PA 5220 Packet Descriptor Max value

We have netflow configured in solar.

When i check the decrypt mirror port it is 10gig and i see no errors.

When you say below

The only thing effecting your descriptor count would be the additional buffer and descriptor allocation happening for your decrypt mirror configuration.

For this should i configure the netflow for the decrypt mirror port?

Regards

Mike

Also let me know what next step i can take to isolate this?

@MP18,

So I wouldn't get too hung up on the decrypt mirror port; I simply meant that to mean that you have increased load across your device and the additional load by configuring a decrypt mirror isn't helping things. 

You'll need to try and see exactly what is causing your traffic load to spike and if its legitimate traffic that needs to be processed or something behaving poorly; it's quite possible that at times your device is simply under stress, and if you still average below 80% I wouldn't be overly concerned about it unless it starts causing issues. 

To attempt to see what is flooding in while you notice the descriptor issue, you'll need to monitor what traffic is actually going across the device. Netflow certainly helps with that if you already have it configured, but you could also utilize the Chrome extension pan(w)achrome to see if you can spot where traffic is high to narrow down your search to a particular zone or interface so you have less information to search through.

What version of PAN-OS are you actually running; there have been plenty of software issues where you can see high descriptor counts due to bugs that you may be running into. 

It is always pleasure to read you posts.

We are running PAN OS 8.1.9.

For Company users  accessing Internet 

we have INT. and EXT. zone.  on each separate  physical interface 

We have one Internal Zone for our Corp Users and all Internet traffic for users flow via this.

Two separate Zone for Guest Internet traffic on separate  ISP connection.

Top used rule is Corp Internal users accessing internet  on port 80 and 443.

This rule is mostly used.

Any idea how can I narrow it down if I know the mostly used rule?

Also is it possible to get the email when Packet descriptor runs 100%

@MP18,

I don't believe that the descriptor hitting 100% is something you can get an email for at the moment; likewise knowing the rule doesn't really tell you anything about why your buffer and descriptor would be rising. You might want to reach out to support and see if there is any additional logging they can enable to tell you exactly what is using the available descriptors.

Here is last 7 days reports of Packet Descriptor

Resource utilization (%) during last 7 days:
session (average):
1 1 2 2 2 2 2
session (maximum):
1 2 3 3 3 4 3
packet buffer (average):
1 1 1 1 1 1 1
packet buffer (maximum):
8 7 6 82 3 26 9
packet descriptor (average):
0 0 0 1 1 1 1
packet descriptor (maximum):
1 2 3 5 5 4 5
packet descriptor (on-chip) (average):
3 3 4 4 4 4 4
packet descriptor (on-chip) (maximum):
100 100 99 100 60 100 91

Will check with out SE