01-29-2021 08:34 AM - edited 01-29-2021 08:48 AM
We have the below settings for our untrust zone protection. We don't see a high CPS rate but we still see packets getting dropped, and it has now started affecting us. Any guidance would be helpful.
PANO9.0.11/5250
01-31-2021 03:30 PM
During a time you're seeing these drops, see if you are picking up SYN cookie error counters:
> show counter global delta yes filter aspect dos
and look for any of these counters:
flow_dos_syncookie_ack_err info TCP SYN cookies: Invalid ACKs received, aggregate profile/zone
flow_dos_syncookie_blk_dur drop Packets dropped: Flagged for blocking and under block duration for ag
flow_dos_syncookie_max drop Packet dropped: SYN cookies maximum threshold reached, aggregate prof
flow_dos_syncookie_not_tcp_syn drop TCP SYN cookies: TCP SYN cookie not SYN
flow_dos_syncookie_not_tcp_syn_ack drop TCP SYN cookies: TCP SYN cookie not SYN-ACK
02-01-2021 08:06 AM
@reaper It's difficult to do so when it happens, as it lasts only a few minutes and it's not predictable when it will happen.
But because it had been affecting users I had to increase the activation rate to 4000.
Below is the output though, and I only see 1 flow that matches what you said to look for: flow_dos_syncookie_ack_err
show counter global filter delta yes aspect dos
Global counters:
Elapsed time since last sampling: 5.684 seconds
name value rate severity category aspect description
--------------------------------------------------------------------------------
flow_dos_syncookie_cookie_sent 2170 381 info flow dos TCP SYN cookies: cookies sent, aggregate profile/zone
flow_dos_syncookie_ack_rcv 2332 410 info flow dos TCP SYN cookies: ACKs to cookies received, aggregate profile/zone
flow_dos_syncookie_ack_err 81 14 info flow dos TCP SYN cookies: Invalid ACKs received, aggregate profile/zone
flow_dos_syncookie_svr_ack_rcv 2076 365 info flow dos TCP SYN cookies: Server ACKs received, aggregate profile/zone
flow_dos_syncookie_not_tcp_syn 304 53 drop flow dos TCP SYN cookies: TCP SYN cookie not SYN
flow_dos_pf_ipspoof 1 0 drop flow dos Packets dropped: Zone protection option 'discard-ip-spoof'
flow_dos_pf_ipfrag 24 4 drop flow dos Packets dropped: Zone protection option 'discard-ip-frag'
flow_dos_pf_ping0 10 1 drop flow dos Packets dropped: Zone protection option 'discard-icmp-ping-zero-id'
flow_dos_pf_icmplpkt 1 0 drop flow dos Packets dropped: Zone protection option 'discard-icmp-large-packet'
flow_dos_pm_tcptimestamp 65 11 info flow dos Packets modified: Zone protection option 'remove-tcp-timestamp'
flow_dos_rule_allow_under_rate 24 4 info flow dos Packets allowed: Rate within thresholds of DoS policy
flow_dos_rule_match 24 4 info flow dos Packets matched DoS policy
flow_dos_rule_nomatch 3800 668 info flow dos Packets not matched DoS policy
flow_dos_cl_curr_sess_add_incr 14 2 info flow dos Incremented classified current session count on session create
flow_dos_cl_curr_sess_del_decr 30 5 info flow dos Decremented classified current session count on session delete
flow_dos_ag_buckets_upd 11 1 info flow dos Updated aggregate buckets for aging
--------------------------------------------------------------------------------
Total counters shown: 16
--------------------------------------------------------------------------------
02-01-2021 08:19 AM
Check to see if you have a lot of non_syn_tcp
show counter global filter aspect session category flow severity drop delta yes
02-01-2021 01:47 PM
If you are having trouble checking counters when experiencing the issue, I would simply script it and log the results on a regular basis. That way, when you experience the issue again you simply have to go back and look at the logged data to see if you can capture the counters increasing at a high rate.
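As an added example of the scripted collection suggested above (this is not code from the thread or from Palo Alto Networks), the script below parses the text of a PAN-OS `show counter global ... delta yes` listing in the column layout posted earlier in this thread, records every sample as one JSON line, and flags drop-severity counters and SYN-cookie counters whose per-second rate crosses a threshold. It serves both the DoS-aspect check (`filter delta yes aspect dos`) and the session-aspect `non_syn_tcp` check, since both produce the same row format. How the raw CLI text is fetched (SSH, the XML API, or a pasted capture) is left to the operator and is an assumption here; the sample input embedded below is copied from the output posted in this thread.

```python
"""Periodic PAN-OS global-counter logger and threshold checker (added example).

Assumptions: the operator supplies the raw text of
  show counter global filter delta yes aspect dos
(or the session/flow/drop variant) in a file; collection is not done here.
"""
from __future__ import annotations

import json
import re
import sys
import time
from dataclasses import asdict, dataclass

# Sample input: rows copied from the counter output posted in the thread.
SAMPLE_OUTPUT = """\
Global counters:
Elapsed time since last sampling: 5.684 seconds
name value rate severity category aspect description
--------------------------------------------------------------------------------
flow_dos_syncookie_cookie_sent 2170 381 info flow dos TCP SYN cookies: cookies sent, aggregate profile/zone
flow_dos_syncookie_ack_err 81 14 info flow dos TCP SYN cookies: Invalid ACKs received, aggregate profile/zone
flow_dos_syncookie_not_tcp_syn 304 53 drop flow dos TCP SYN cookies: TCP SYN cookie not SYN
flow_dos_pf_ipfrag 24 4 drop flow dos Packets dropped: Zone protection option 'discard-ip-frag'
flow_dos_rule_nomatch 3800 668 info flow dos Packets not matched DoS policy
--------------------------------------------------------------------------------
Total counters shown: 5
"""


@dataclass
class Counter:
    name: str
    value: int
    rate: int          # per-second rate since the last "delta yes" sampling
    severity: str      # info | warn | drop | error
    category: str
    aspect: str
    description: str


# One counter row: name, value, rate, severity, category, aspect, free-text description.
ROW_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.*)$")
ELAPSED_RE = re.compile(r"Elapsed time since last sampling:\s+([\d.]+)\s+seconds")


def elapsed_seconds(text: str) -> float | None:
    """Sampling window the rates refer to; None if the header is missing."""
    m = ELAPSED_RE.search(text)
    return float(m.group(1)) if m else None


def parse_counters(text: str) -> list[Counter]:
    """Parse counter rows; header, separator and total lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        name, value, rate, sev, cat, asp, desc = m.groups()
        rows.append(Counter(name, int(value), int(rate), sev, cat, asp, desc))
    return rows


def flag_counters(rows: list[Counter], rate_threshold: int = 50,
                  watch_prefix: str = "flow_dos_syncookie") -> list[Counter]:
    """Counters worth attention: any 'drop' counter that is moving at all,
    plus any watched SYN-cookie counter whose rate is at or above the threshold."""
    flagged = []
    for c in rows:
        if c.severity == "drop" and c.rate > 0:
            flagged.append(c)
        elif c.name.startswith(watch_prefix) and c.rate >= rate_threshold:
            flagged.append(c)
    return flagged


def log_sample(rows: list[Counter], path: str, now: float | None = None) -> dict:
    """Append one JSON record per sample so a short-lived event can be reviewed later."""
    record = {"ts": now if now is not None else time.time(),
              "counters": [asdict(c) for c in rows]}
    with open(path, "a", encoding="utf-8") as fh:
        fh.write(json.dumps(record) + "\n")
    return record


if __name__ == "__main__":
    # Usage: python counters.py [captured_output.txt] [log.jsonl]
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_OUTPUT
    log_path = sys.argv[2] if len(sys.argv) > 2 else "counters.jsonl"
    rows = parse_counters(text)
    log_sample(rows, log_path)
    print(f"window {elapsed_seconds(text)}s, {len(rows)} counters logged to {log_path}")
    for c in flag_counters(rows):
        print(f"FLAG {c.name:40} rate={c.rate:5}/s sev={c.severity} {c.description}")
```

Run it from cron or a loop every minute against a fresh capture; because `delta yes` reports rates since the previous sampling, keep the interval fixed so rates are comparable across records, and grep the JSON log for `FLAG`-worthy names once users report the next outage.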