Zone Protection drops traffic

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Zone Protection drops traffic

L4 Transporter

We have below settings for  our untrust zone protection. We don't see a high CPS rate but we still see packets getting dropped, and has now started effecting us. Any guidance would be helpful.

PANO9.0.11/5250

 

image.png

image.png

image.png

 

 

9 REPLIES 9

Cyber Elite
Cyber Elite

during a time you're seeing these drops, see if you are picking up syn cookie error counters:

 

> show counter global delta yes filter aspect dos

 

and look for any of these counters:

flow_dos_syncookie_ack_err info TCP SYN cookies: Invalid ACKs received, aggregate profile/zone
flow_dos_syncookie_blk_dur drop Packets dropped: Flagged for blocking and under block duration for ag
flow_dos_syncookie_max drop Packet dropped: SYN cookies maximum threshold reached, aggregate prof
flow_dos_syncookie_not_tcp_syn drop TCP SYN cookies: TCP SYN cookie not SYN
flow_dos_syncookie_not_tcp_syn_ack drop TCP SYN cookies: TCP SYN cookie not SYN-ACK

Tom Piens
PANgurus - (co)managed services and consultancy

@reaper  Its difficult to so when it happens as it lasts only few minutes, and not predictable when it would happen.

But because it had been effecting users I had to increase the activation to rate to 4000.

Below is the output though and i only see 1 flow that matches what you said to look for. flow_dos_syncookie_ack_er

 

show counter global filter delta yes aspect dos

Global counters:
Elapsed time since last sampling: 5.684 seconds

name                                   value     rate severity  category  aspect    description
--------------------------------------------------------------------------------
flow_dos_syncookie_cookie_sent          2170      381 info      flow      dos       TCP SYN cookies: cookies sent, aggregate profile/zone
flow_dos_syncookie_ack_rcv              2332      410 info      flow      dos       TCP SYN cookies: ACKs to cookies received, aggregate profile/zone
flow_dos_syncookie_ack_err                81       14 info      flow      dos       TCP SYN cookies: Invalid ACKs received, aggregate profile/zone
flow_dos_syncookie_svr_ack_rcv          2076      365 info      flow      dos       TCP SYN cookies: Server ACKs received, aggregate profile/zone
flow_dos_syncookie_not_tcp_syn           304       53 drop      flow      dos       TCP SYN cookies: TCP SYN cookie not SYN
flow_dos_pf_ipspoof                        1        0 drop      flow      dos       Packets dropped: Zone protection option 'discard-ip-spoof'
flow_dos_pf_ipfrag                        24        4 drop      flow      dos       Packets dropped: Zone protection option 'discard-ip-frag'
flow_dos_pf_ping0                         10        1 drop      flow      dos       Packets dropped: Zone protection option 'discard-icmp-ping-zero-id'
flow_dos_pf_icmplpkt                       1        0 drop      flow      dos       Packets dropped: Zone protection option 'discard-icmp-large-packet'
flow_dos_pm_tcptimestamp                  65       11 info      flow      dos       Packets modified: Zone protection option 'remove-tcp-timestamp'
flow_dos_rule_allow_under_rate            24        4 info      flow      dos       Packets allowed: Rate within thresholds of DoS policy
flow_dos_rule_match                       24        4 info      flow      dos       Packets matched DoS policy
flow_dos_rule_nomatch                   3800      668 info      flow      dos       Packets not matched DoS policy
flow_dos_cl_curr_sess_add_incr            14        2 info      flow      dos       Incremented classified current session count on session create
flow_dos_cl_curr_sess_del_decr            30        5 info      flow      dos       Decremented classified current session count on session delete
flow_dos_ag_buckets_upd                   11        1 info      flow      dos       Updated aggregate buckets for aging
--------------------------------------------------------------------------------
Total counters shown: 16
--------------------------------------------------------------------------------

Cyber Elite
Cyber Elite

Check to see if you have a lot of non_syn_tcp

 

 

show counter global filter aspect session category flow severity drop delta yes

Tom Piens
PANgurus - (co)managed services and consultancy

@raji_toor,

If you are having trouble checking counters when experiencing the issue, I would simply script it and log the results on a regular basis. That way, when you experience the issue again you simply have to go back and look at the logged data to see if you can capture the counters increasing at a high rate. 

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!