11-15-2012 08:50 AM
How does Palo Alto handle Duplicate Packets? In our scenario, we have one interface running in TAP mode. We are using a port aggregator to shove spans/taps from multiple locations in our network to this one TAP mode interface. Doing this, the PA should be receiving duplicate packets when the stream of data flows past 2(or more) of the spans/taps that we have in place. Looking at the logs, the PA doesn't look like it creates duplicate log entries, but I have a feeling it may be taking those duplicate packets and adding the "Bytes" and "Packets" data ON TOP of the original session data in the traffic log.
11-16-2012 12:59 AM
I think thats expected behaviour regarding volume counting.
I mean thats what I would expect it to do if the PA box were in inline mode (lets say vwire).
TCP session 1 sends packets (lets say 100 bytes each): 1, 2, 3, 4, 5, 6 = 600 bytes in total and 6 packets.
TCP session 2 sends packets (duplicates): 1, 1, 2, 2, 3, 3 = also 600 bytes in total and 6 packets which has pass the unit.
Otherwise I think you would also end up with broken stats like regarding bandwidth utilization.
Lets say someone tries to DDoS your setup and send the very same packet 1953125 of them per second (64 byte packets). This would fill up your 1Gbit/s link and I would expect the PA device to show just this that the bandwidth consumed is 1Gbit/s and not 512 bit/s.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
