We have a PAN VM 300. To implement Zone Protection, we want to measure CPS. We don't have Panorama and don't do firewall monitoring with any tool.
Now the admin guide suggests that:
These statements are a bit vague and there are no further steps / description.
Has anyone done this? Is there any further information / steps which can help me measure CPS efficiently?
So generally I use SNMP to read the MIB values for the active TCP, UDP and OtherIP values, because honestly this is going to be easiest. There are plenty of free tools available, regardless of operating system, that will let you pull these via SNMP and set up polling. You absolutely don't need to spend any money to do this. You could automate collection of the same values via the API or Python or whatever, but based off of your question I'm going to assume that this is off the table.
The thing to remember with ZP or DoS profiles is that you don't actually need to get it right on the first go; take an educated guess and work off of that. Set the Alarm Rate on everything to what you think would actually be a reasonable amount, and then kick up the Activate and Maximum values to something you know you'll never hit in a million years.
When the Alarm Rate is hit, it will generate a threat log entry with the subtype of flood. As long as you don't hit your Activate or Maximum values, nothing adverse is going to happen. Utilize these alerts to fine tune what your realistic values need to actually be for the Alarm rate. Once you have the alarm rate nailed down, then adjust your Activate and Maximum values using your Alarm rate as a baseline.
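As an added illustration of the tuning approach described in the answer above (example code, not from the thread or from Palo Alto Networks), the script below takes a series of polled CPS samples, derives a first-guess Alarm/Activate/Maximum triple with the Activate and Maximum values far above the Alarm Rate, and replays readings against those thresholds. The CPS samples and the ordering of the three stages (alarm logs only, activate starts the protective action, maximum drops) are a constructed, simplified model of the profile semantics.

```python
"""Derive Zone Protection flood thresholds from polled CPS samples and replay
readings against them. Added example with constructed data; not vendor code."""
from dataclasses import dataclass
import math

# Constructed: per-zone TCP CPS values as they might come back from polling an
# SNMP counter once a minute over a busy period.
TCP_CPS_SAMPLES = [120, 140, 135, 160, 155, 180, 175, 210, 190, 165, 150, 130]


@dataclass(frozen=True)
class FloodThresholds:
    alarm: int      # log a threat entry (subtype "flood"), no enforcement
    activate: int   # start the protective action (e.g. RED / SYN cookies)
    maximum: int    # drop new connections above this rate


def suggest_thresholds(samples, alarm_headroom=1.5, activate_factor=10, maximum_factor=20):
    """Educated first guess: Alarm a bit above the observed peak, Activate and
    Maximum far above it so that only alarms fire while you tune."""
    if not samples:
        raise ValueError("need at least one CPS sample")
    peak = max(samples)
    alarm = math.ceil(peak * alarm_headroom)
    return FloodThresholds(alarm, alarm * activate_factor, alarm * maximum_factor)


def classify(cps, th):
    """Return the stage a single CPS reading reaches (None = below Alarm Rate).
    Assumes alarm <= activate <= maximum, which suggest_thresholds guarantees."""
    if cps >= th.maximum:
        return "maximum"
    if cps >= th.activate:
        return "activate"
    if cps >= th.alarm:
        return "alarm"
    return None


def replay(samples, th):
    """Count how many readings hit each stage; a high alarm count with no
    activate/maximum hits means the Alarm Rate needs raising, not the action."""
    counts = {"alarm": 0, "activate": 0, "maximum": 0}
    for cps in samples:
        stage = classify(cps, th)
        if stage:
            counts[stage] += 1
    return counts
```

Feed it the values you poll over a representative week, then move the Alarm Rate until the flood alerts line up with traffic you genuinely consider abnormal before lowering Activate and Maximum.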
Thanks for your response.
OK, I am trying to use our SNMP tool with the OID 184.108.40.206.4.1.254220.127.116.11.3.10 for PanZoneActiveTcpCps.
Similarly for the other two, PanZoneActiveUdpCps and PanZoneOtherIpCps.
What OIDs did you use?
Where can I see the alarm log when the CPS reaches the Alarm rate?
Monitor > Logs > Threat? Or Monitor > Logs > Alarm?
If we have the same value for Alarm and Activate and we have set it to RED, then after CPS reaches that value, will we get an alarm trigger log and then all packets dropped, including all legitimate packets?
Am I right?