For details on cookie usage on our site, read our Privacy Policy
All incoming TCP connections blocked for 5 minutes at random times.
- LIVEcommunity
- Discussions
- General Topics
- All incoming TCP connections blocked for 5 minutes at random times.
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Printer Friendly Page
- Mark as New
- Subscribe to RSS Feed
- Permalink
07-01-2020 07:46 AM
At random times all TCP connections from the Internet are blocked (all ports and all IPs) for incoming traffic only. Websites, mail servers etc are not accessible from the Internet. UDP and ICMP are not affected. What could be causing this?
- Mark as New
- Subscribe to RSS Feed
- Permalink
07-06-2020 01:28 PM
Have you tried increasing the thresholds under SYN Flood Protection then? How high is your firewall on resource utilization? I'm wondering if you might be able to use SYN Cookies instead of Random Early Drop action? Note that I have not tried this myself.
I'm also thinking that you might want to setup SNMP monitoring the DoS counters on the firewall. I recently tried to configure this, but have not had success yet.
- Mark as New
- Subscribe to RSS Feed
- Permalink
07-06-2020 01:43 PM
This article might help. I've been meaning to read it myself and figure out how to setup snmp monitoring for DoS.
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClOKCA0
- Mark as New
- Subscribe to RSS Feed
- Permalink
07-06-2020 01:53 PM
I have increased the threshold from 100 to 500 under Reconnaissance per your suggestion. Will see if that makes a difference.
- Mark as New
- Subscribe to RSS Feed
- Permalink
07-06-2020 01:58 PM
I did not mean the threshold under Reconnaissance Protection. I mean the threshold under Flood Protection. The defaults are 10,000 fro Alarm Rate and Activate, and 40,000 for maximum connections/sec.
- Mark as New
- Subscribe to RSS Feed
- Permalink
07-06-2020 02:13 PM
Those are already pretty high. Alarm and active reates are 59,000. Maximum connections at 100,000.
- Mark as New
- Subscribe to RSS Feed
- Permalink
07-06-2020 04:12 PM
Example of SNMP monitoring. That being said, it is painful / somewhat manual to setup.
- Mark as New
- Subscribe to RSS Feed
- Permalink
09-04-2020 09:28 AM
Thanks to all who responded. I was finally able to resolve this problem by by changing zone protection for Untrust from SYN Cookies to Random Early Drop.
- PA-450 Internet Traffic stops after 15 minutes in General Topics
- Are logs lost when log discarded (queue full) increases? in General Topics
- "end" but no "start" log while session breakdown. logging set to start and end of session in General Topics
- Not using AppID but GP connections are denying on apps for 10 minutes before allowing traffic to work properly in GlobalProtect Discussions
- BGP Session flaps for every 3 minutes - PAN OS in General Topics
Show your appreciation!
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
