I am a newbie to the Pan-OS and would like to fine tune the Zone Protection profile - Syn flood settings, etc. based on our average peak traffic (packets per second). What is the easiest way to determine the average peak packets per second?
You will get the packet rate from CLI command:
admin@PAN> show session info | match rate
Packet rate: 4/s >>>>>>>>>>>>>>>
New connection establish rate: 0 cps
Session accelerated aging: True
Accelerated aging threshold: 80% of utilization
Pcap token bucket rate : 10485760
You can use the ACC report to get traffic trend through your PAN firewall ( based on session, Byte,Threat).
Protection profile settings apply to the ingress zone (i.e. the zone where traffic enters the firewall). Zone protection settings apply to all interfaces within the zone for which the profile is configured.:
For your reference:
Note: Zone protection is only enforced when there is no session match for the packet. If the packet matches an existing session, it will bypass the zone protection setting.
Thanks for the tip!
So, if my packet rate hovers between 200-800 s , is it safe to assume that the defaults of 10,000 in Zone Protection profile are too high of threshold? What would be ideal?
I do agree that 10,000 packet/sec would be high compared to the current packet rate. But, also I would recommend you to take a statistics of packet rate for last 7 days and accordingly configure a safe limit on your production PAN firewall.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!