topic Re: CPS calculation per server in General Topics

CPS calculation per server

raji_toor — Mon, 30 Nov 2020 18:01:02 GMT

'Log at Session End, captures the number of connections at the session end."

I am little confused by this statement. How does 'Log at Session End' help in calculating CPS for a server.

https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/zone-protection-and-dos-protection/zone-defense/take-baseline-cps-measurements-for-setting-flood-thresholds/how-to-measure-cps.html

And what other method can I specifically use on the firewall for CPS calculation for a specific server.

Re: CPS calculation per server

BPry — Tue, 01 Dec 2020 00:13:46 GMT

@raji_toor,

If all of your session traffic is logged you can get a rough idea of what your traffic stats are for a given host or just in general. I would recommend just filtering the session info for a given server and scripting an automated pull of the information on a regular basis to form a longer average. Netflow or a PCAP is always going to be the most accurate method of determine traffic stats tough.

Keep in mind that you can always use the 'alert' value and adjust from there to narrow in on what your activate and maximum values actually need to be.

Re: CPS calculation per server

Marianaa — Tue, 01 Dec 2020 04:58:06 GMT

Guys, so this is a question I've had for quite a while. Like what's the best way to get connection per second counts? What should the settings on scan protection be? Why do the firewalls not always identify known scans?

I've actually worked for Palo Alto for some time and was never able to get good answers to this. Can any one of you help me out, as it's becoming really relevant to me now? Thanks

Re: CPS calculation per server

StevenKnight — Wed, 02 Dec 2020 06:21:53 GMT

Thanks for the information.. . . tell pizza hut

Re: CPS calculation per server

raji_toor — Tue, 01 Dec 2020 15:18:31 GMT

@BPry I have setup netflow with PRTG but not sure what I am looking for in here that can give me the numbers to use for in the DoS profile.

Screenshot from Top Connections

Also I can script it as well but what do I do with this. Do I count the number of sessions to the server at regular interval for this output.

show session all filter destination X.X.X.129

--------------------------------------------------------------------------------
ID Application State Type Flag Src[Sport]/Zone/Proto (translated IP[Port])
Vsys Dst[Dport]/Zone (translated IP[Port])
--------------------------------------------------------------------------------
1368583 ssl ACTIVE FLOW ND 113.173.225.13[51541]/EXTERNAL/6 (113.173.225.13[51541])
vsys1 X.X.X.129[443]/DMZN (192.168.8.30[443])
140406 ssl ACTIVE FLOW ND 209.121.37.106[52465]/EXTERNAL/6 (209.121.37.106[52465])
vsys1 X.X.X.129[443]/DMZN (192.168.8.30[443])
1381933 ssl ACTIVE FLOW ND 96.48.142.40[60647]/EXTERNAL/6 (96.48.142.40[60647])
vsys1 X.X.X.129[443]/DMZN (192.168.8.30[443])
1594610 ssl ACTIVE FLOW ND 50.98.173.15[61753]/EXTERNAL/6 (50.98.173.15[61753])
vsys1 X.X.X.129[443]/DMZN (192.168.8.30[443])
3862404 ssl ACTIVE FLOW ND 50.68.197.84[55053]/EXTERNAL/6 (50.68.197.84[55053])

Re: CPS calculation per server

raji_toor — Wed, 02 Dec 2020 16:59:37 GMT

So I found this(https://github.com/zepryspet/GoPAN) to pull zone based CPS stats using snmp and I was also able to map this SNMP in PRTG as well.

But pulling data using GoPan gave more data than PRTG as poll interval is much faster for GoPan. I have to manually sort data though

I still don't get how netflow is usefull, all I see is bandwidth for HTTPS on filtering for the particular server.

@BPry or someone else can suggest what i should be doing for sever CPS calculation

Re: CPS calculation per server

Sec101 — Fri, 10 Sep 2021 02:20:59 GMT

Panorama has a CPS monitor built in- but that monitors CPS for the entire firewall not for the zone in question.