I have a question related to both the Zone Protection and DoS Protection features.
I'm testing with a PA-200 and a PA-2050 using the following DoS tool.
I configure this tool to generate lots of UDP packets in a short time and watch how the dataplane CPU usage goes.
I found that the CPU easily reaches 100% (I can confirm this with 'show running resource-monitor second'), and even though protection is working, it still stays at 100% usage.
Also, my other traffic, which should not be affected by protection, cannot reach internet websites via the Palo Alto until I stop the DoS tool and the CPU goes down.
My thought is that this is because detecting packets and dropping packets are handled on the Security Processor.
If I'm correct, how can I decrease the CPU usage while still dropping high-rate packets, and make transactions succeed for other traffic?
If I can't get a good solution on the PA-2000 and lower models, can I get a better result if I use the PA-3000 or PA-5000 series?
Yes, it is natural that the CPU shoots up, because the protection profile you have enabled on the device is taking care of denying it so that the internal network is not affected. In this process the device is getting taxed, not the network, and hence the rise you see.
In DoS protection we have a feature for resource limitation. If we know that we are getting excessive traffic from a certain source address and the device CPU is shooting up, we can limit the number of sessions for it.
Below is a doc which explains how threat prevention is done.
Thanks for your reply.
I tested two more cases.
One is completely denying my DoS traffic by security policy and seeing how it goes.
The result was 100% CPU usage.
The other is allowing the DoS traffic by policy, but with a resource limit configured at 10.
It also reached 100% CPU usage.
If your reply is correct, let's say, for example, a Palo Alto device is placed in front of a web banking system and I attack this website:
the Palo Alto device would protect against my attack by DoS or Zone Protection, but the CPU will reach 100%.
As a result, the web banking system will be protected, but nobody will be able to use it until the CPU goes down.
I think this is not a good solution for DoS protection. Don't you think?
We would like to know the nature of the traffic/DoS attack being created and sent to the PAN. Based on that we can see what kind of flood it is and try to block that kind of traffic for a certain time (configurable under Floods), so that for the rest of the time no traffic is expected from that source and the device would do fine. To better understand and explain, maybe if you can open a case with us we would be glad to help you out.
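The two replies above describe two different controls: a per-source session limit (resource limitation) and a flood threshold that puts the source on a block list for a configurable time. The added Python model below, which is not PAN-OS code and not the community members' own, shows why the first does not by itself relieve the CPU while the second can: a session-limited packet still has to be evaluated per packet, whereas a source already on the block list is dropped before any rate or session accounting. The profile fields, the 1-second rate window, and the constructed traffic (5000 UDP packets in one second from 198.51.100.7 plus five packets from 192.0.2.10) are assumptions for illustration, not the firewall's real thresholds or implementation.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Optional


# Hypothetical profile knobs, loosely named after the terms used in the thread
# (resource limitation, flood "activate" rate, block duration). Not PAN-OS fields.
@dataclass
class DosProfile:
    max_sessions_per_source: int = 10        # resource limitation: sessions per source
    activate_rate_pps: Optional[int] = None  # flood threshold; None disables flood detection
    block_duration_s: float = 300.0          # how long a flooding source stays on the block list


@dataclass
class Stats:
    inspected: int = 0        # packets that needed the full per-packet evaluation
    allowed: int = 0
    session_limited: int = 0  # dropped by the per-source session limit
    flood_dropped: int = 0    # the packet that tripped the flood threshold
    fast_dropped: int = 0     # dropped by the block-list short-circuit


class DosProtector:
    def __init__(self, profile: DosProfile):
        self.profile = profile
        self.blocked_until = {}            # src -> timestamp when the block expires
        self.sessions = defaultdict(int)   # src -> concurrent sessions
        self.window = defaultdict(deque)   # src -> packet timestamps in the last 1 s
        self.stats = Stats()

    def handle(self, src: str, ts: float, new_session: bool) -> str:
        # Cheap path: a source already on the block list is dropped without
        # touching the rate window or the session table.
        until = self.blocked_until.get(src)
        if until is not None and ts < until:
            self.stats.fast_dropped += 1
            return "drop-blocked"

        # Expensive path: everything below stands in for the per-packet work
        # the thread attributes to the security processor.
        self.stats.inspected += 1
        w = self.window[src]
        w.append(ts)
        while w and ts - w[0] >= 1.0:      # keep only the last second of timestamps
            w.popleft()
        rate = self.profile.activate_rate_pps
        if rate is not None and len(w) > rate:
            self.blocked_until[src] = ts + self.profile.block_duration_s
            self.stats.flood_dropped += 1
            return "drop-flood"
        if new_session:
            if self.sessions[src] >= self.profile.max_sessions_per_source:
                self.stats.session_limited += 1
                return "drop-session-limit"
            self.sessions[src] += 1
        self.stats.allowed += 1
        return "allow"


def constructed_traffic():
    """Constructed sample (not captured data): 5000 UDP packets in one second from
    one source, each trying to open a session, plus five packets from a legitimate client."""
    attacker, client = "198.51.100.7", "192.0.2.10"
    pkts = [(attacker, i / 5000.0, True) for i in range(5000)]
    pkts += [(client, 0.1 * k, True) for k in range(1, 6)]
    return sorted(pkts, key=lambda p: p[1])


def run_scenario(profile: DosProfile) -> Stats:
    """Feed the constructed traffic through one profile and return the counters."""
    protector = DosProtector(profile)
    for src, ts, new_session in constructed_traffic():
        protector.handle(src, ts, new_session)
    return protector.stats


if __name__ == "__main__":
    print("session limit only :", run_scenario(DosProfile(activate_rate_pps=None)))
    print("limit + flood block:", run_scenario(DosProfile(activate_rate_pps=1000)))
```

With the session limit alone, every one of the 5005 packets reaches the expensive path and 4990 are refused one at a time, which matches the poster's observation that a resource limit of 10 still pegged the CPU. With a flood threshold of 1000 packets per second, only the first 1001 attacker packets are fully evaluated; the remaining 3999 hit the block list. In both runs the legitimate client's five packets are allowed, since all state is kept per source.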