topic Re: Zone Protection CPS Calculations - Make ZERO sense in General Topics

Zone Protection CPS Calculations - Make ZERO sense

johnlinkowsky — Wed, 16 Jun 2021 21:06:43 GMT

I have been collecting CPS (total, TCP, UDP, IP) via OIDs using PRTG for ~6 weeks. I have all the data I need (I think). However, the DoS Zone Protection best practice documentation leaves a LOT to be desired as it's not clear.

If anyone has tried to setup zone protection (SYN, UDP, IP, etc.) flood protection, and understand HOW to actually calculate the proper CPS for: Alarm, Activate, Maximum settings please explain the following:

Alarm Rate —Set 15-20% above the average zone CPS rate to accommodate normal fluctuations.
* This I believe I have, as I used the total CPS + 20% higher
Activate —Set just above the zone’s peak CPS rate to begin dropping connections to mitigate floods.
* What does this even mean?? What is "just above" the zones peak CPS rate? Peak rate per day? Per hour? Per decade? Per what?? Makes zero sense.

Maximum —Set to 80-90% of firewall capacity. Account for other resource-consuming features. Crossing this threshold blocks new connections until the CPS rate falls below the threshold.

* How do we figure out the FW capacity?? PA5280 - what is the Maximum FW capacity of what? CPS? The only settings for each FW are: Maximum Sessions, and New Connections per second

Also - the activate MUST be different for UDP, IP, ICMP, etc. How are THOSE configured?

I hope someone has done this successfully and can share their wisdom, as the documentation and TAC isn't very helpful. They just provide the links to the documents about best practices, etc. Not helpful.

Thank you.

Re: Zone Protection CPS Calculations - Make ZERO sense

S.Cantwell — Thu, 17 Jun 2021 14:29:18 GMT

Hi there

Let's take a look at this screen capture

You stated that you have been collecting information. Great. What is the lowest CPS, what is average, and what is the highest CPS.

If you are able to answer these questions, then you should be able to determine

HOW MANY CONNECTIONS DO YOU WANT TO HAVE INBOUND TO YOUR FW?. And when do you want to limit if that number increases.

You asked about the Activate number. How many CPS (not per day, per week, month.. but per second).... how many connection per second do you want being allowed by the FW.

As for UDP traffic. Do you have much coming inbound from the Internet? Is this the area you need to focus on?

Or will it be TCP/IP, in which Syn Cookies is what you want. A client MUST provide a 3 way handshake to make a connection. So do you want to allow 1000 unanswered SYNs (known as Syn Floods) before you start to drop/restrict.

My suggestion is that you go into the Beacon training website (beacon.paloaltonetworks.com) and look at PANW 110 module on "block packet attacks" module to assist you.

Thanks

Re: Zone Protection CPS Calculations - Make ZERO sense

johnlinkowsky — Mon, 21 Jun 2021 19:47:51 GMT

Thank you for the reply @S.Cantwell . However, many of these questions cannot be answered.

How many connections do I want inbound? - As many as needed that are legitimate. There is no way to answer this, as traffic increases/decreases all the time.
How many CPS do I want being allowed by the FW? - Again, as many as needed as long as they are legit. There is no 'set' number.
UDP traffic - is this an area that need to be focused on? - what does that mean? We don't want UDP flooding inbound to our FW.
I agree with the 3 way handshake. I'm not sure a 'good number' to allow before we start to drop it. How do we know what a 'good number' would be to set this with?

I will check out the Beacon module, as soon as my access to that site is fixed. Currently have a ticket open.

Thanks,

John L.

Re: Zone Protection CPS Calculations - Make ZERO sense

S.Cantwell — Mon, 21 Jun 2021 20:47:27 GMT

@johnlinkowsky

If you want, I am available for a zoom session. Just tell me when you want to chat and I will send you a Zoom link to discuss this. I am available after 3pm CST on a daily basis.

Thanks.

Re: Zone Protection CPS Calculations - Make ZERO sense

johnlinkowsky — Tue, 22 Jun 2021 20:25:55 GMT

Thank you @S.Cantwell - much appreciated.

I'm available tomorrow (6/23) at 4:30PM ET (3:30pm CT) if that works for you. I've been hounding my PA team about this, and they have not been able to find anyone who can explain this to me. They have admitted that they have poor resources on this topic.

I'll take any help I can get.

Thanks,

John L.

Re: Zone Protection CPS Calculations - Make ZERO sense

S.Cantwell — Tue, 22 Jun 2021 22:15:32 GMT

John,

send me a PM (and confirm your account is set up for PMs) and I will send you a zoom link