (lets say 100 bytes each): 1, 2, 3, 4, 5, 6 = 600 bytes in total and 6 packets.</P><P></P><P>TCP session 2 sends packets (duplicates): 1, 1, 2, 2, 3, 3 = also 600 bytes in total and 6 packets which has pass the unit.</P><P></P><P>Otherwise I think you would also end up with broken stats like regarding bandwidth utilization.</P><P></P><P>Lets say someone tries to DDoS your setup and send the very same packet 1953125 of them per second (64 byte packets). This would fill up your 1Gbit/s link and I would expect the PA device to show just this that the bandwidth consumed is 1Gbit/s and not 512 bit/s.</P></BODY></HTML> Fri, 16 Nov 2012 08:59:42 GMT mikand 2012-11-16T08:59:42Z Palo Alto and Duplicate Packets https://live.paloaltonetworks.com/t5/general-topics/palo-alto-and-duplicate-packets/m-p/41388#M30421 <HTML><HEAD></HEAD><BODY><P>How does Palo Alto handle Duplicate Packets? In our scenario, we have one interface running in TAP mode.&nbsp; We are using a port aggregator to shove spans/taps from multiple locations in our network to this one TAP mode interface.&nbsp; Doing this, the PA should be receiving duplicate packets when the stream of data flows past 2(or more) of the spans/taps that we have in place.&nbsp; Looking at the logs, the PA doesn't look like it creates duplicate log entries, but I have a feeling it may be taking those duplicate packets and adding the "Bytes" and "Packets" data ON TOP of the original session data in the traffic log.</P></BODY></HTML> Thu, 15 Nov 2012 16:50:34 GMT https://live.paloaltonetworks.com/t5/general-topics/palo-alto-and-duplicate-packets/m-p/41388#M30421 jambulo 2012-11-15T16:50:34Z Re: Palo Alto and Duplicate Packets https://live.paloaltonetworks.com/t5/general-topics/palo-alto-and-duplicate-packets/m-p/41389#M30422 <HTML><HEAD></HEAD><BODY><P>I think thats expected behaviour regarding volume counting.</P><P></P><P>I mean thats what I would expect it to do if the PA box were in inline mode (lets say vwire).</P><P></P><P>TCP session 1 sends packets (lets say 100 bytes each): 1, 2, 3, 4, 5, 6 = 600 bytes in total and 6 packets.</P><P></P><P>TCP session 2 sends packets (duplicates): 1, 1, 2, 2, 3, 3 = also 600 bytes in total and 6 packets which has pass the unit.</P><P></P><P>Otherwise I think you would also end up with broken stats like regarding bandwidth utilization.</P><P></P><P>Lets say someone tries to DDoS your setup and send the very same packet 1953125 of them per second (64 byte packets). This would fill up your 1Gbit/s link and I would expect the PA device to show just this that the bandwidth consumed is 1Gbit/s and not 512 bit/s.</P></BODY></HTML> Fri, 16 Nov 2012 08:59:42 GMT https://live.paloaltonetworks.com/t5/general-topics/palo-alto-and-duplicate-packets/m-p/41389#M30422 mikand 2012-11-16T08:59:42Z