I updated my firmware from 8.1.10 to 9.0.5.
Now I can bring my 5220 to its knees with my mailing list run.
So the emails consist of a PDF attachment of approx. 3 MB, but about 4K emails all around the same time.
This wasn't a problem before on 8.1.10, but on 9.0.5 CPU hits 100% and my latency through the box goes from <1ms to 2-3s+, which makes things crash 😞
I have put in a rule for my mailing list server to no longer be content checked, but I don't want to allow that for all email. I wouldn't mind rate limiting it from the PA side of things, else somebody could crash my network by sending lots of email with large attachments to me!
Can I rate limit one app, or how can I get back to the same behaviour I had under 8.1.10?
NOTE - sorry, originally put in 5020 - fat finger mistake - 5220
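The sender-side pacing the poster is asking about, as an added Python example that is not part of this thread or any Palo Alto feature: a token bucket that smooths a mail-list burst, plus a check of the peak byte rate the firewall would see with and without it. All message sizes, counts and rates are constructed to match the numbers in the post.

```python
# Added example (not from the thread): token-bucket pacing for a bulk mail run such as
# the poster's ~4,000 messages with ~3 MB PDFs released at once. Throttling the sender
# turns the spike into a bounded byte rate for the firewall. All numbers are constructed.
from dataclasses import dataclass

MB = 1_000_000

@dataclass
class TokenBucket:
    rate_bytes_per_ms: int  # sustained throughput allowed
    burst_bytes: int        # bucket capacity: how much may go out at once
    tokens: int = 0
    last_ms: int = 0

    def __post_init__(self) -> None:
        self.tokens = self.burst_bytes  # bucket starts full

    def earliest_send_ms(self, size: int, now_ms: int) -> int:
        """Return the time (ms) at which a message of `size` bytes may be sent."""
        refill = (now_ms - self.last_ms) * self.rate_bytes_per_ms
        self.tokens = min(self.burst_bytes, self.tokens + refill)
        self.last_ms = now_ms
        if self.tokens >= size:
            self.tokens -= size
            return now_ms
        wait_ms = -(-(size - self.tokens) // self.rate_bytes_per_ms)  # ceiling division
        self.tokens += wait_ms * self.rate_bytes_per_ms - size         # leftover after the wait
        self.last_ms = now_ms + wait_ms
        return self.last_ms

def pace(sizes: list[int], rate_bytes_per_s: int, burst_bytes: int) -> list[int]:
    """FIFO-queue the messages through a token bucket; returns send times in ms."""
    bucket = TokenBucket(rate_bytes_per_s // 1000, burst_bytes)
    now, times = 0, []
    for size in sizes:
        now = bucket.earliest_send_ms(size, now)
        times.append(now)
    return times

def peak_bytes_per_window(send_ms: list[int], sizes: list[int], window_ms: int = 1000) -> int:
    """Largest byte total in any window (t - window_ms, t]; send_ms must be nondecreasing."""
    peak = total = j = 0
    for i, t in enumerate(send_ms):
        total += sizes[i]
        while send_ms[j] <= t - window_ms:
            total -= sizes[j]
            j += 1
        peak = max(peak, total)
    return peak
```

With `run = [3 * MB] * 4000`, `peak_bytes_per_window([0] * 4000, run)` reports the 12 GB spike of an unpaced run, while `pace(run, 30 * MB, 30 * MB)` spreads the same run over about 399 s with a peak of 57 MB in any one-second window.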
In your case, Packet Buffer Protection (PBP) should work, and it will protect your OSPF connections. I had many cases under high CPU spikes, and Zone Protection & DoS Protection didn't really help in my cases (probably in your case as well).
My engineering generates aggressive traffic sometimes, and it easily spikes up high CPU on the firewall. It's impossible to control or rate limit it because they use this protocol today, but later they may use other protocols or applications.
Even if your case is a bug, you can only delay the situation by upgrading the PAN-OS. The high CPU event could be happening later by other protocols or applications.
I'm happy with the PBP solution since I applied it, because it protects the firewall and never reaches 100% CPU usage.
Here is the link for PBP.
My only problem with all of these protections is that they are based upon number of connections or number of bytes or flow rate.
Things that don't correlate to threat detection.
I still think the best thing is to say threat protection can only use 80% of CPU ....
From what I read about PBP:
When packet buffer consumption reaches the configured
It works on the amount of traffic coming in, which might not relate to the amount of work threat protection has to do!
That's very interesting. So ... forgive me, I might use the wrong words. But I believe the CPU was at 100% across all the CPUs, which left no headroom to process any packets for other things like OSPF heartbeats or BFD, etc.
I believe support said this was a 9.0.x thing.
So we had 4k emails ... some with some text and a PDF, that would send out at the end of the day. Not a problem with 8.1.x or 8.0.x.
But 9.0.x shat itself, so I took emails off the threat protection path. I think that's silly, but I have no way to mitigate the problem without rate limiting down to almost 0.