Measure CPS practically


Measure CPS practically

L3 Networker

Hi Guys,

We have PAN VM 300. To implement Zone Protection, we want to measure CPS. Now we don't have Panorama and don't do firewall monitoring with any tool.

Now the admin guide suggests that:

  • Use third-party tools such as Wireshark or NetFlow to collect and analyze network traffic.
  • Use scripts to automate CPS information collection and continuous monitoring, and to mine information from the logs.

These statements are a bit vague and there are no further steps / descriptions.

Has anyone done this? Is there any further information / steps which can help me measure CPS efficiently?
Thanks!

7 REPLIES

Cyber Elite

@rjdahav163,

So generally I use SNMP to read the MIB values for the active TCP, UDP and OtherIP values, because honestly this is going to be easiest. There are plenty of free tools available, regardless of operating system, that will let you pull these via SNMP and set up polling. You absolutely don't need to spend any money to do this. You could automate collection of the same values via the API or Python or whatever, but based off of your question I'm going to assume that this is off the table.

The thing to remember with ZP or DoS profiles is that you don't actually need to get it right first time go; take an educated guess and work off of that. Set the Alarm Rate on everything to what you think would actually be a reasonable amount; and then kick up the Activate and Maximum values to something you know you'll never hit in a million years. 

When the Alarm Rate is hit, it will generate a threat log entry with the subtype of flood. As long as you don't hit your Activate or Maximum values, nothing adverse is going to happen. Utilize these alerts to fine tune what your realistic values need to actually be for the Alarm rate. Once you have the alarm rate nailed down, then adjust your Activate and Maximum values using your Alarm rate as a baseline.  

Not sure if this is still being updated/supported, but you can try the Pan(w)achrome Chrome plugin.

@BPry

Thanks for your response.

OK, I am trying to use our SNMP tool with the OID 1.3.6.1.4.1.25461.2.1.2.3.10 for PanZoneActiveTcpCps.

Similarly for the other two, PanZoneActiveUdpCps and PanZoneOtherIpCps.
What OIDs did you use?
Thanks!
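Added example, not code from any poster in this thread or from Palo Alto Networks: a small Python poller that runs net-snmp's snmpwalk against the panZoneActiveTcpCps OID quoted above (a per-zone gauge column in the zone table), keeps the samples, and derives starting Zone Protection values along the lines @BPry describes (Alarm Rate near a realistic ceiling, Activate and Maximum far above it). Assumptions: `snmpwalk` is in PATH, SNMPv2c with a read-only community, the host name `fw`, and the headroom/multipliers are this example's own and not a vendor recommendation; the UDP and other-IP OIDs are placeholders to fill in from a MIB walk, as the thread says, and the sample walk output in CONSTRUCTED_WALKS is constructed for the offline demo.

```python
"""Collect per-zone CPS gauges from a PAN-OS firewall via SNMP and summarise them.

Added example; not code from the thread or from Palo Alto Networks.
Assumptions: net-snmp `snmpwalk` installed, SNMPv2c read-only community,
and the UDP / other-IP OIDs filled in from your own MIB walk (placeholders).
Only the TCP OID comes from the thread.
"""
import re
import statistics
import subprocess
import time
from collections import defaultdict

OIDS = {
    "tcp": "1.3.6.1.4.1.25461.2.1.2.3.10",  # panZoneActiveTcpCps (from the thread)
    "udp": "OID_FROM_YOUR_MIB_WALK",         # placeholder: panZoneActiveUdpCps
    "other_ip": "OID_FROM_YOUR_MIB_WALK",    # placeholder: panZoneOtherIpCps
}

# Matches net-snmp numeric output such as
#   .1.3.6.1.4.1.25461.2.1.2.3.10.3 = Gauge32: 57
# group 2 is the zone index (last sub-identifier), group 3 the CPS value.
LINE_RE = re.compile(r"^(\S+?)\.(\d+)\s*=\s*\w+:\s*(\d+)\s*$")

# Constructed sample output of three successive walks (two zones), for the demo.
CONSTRUCTED_WALKS = [
    ".1.3.6.1.4.1.25461.2.1.2.3.10.1 = Gauge32: 40\n"
    ".1.3.6.1.4.1.25461.2.1.2.3.10.2 = Gauge32: 5\n",
    ".1.3.6.1.4.1.25461.2.1.2.3.10.1 = Gauge32: 60\n"
    ".1.3.6.1.4.1.25461.2.1.2.3.10.2 = Gauge32: 7\n",
    ".1.3.6.1.4.1.25461.2.1.2.3.10.1 = Gauge32: 50\n"
    ".1.3.6.1.4.1.25461.2.1.2.3.10.2 = Gauge32: 6\n",
]


def parse_walk(text):
    """Return {zone_index: cps_value} parsed from one snmpwalk output."""
    rows = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rows[int(m.group(2))] = int(m.group(3))
    return rows


def snmpwalk(host, community, oid):
    """Run net-snmp snmpwalk in numeric-OID mode (-On) and return its stdout."""
    out = subprocess.run(
        ["snmpwalk", "-v2c", "-c", community, "-On", host, oid],
        capture_output=True, text=True, check=True)
    return out.stdout


def collect(samples, interval_s, walk=snmpwalk, host="fw", community="public"):
    """Poll `samples` times, `interval_s` apart; returns {proto: {zone: [values]}}."""
    history = defaultdict(lambda: defaultdict(list))
    for i in range(samples):
        for proto, oid in OIDS.items():
            if oid.startswith("OID_FROM"):
                continue  # skip until the placeholder OID is replaced
            for zone, val in parse_walk(walk(host, community, oid)).items():
                history[proto][zone].append(val)
        if i < samples - 1:
            time.sleep(interval_s)
    return history


def summarize(values):
    """Peak, 95th percentile (nearest-rank) and mean of one zone's samples."""
    s = sorted(values)
    idx = min(len(s) - 1, int(round(0.95 * (len(s) - 1))))
    return {"peak": s[-1], "p95": s[idx], "mean": statistics.fmean(s)}


def suggest_zp(values, headroom=1.5, activate_mult=4, max_mult=8):
    """Starting points in the spirit of the thread: Alarm Rate a bit above the
    observed peak, Activate and Maximum far above it so only alarms fire while
    you tune. The multipliers are this example's own assumption."""
    alarm = max(1, int(summarize(values)["peak"] * headroom))
    return {"alarm_rate": alarm,
            "activate_rate": alarm * activate_mult,
            "max_rate": alarm * max_mult}


def demo():
    """Offline run over the constructed walks; returns suggestions per TCP zone."""
    it = iter(CONSTRUCTED_WALKS)
    hist = collect(len(CONSTRUCTED_WALKS), 0, walk=lambda h, c, o: next(it))
    return {zone: suggest_zp(vals) for zone, vals in hist["tcp"].items()}


if __name__ == "__main__":
    for zone, sug in demo().items():
        print(f"zone index {zone}: {sug}")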

@jambulo - Thanks, will try that out as well.

Any idea here guys?

@BPry?

@rjdahav163,

You'll want to do a MIB walk to get the other OID values. 

Where can I see the alarm log when the CPS reaches the Alarm rate?

Monitor > Logs > Threat, or Monitor > Logs > Alarm?

If we have the same value at Alarm and Activate and we have set the action to RED, then after CPS reaches that value, will we get an alarm trigger log and then all packets dropped, including all legitimate packets?

Am I right?