https://live.paloaltonetworks.com/t5/general-topics/question-about-multicast-not-receiving-ip-flood-urgent-action/m-p/271565#M74841 <P>Hi Otakar,</P><P>&nbsp;</P><P><SPAN>When we enabled our LAN interface to be part of multicasting&nbsp; other IP flood threats get started and same is drops in zone protection in critical category and which also spike up my data plane CPU by 10 %</SPAN></P><P>&nbsp;</P><P><SPAN>Also we removed zone protection from LAN zone and enabled multicast , then our firewall goes on toss i.e. it disturb my CPU as well as other protocol like BGP.</SPAN></P><P>&nbsp;</P><P><SPAN>In customer environment they have configured Dos policy from WAN to LAN zone, and also Zone protection profile for LAN zone as well as WAN zone ..?? (Is this a recomended way for using both Dos and Zone protection profile ?)</SPAN></P><P>&nbsp;</P><P><SPAN>Regards,</SPAN></P><P><SPAN>Sethupathi M</SPAN></P> Thu, 20 Jun 2019 07:11:07 GMT Sethupathi 2019-06-20T07:11:07Z https://live.paloaltonetworks.com/t5/general-topics/question-about-multicast-not-receiving-ip-flood-urgent-action/m-p/270508#M74720 <P>Hi Team,</P><P>&nbsp;</P><P><SPAN>we have done multicast configuration and we are unable to receive multicast through firewall PA-3060. Also whenever we did add our LAN interface into multicast configuration “ other IP flood” critical threat gets started into that particular LAN as shown below. Kindly help me to resolved the same.</SPAN></P><P>&nbsp;</P><P><SPAN>Scenario as below,</SPAN></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="1st network diagram.png" style="width: 710px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/20402i2C215543E6621157/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="1st network diagram.png" alt="1st network diagram.png" /></span></P><OL><LI><SPAN>Requirement as per diagram: PA-3060 WAN interface should receive multicast traffic via ae1.3013 interface and should forward the same to LAN subnet i.e.ae2.3 interface</SPAN></LI></OL><P><EM><FONT color="#339966">As per above scenario which interface should I add the RP typeae1.3013 or ae2.3 ..??</FONT></EM></P><P>&nbsp;</P><OL><LI><SPAN>We have done following configuration.</SPAN></LI></OL><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="2nd.png" style="width: 666px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/20403iE6C18A167F6E8164/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="2nd.png" alt="2nd.png" /></span><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="3rd.png" style="width: 699px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/20406iACA75A63FDAAFE9E/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="3rd.png" alt="3rd.png" /></span><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="4th.png" style="width: 691px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/20405iFD0879D0874A0E5C/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="4th.png" alt="4th.png" /></span><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="5th.png" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/20404i2D5CE974BBE60FB2/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="5th.png" alt="5th.png" /></span></P><P>&nbsp;</P><OL><LI><SPAN>Whenever we did configure ae2.3 in multicast configuration other IP flood started in OFT-LAN subnet and dataplane CPU spike up.</SPAN></LI></OL><P><SPAN><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="6th.png" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/20408i8FC87D20E39AAC3C/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="6th.png" alt="6th.png" /></span><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="7th.png" style="width: 707px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/20409iE9A3738932375F59/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="7th.png" alt="7th.png" /></span><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="8th.png" style="width: 316px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/20407i19C3BA7F59AE012D/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="8th.png" alt="8th.png" /></span></SPAN></P><P>&nbsp;</P><P><FONT color="#339966"><EM>Should I increes the SYN alarm rate or disable the SYN in zone protection here? (IS THAT CORRECT?)</EM></FONT></P><P>NOTE: we have&nbsp;PA-3060 modal with PAN-OS&nbsp;8.0.16</P><P>&nbsp;</P><P>Could you please provide your valuable suggestion here to fix an issue.</P><P>&nbsp;</P><P>Regards,</P><P>Sethupathi M</P> Mon, 17 Jun 2019 11:12:08 GMT https://live.paloaltonetworks.com/t5/general-topics/question-about-multicast-not-receiving-ip-flood-urgent-action/m-p/270508#M74720 Sethupathi 2019-06-17T11:12:08Z https://live.paloaltonetworks.com/t5/general-topics/question-about-multicast-not-receiving-ip-flood-urgent-action/m-p/270538#M74724 <P>Hi Team,</P><P>&nbsp;</P><P>Can anyone provide your valuable suggestion here please.</P><P>&nbsp;</P><P>Regards,</P><P>Sethupathi M</P> Mon, 17 Jun 2019 13:52:29 GMT https://live.paloaltonetworks.com/t5/general-topics/question-about-multicast-not-receiving-ip-flood-urgent-action/m-p/270538#M74724 Sethupathi 2019-06-17T13:52:29Z https://live.paloaltonetworks.com/t5/general-topics/question-about-multicast-not-receiving-ip-flood-urgent-action/m-p/270856#M74768 <P>Hi Team,</P><P>&nbsp;</P><P>Can anyone help us here, The DOS Protection&nbsp; profile is configured form WAN Zone to LAN Zone, And Zone protection profile is configured for LAN Zone. Is that a cause its getting an Other IP Flood.</P><P>&nbsp;</P><P>Regards,</P><P>Sethupathi M</P> Tue, 18 Jun 2019 11:11:03 GMT https://live.paloaltonetworks.com/t5/general-topics/question-about-multicast-not-receiving-ip-flood-urgent-action/m-p/270856#M74768 Sethupathi 2019-06-18T11:11:03Z https://live.paloaltonetworks.com/t5/general-topics/question-about-multicast-not-receiving-ip-flood-urgent-action/m-p/270933#M74779 <P>Hello,</P><P>Try disabling the Zone protection profile and see if that helps, since its on the internal zone (its usually on the external but internal is not wrong either).</P><P>&nbsp;</P><P>If it helps then its the zone protection profile causing the issue and you just need to make adjustments there.</P><P>&nbsp;</P><P>Regards,</P> Tue, 18 Jun 2019 14:35:03 GMT https://live.paloaltonetworks.com/t5/general-topics/question-about-multicast-not-receiving-ip-flood-urgent-action/m-p/270933#M74779 OtakarKlier 2019-06-18T14:35:03Z https://live.paloaltonetworks.com/t5/general-topics/question-about-multicast-not-receiving-ip-flood-urgent-action/m-p/271565#M74841 <P>Hi Otakar,</P><P>&nbsp;</P><P><SPAN>When we enabled our LAN interface to be part of multicasting&nbsp; other IP flood threats get started and same is drops in zone protection in critical category and which also spike up my data plane CPU by 10 %</SPAN></P><P>&nbsp;</P><P><SPAN>Also we removed zone protection from LAN zone and enabled multicast , then our firewall goes on toss i.e. it disturb my CPU as well as other protocol like BGP.</SPAN></P><P>&nbsp;</P><P><SPAN>In customer environment they have configured Dos policy from WAN to LAN zone, and also Zone protection profile for LAN zone as well as WAN zone ..?? (Is this a recomended way for using both Dos and Zone protection profile ?)</SPAN></P><P>&nbsp;</P><P><SPAN>Regards,</SPAN></P><P><SPAN>Sethupathi M</SPAN></P> Thu, 20 Jun 2019 07:11:07 GMT https://live.paloaltonetworks.com/t5/general-topics/question-about-multicast-not-receiving-ip-flood-urgent-action/m-p/271565#M74841 Sethupathi 2019-06-20T07:11:07Z