10-12-2017 10:52 PM - edited 10-12-2017 10:52 PM
I have a PA-200 at a sales office, and I have a temporary deny policy in place as I saw huge traffic (Genetec traffic) from/to a specific destination/source.
But I still see high CPU causing the firewall to reboot, which triggered site-down alerts (downstream device lost connection).
Does a deny policy for huge traffic (number of packets or size of traffic) cause CPU utilization by any means?
10-13-2017 12:30 AM - edited 10-13-2017 12:30 AM
Hi @sandeep.paul,
In short, yes it does.
It's far less CPU-consuming to block the traffic before checking policy, for example with zone protection or DoS protection.
Cheers,
-Kiwi.
10-14-2017 07:59 PM
I'm not sure if it's directly documented everywhere. But from the get-go, processing goes in different steps, so zone protection and DoS policies are monitored prior to the security policies when you look at how the traffic is actually processed. The quicker you can have your firewall drop any traffic that would get denied, the better from a processing standpoint.
If you have a large amount of traffic (let's say a DoS attack) that sits there and hammers a deny rule within your security policies, it would be much better from a processing standpoint to have that traffic get blocked by a DoS profile or a zone protection profile than actually making it to the security policy, as it has to process far fewer things in that scenario.
10-17-2017 07:21 PM
FYI, DoS mitigation in Zone Protection uses fewer resources than a DoS Protection policy.
10-18-2017 02:47 AM - edited 10-18-2017 02:47 AM
Thanks Raido,
Let's say specific IP traffic is to be mitigated through Zone Protection; can we do it on PA?
10-18-2017 06:46 AM
You cannot specify IPs in Zone Protection; that would be a DoS policy configuration instead of a Zone Protection policy.
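The two layers discussed in this thread, as an added configuration example that is not from any of the posts above: a Zone Protection profile on the ingress zone (zone-wide, no IP match, dropped earliest) and a DoS Protection rule that names the specific source/destination pair the original poster is seeing, which is the layer where an IP can be specified. Zone names (`untrust`, `trust`), the two example addresses, the profile and rule names, and the rate thresholds are all assumptions; the keywords are PAN-OS 8.x CLI syntax written from memory and should be checked against the admin guide for the release on the PA-200 before use.

```text
# Added example, not from the thread. Assumed: zones "untrust"/"trust",
# remote Genetec peer 203.0.113.25, local camera host 10.1.1.50.
# Rate values are placeholders; size them from your own traffic baseline.

# 1. Zone Protection: applied per zone, no source/destination match.
#    Flood packets above the threshold are discarded before any policy lookup.
set network profiles zone-protection-profile zpp-untrust flood tcp-syn enable yes
set network profiles zone-protection-profile zpp-untrust flood tcp-syn red alarm-rate 10000
set network profiles zone-protection-profile zpp-untrust flood tcp-syn red activate-rate 10000
set network profiles zone-protection-profile zpp-untrust flood tcp-syn red maximal-rate 40000
set zone untrust network zone-protection-profile zpp-untrust

# 2. DoS Protection policy: evaluated before security policy and able to
#    match specific addresses. A rule with action "deny" drops the pair
#    outright, replacing the temporary deny rule in the security policy.
set rulebase dos rules block-genetec from untrust to trust
set rulebase dos rules block-genetec source 203.0.113.25 destination 10.1.1.50
set rulebase dos rules block-genetec source-user any service any schedule none
set rulebase dos rules block-genetec action deny

# 2b. Alternative if the traffic is legitimate but bursty: rate-limit the
#     source instead of denying it, with a classified profile tracked per source IP.
set profiles dos-protection dos-classified type classified
set profiles dos-protection dos-classified flood tcp-syn enable yes
set profiles dos-protection dos-classified flood tcp-syn red alarm-rate 2000
set profiles dos-protection dos-classified flood tcp-syn red activate-rate 2000
set profiles dos-protection dos-classified flood tcp-syn red maximal-rate 5000
set rulebase dos rules limit-genetec from untrust to trust
set rulebase dos rules limit-genetec source 203.0.113.25 destination 10.1.1.50
set rulebase dos rules limit-genetec source-user any service any schedule none
set rulebase dos rules limit-genetec action protect
set rulebase dos rules limit-genetec protection classified profile dos-classified classification-criteria address source-ip-only
commit

# 3. Verify the rule is being hit and that data-plane CPU has come down.
show dos-protection rule block-genetec statistics
show running resource-monitor minute last 5
```

Keep only one of the two DoS rules (deny or protect) for the same source/destination pair; the rulebase is evaluated top down and the first match wins. Because both layers act before the security policy lookup, the CPU spent per dropped packet is what the thread's replies are comparing, not whether the packet is ultimately denied.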