CPS calculation per server

raji_toor
L4 Transporter

CPS calculation per server

"Log at Session End, captures the number of connections at the session end."

I am a little confused by this statement. How does 'Log at Session End' help in calculating CPS for a server?

And what other method can I specifically use on the firewall for CPS calculation for a specific server?
BPry
Cyber Elite

@raji_toor,

If all of your session traffic is logged you can get a rough idea of what your traffic stats are for a given host or just in general. I would recommend just filtering the session info for a given server and scripting an automated pull of the information on a regular basis to form a longer average. Netflow or a PCAP is always going to be the most accurate method of determining traffic stats though.

 

Keep in mind that you can always use the 'alert' value and adjust from there to narrow in on what your activate and maximum values actually need to be. 

Marianaa
L0 Member

Guys, so this is a question I've had for quite a while. Like what's the best way to get connection per second counts? What should the settings on scan protection be? Why do the firewalls not always identify known scans?

I've actually worked for Palo Alto for some time and was never able to get good answers to this. Can any one of you help me out, as it's becoming really relevant to me now? Thanks

StevenKnight
L0 Member

Thanks for the information.. . . tell pizza hut

raji_toor
L4 Transporter

@BPry I have set up netflow with PRTG but I am not sure what I am looking for in here that can give me the numbers to use in the DoS profile.

[image.png]

Screenshot from Top Connections

[image.png]

Also I can script it as well, but what do I do with this? Do I count the number of sessions to the server at regular intervals for this output?

 

show session all filter destination X.X.X.129

--------------------------------------------------------------------------------
ID Application State Type Flag Src[Sport]/Zone/Proto (translated IP[Port])
Vsys Dst[Dport]/Zone (translated IP[Port])
--------------------------------------------------------------------------------
1368583 ssl ACTIVE FLOW ND 113.173.225.13[51541]/EXTERNAL/6 (113.173.225.13[51541])
vsys1 X.X.X.129[443]/DMZN (192.168.8.30[443])
140406 ssl ACTIVE FLOW ND 209.121.37.106[52465]/EXTERNAL/6 (209.121.37.106[52465])
vsys1 X.X.X.129[443]/DMZN (192.168.8.30[443])
1381933 ssl ACTIVE FLOW ND 96.48.142.40[60647]/EXTERNAL/6 (96.48.142.40[60647])
vsys1 X.X.X.129[443]/DMZN (192.168.8.30[443])
1594610 ssl ACTIVE FLOW ND 50.98.173.15[61753]/EXTERNAL/6 (50.98.173.15[61753])
vsys1 X.X.X.129[443]/DMZN (192.168.8.30[443])
3862404 ssl ACTIVE FLOW ND 50.68.197.84[55053]/EXTERNAL/6 (50.68.197.84[55053])
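
An added example, not part of the original thread and not Palo Alto Networks code: one way to turn repeated pulls of the `show session all filter destination` output above into a per-server new-sessions-per-second estimate, by counting session IDs that were absent at the previous poll. The function names and sample addresses are constructed; it assumes a session ID is not reused between two consecutive polls, and sessions that open and close between polls are never seen, so the figure is a lower bound.

```python
import re

# Line 1 of an entry: session ID ... Src[Sport]/Zone/Proto
ENTRY = re.compile(r"^\s*(\d+)\s+\S+\s+.*\[\d+\]/\S+/\d+")
# Line 2 of an entry: Vsys Dst[Dport]/Zone
DEST = re.compile(r"^\s*\S+\s+(\S+?)\[(\d+)\]/\S+")

def parse_sessions(text):
    """Map session ID -> (dst_ip, dst_port); incomplete entries are dropped."""
    sessions, pending = {}, None
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            pending = int(m.group(1))   # wait for the matching Vsys/Dst line
            continue
        d = DEST.match(line)
        if d and pending is not None:
            sessions[pending] = (d.group(1), int(d.group(2)))
        pending = None
    return sessions

def estimate_cps(snapshots, server_ip):
    """snapshots: time-ordered (unix_seconds, cli_text) pairs.
    Returns (poll_time, new_sessions, new_sessions_per_second) per interval."""
    results, prev_ids, prev_t = [], None, None
    for t, text in snapshots:
        ids = {sid for sid, (ip, _) in parse_sessions(text).items() if ip == server_ip}
        if prev_ids is not None:
            new = len(ids - prev_ids)   # IDs not present at the previous poll
            results.append((t, new, new / (t - prev_t)))
        prev_ids, prev_t = ids, t
    return results

# Constructed sample polls (documentation addresses), taken 5 seconds apart.
def _entry(sid, src, dst="198.51.100.129"):
    return (f"{sid} ssl ACTIVE FLOW ND {src}[50000]/EXTERNAL/6 ({src}[50000])\n"
            f"vsys1 {dst}[443]/DMZN (192.168.8.30[443])\n")

POLL_1 = _entry(1001, "203.0.113.5") + _entry(1002, "203.0.113.6")
POLL_2 = (_entry(1002, "203.0.113.6") + _entry(1004, "203.0.113.7")
          + _entry(1005, "203.0.113.8") + _entry(1006, "203.0.113.9", "198.51.100.130")
          # last entry cut off before its Vsys/Dst line, as in the pasted output
          + "1007 ssl ACTIVE FLOW ND 203.0.113.10[50000]/EXTERNAL/6 (203.0.113.10[50000])\n")

if __name__ == "__main__":
    for t, new, cps in estimate_cps([(0, POLL_1), (5, POLL_2)], "198.51.100.129"):
        print(f"t={t}s new_sessions={new} cps>={cps:.2f}")
```

The highest per-interval value over a long collection period is the number to compare against the DoS profile thresholds; a shorter poll interval misses fewer short-lived sessions.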

 

 

raji_toor
L4 Transporter

So I found this (https://github.com/zepryspet/GoPAN) to pull zone based CPS stats using SNMP and I was also able to map this SNMP in PRTG as well.

But pulling data using GoPan gave more data than PRTG as the poll interval is much faster for GoPan. I have to manually sort the data though.

I still don't get how netflow is useful; all I see is bandwidth for HTTPS on filtering for the particular server.

@BPry or someone else, can you suggest what I should be doing for server CPS calculation?
