https://live.paloaltonetworks.com/t5/general-topics/does-policy-blocking-deny-huge-traffic-cause-high-cpu/m-p/182446#M56192 <P>FYI DoS mitigation in Zone Protection uses less resources than DoS Protection policy.</P> Wed, 18 Oct 2017 02:21:36 GMT Raido_Rattameister 2017-10-18T02:21:36Z https://live.paloaltonetworks.com/t5/general-topics/does-policy-blocking-deny-huge-traffic-cause-high-cpu/m-p/181655#M56067 <P>I have a PAN 200 at sales office, I have temp deny policy in place as I saw huge traffic (Genetec Traffic) from/to a specific destination/source.</P><P>But I still see High CPU causing the Firewall to Reboot and which triggered Site Down Alerts( Downstream device lost connection).</P><P>&nbsp;</P><P>Does the Deny Policy for huge traffic (Number of Packets or Size of traffic) cause CPU Utilization by any means?</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Fri, 13 Oct 2017 05:52:49 GMT https://live.paloaltonetworks.com/t5/general-topics/does-policy-blocking-deny-huge-traffic-cause-high-cpu/m-p/181655#M56067 sandeep.paul 2017-10-13T05:52:49Z https://live.paloaltonetworks.com/t5/general-topics/does-policy-blocking-deny-huge-traffic-cause-high-cpu/m-p/181686#M56069 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/73435">@sandeep.paul</a>,</P> <P>&nbsp;</P> <P>In short, yes it does.</P> <P>&nbsp;</P> <P>It's far less CPU consuming to block the traffic&nbsp;before checking policy.&nbsp;</P> <P>For example with zone-protection or dos-protection.</P> <P>&nbsp;</P> <P>Cheers,</P> <P>-Kiwi.</P> Fri, 13 Oct 2017 07:30:32 GMT https://live.paloaltonetworks.com/t5/general-topics/does-policy-blocking-deny-huge-traffic-cause-high-cpu/m-p/181686#M56069 kiwi 2017-10-13T07:30:32Z https://live.paloaltonetworks.com/t5/general-topics/does-policy-blocking-deny-huge-traffic-cause-high-cpu/m-p/181788#M56083 Thanks Kiwi, is it documented anywhere. Please let me know if you have any link. Fri, 13 Oct 2017 16:16:11 GMT https://live.paloaltonetworks.com/t5/general-topics/does-policy-blocking-deny-huge-traffic-cause-high-cpu/m-p/181788#M56083 sandeep.paul 2017-10-13T16:16:11Z https://live.paloaltonetworks.com/t5/general-topics/does-policy-blocking-deny-huge-traffic-cause-high-cpu/m-p/181789#M56084 You mean zone protection will not have traffic going through the policy? Fri, 13 Oct 2017 16:17:38 GMT https://live.paloaltonetworks.com/t5/general-topics/does-policy-blocking-deny-huge-traffic-cause-high-cpu/m-p/181789#M56084 sandeep.paul 2017-10-13T16:17:38Z https://live.paloaltonetworks.com/t5/general-topics/does-policy-blocking-deny-huge-traffic-cause-high-cpu/m-p/181907#M56100 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/73435">@sandeep.paul</a>,</P><P>I'm not sure if it's directly documented everywhere. Just from a get go through the processing goes in different steps, so zone protection and DOS policies are monitored prior to the secuirty policies when you look at how the traffic is actually processed. The quicker you can have your firewall drop any traffic that would get denied the better from a processing standpoint.&nbsp;</P><P>If you have a large amount of traffic (lets say a DoS attack) that sits there and hammers a deny rule within your security policies, it would be much better from a processing standpoint to have that traffic get blocked by a DoS profile or a zone protection profile then actually making it to the security policy, as it has to process far fewer things in that scenario.&nbsp;</P> Sun, 15 Oct 2017 02:59:54 GMT https://live.paloaltonetworks.com/t5/general-topics/does-policy-blocking-deny-huge-traffic-cause-high-cpu/m-p/181907#M56100 BPry 2017-10-15T02:59:54Z https://live.paloaltonetworks.com/t5/general-topics/does-policy-blocking-deny-huge-traffic-cause-high-cpu/m-p/182446#M56192 <P>FYI DoS mitigation in Zone Protection uses less resources than DoS Protection policy.</P> Wed, 18 Oct 2017 02:21:36 GMT https://live.paloaltonetworks.com/t5/general-topics/does-policy-blocking-deny-huge-traffic-cause-high-cpu/m-p/182446#M56192 Raido_Rattameister 2017-10-18T02:21:36Z https://live.paloaltonetworks.com/t5/general-topics/does-policy-blocking-deny-huge-traffic-cause-high-cpu/m-p/182506#M56209 <P>Thanks Raido,</P><P>&nbsp;</P><P>Let's say specific IP traffic to be mitigated through Zone protection, can we do it on PA?</P> Wed, 18 Oct 2017 09:47:48 GMT https://live.paloaltonetworks.com/t5/general-topics/does-policy-blocking-deny-huge-traffic-cause-high-cpu/m-p/182506#M56209 sandeep.paul 2017-10-18T09:47:48Z https://live.paloaltonetworks.com/t5/general-topics/does-policy-blocking-deny-huge-traffic-cause-high-cpu/m-p/182538#M56216 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/73435">@sandeep.paul</a>,</P><P>You can not specify IPs in Zone Protection, that would be a DoS policy configuration instead of Zone Protection policy.&nbsp;</P> Wed, 18 Oct 2017 13:46:26 GMT https://live.paloaltonetworks.com/t5/general-topics/does-policy-blocking-deny-huge-traffic-cause-high-cpu/m-p/182538#M56216 BPry 2017-10-18T13:46:26Z