Measure CPS practically

L3 Networker

Hi Guys,

We have a PAN VM 300. To implement Zone Protection, we want to measure CPS. Currently we don't have Panorama and don't do firewall monitoring with any tool.

Now the admin guide suggests that:

  • Use third-party tools such as Wireshark or NetFlow to collect and analyze network traffic.
  • Use scripts to automate CPS information collection and continuous monitoring, and to mine information from the logs.

These statements are a bit vague and there are no further steps / description.

Has anyone done this? Is there any further information / steps which can help me measure CPS efficiently?

Thanks!

Cyber Elite

Re: Measure CPS practically

@rjdahav163,

So generally I use SNMP to read the MIB values for the active TCP, UDP and OtherIP values, because honestly this is going to be easiest. There are plenty of free tools available, regardless of operating system, that will let you pull these via SNMP and set up polling. You absolutely don't need to spend any money to do this. You could automate collection of the same values via the API or Python or whatever, but based off of your question I'm going to assume that this is off the table.

The thing to remember with ZP or DoS profiles is that you don't actually need to get it right the first time; take an educated guess and work off of that. Set the Alarm Rate on everything to what you think would actually be a reasonable amount, and then kick up the Activate and Maximum values to something you know you'll never hit in a million years.

When the Alarm Rate is hit, it will generate a threat log entry with the subtype of flood. As long as you don't hit your Activate or Maximum values, nothing adverse is going to happen. Utilize these alerts to fine tune what your realistic values need to actually be for the Alarm rate. Once you have the alarm rate nailed down, then adjust your Activate and Maximum values using your Alarm rate as a baseline.  
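One way to turn polled active-CPS gauge samples into a starting baseline for the approach above, as an added example that is not from this post or from Palo Alto Networks; the CSV layout, column names, and threshold multipliers are assumptions, and the sample rows are constructed:

```python
import csv
import io
import math
from collections import defaultdict

# Constructed sample in the shape a hypothetical poller might write: one row
# per 60-second poll and zone, from the active TCP/UDP/other-IP CPS gauges.
SAMPLE_CSV = """\
ts,zone,tcp_cps,udp_cps,other_ip_cps
1700000000,trust,120,40,2
1700000060,trust,135,38,1
1700000120,trust,900,41,3
1700000180,trust,128,45,2
1700000240,trust,131,39,2
1700000300,trust,140,42,1
1700000000,untrust,60,20,0
1700000060,untrust,65,18,0
1700000120,untrust,58,22,1
"""
PROTOS = ("tcp_cps", "udp_cps", "other_ip_cps")

def percentile(values, pct):
    """Nearest-rank percentile of a non-empty list of samples."""
    ordered = sorted(values)
    return ordered[max(1, math.ceil(pct / 100 * len(ordered))) - 1]

def baseline(csv_text, pct=75):
    """Per zone and protocol: sample count, peak and pct-th percentile."""
    series = defaultdict(lambda: defaultdict(list))
    for row in csv.DictReader(io.StringIO(csv_text)):
        for proto in PROTOS:
            series[row["zone"]][proto].append(int(row[proto]))
    return {zone: {p: {"samples": len(v), "peak": max(v), "pct": percentile(v, pct)}
                   for p, v in per_proto.items()}
            for zone, per_proto in series.items()}

def suggest(stats, alarm_headroom=1.5, activate_mult=5, maximum_mult=10):
    """Starting flood thresholds: Alarm a little above the usual rate (so the
    900 CPS spike only logs a flood threat entry), Activate and Maximum at
    multiples of the peak that real traffic should not reach until alarm logs
    confirm the baseline. The multipliers are assumptions to tune."""
    return {zone: {p: {"alarm": math.ceil(s["pct"] * alarm_headroom),
                       "activate": s["peak"] * activate_mult,
                       "maximum": s["peak"] * maximum_mult}
                   for p, s in per_proto.items()}
            for zone, per_proto in stats.items()}
```

Feed it the CSV your poller writes; once flood threat log entries show which zones alarm under normal load, re-run with fresh samples and lower the multipliers.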

L4 Transporter

Re: Measure CPS practically

Not sure if this is still being updated/supported, but you can try the Pan(w)achrome Chrome plugin.

L3 Networker

Re: Measure CPS practically

@BPry

Thanks for your response.

OK, I am trying to use our SNMP tool with the OID 1.3.6.1.4.1.25461.2.1.2.3.10 for PanZoneActiveTcpCps.

Similarly, other OIDs for the other two, PanZoneActiveUdpCps and PanZoneOtherIpCps.

What OIDs did you use?

Thanks!

L3 Networker

Re: Measure CPS practically

@jambulo - Thanks will try that out as well.

L3 Networker

Re: Measure CPS practically

Any idea here guys?

@BPry ?

Cyber Elite

Re: Measure CPS practically

@rjdahav163,

You'll want to do a MIB walk to get the other OID values. 

L1 Bithead

Re: Measure CPS practically

Where can I see the alarm log when the CPS reaches the Alarm rate?

Monitor > Logs > Threat, or Monitor > Logs > Alarm?

If we have the same value for Alarm and Activate and we have set it to RED, then after the CPS reaches that value, will we get an alarm trigger log and then all packets dropped, including all legitimate packets?

Am I right?
