CPS calculation per server

Showing results for 
Show  only  | Search instead for 
Did you mean: 

CPS calculation per server

L4 Transporter
'Log at Session End, captures the number of connections at the session end." 
I am little confused by this statement. How does 'Log at Session End' help in calculating CPS for a server.
And what other method can I specifically use on the firewall for CPS calculation for a specific server.

Cyber Elite
Cyber Elite


If all of your session traffic is logged you can get a rough idea of what your traffic stats are for a given host or just in general. I would recommend just filtering the session info for a given server and scripting an automated pull of the information on a regular basis to form a longer average. Netflow or a PCAP is always going to be the most accurate method of determine traffic stats tough. 


Keep in mind that you can always use the 'alert' value and adjust from there to narrow in on what your activate and maximum values actually need to be. 

L0 Member

Guys, so this is a question I've had for quite a while. Like what's the best way to get connection per second counts? What should the settings on scan protection be? Why do the firewalls not always identify known scans?

I've actually worked for Palo Alto for some time and was never able to get good answers to this. Can any one of you help me out, as it's becoming really relevant to me now? Thanks

Thanks for the information.. . . tell pizza hut

@BPry  I have setup netflow with PRTG but not sure what I am looking for in here that can give me the numbers to use for in the DoS profile. 




Screenshot from Top Connections





Also I can script it as well but what do I do with this. Do I count the number of sessions to the server at regular interval for this output.


show session all filter destination X.X.X.129

ID Application State Type Flag Src[Sport]/Zone/Proto (translated IP[Port])
Vsys Dst[Dport]/Zone (translated IP[Port])
1368583 ssl ACTIVE FLOW ND[51541]/EXTERNAL/6 ([51541])
vsys1 X.X.X.129[443]/DMZN ([443])
140406 ssl ACTIVE FLOW ND[52465]/EXTERNAL/6 ([52465])
vsys1 X.X.X.129[443]/DMZN ([443])
1381933 ssl ACTIVE FLOW ND[60647]/EXTERNAL/6 ([60647])
vsys1 X.X.X.129[443]/DMZN ([443])
1594610 ssl ACTIVE FLOW ND[61753]/EXTERNAL/6 ([61753])
vsys1 X.X.X.129[443]/DMZN ([443])
3862404 ssl ACTIVE FLOW ND[55053]/EXTERNAL/6 ([55053])



So I found this(https://github.com/zepryspet/GoPAN) to pull zone based CPS stats using snmp and I was also able to map this SNMP in PRTG as well.

But pulling data using GoPan gave more data than PRTG as poll interval is much faster for GoPan. I have to manually sort data though


I still don't get how netflow is usefull, all I see is bandwidth for HTTPS on filtering for the particular server. 


@BPry or someone else can suggest what i should be doing for sever CPS calculation

Panorama has a CPS monitor built in- but that monitors CPS for the entire firewall not for the zone in question.  

  • 6 replies
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!