01-29-2021 08:34 AM - edited 01-29-2021 08:48 AM
We have the settings below for our untrust zone protection. We don't see a high CPS rate, but we still see packets getting dropped, and it has now started affecting us. Any guidance would be helpful.
PANO9.0.11/5250
02-02-2021 07:43 AM
@BPry Would you have a sample script for just that?
@reaper This seems quite bursty.
show counter global filter aspect session category flow severity drop delta yes
Global counters:
Elapsed time since last sampling: 8.763 seconds
name value rate severity category aspect description
--------------------------------------------------------------------------------
flow_policy_deny 3575 407 drop flow session Session setup: denied by policy
flow_tcp_non_syn_drop 19507 2226 drop flow session Packets dropped: non-SYN TCP without session match
--------------------------------------------------------------------------------
Total counters shown: 2
--------------------------------------------------------------------------------
Global counters:
Elapsed time since last sampling: 1.548 seconds
name value rate severity category aspect description
--------------------------------------------------------------------------------
flow_policy_deny 636 410 drop flow session Session setup: denied by policy
flow_tcp_non_syn_drop 3530 2280 drop flow session Packets dropped: non-SYN TCP without session match
--------------------------------------------------------------------------------
Total counters shown: 2
--------------------------------------------------------------------------------
Also, from what I have understood, these are global counters; they just tell you that something is happening but don't tell you where. Could the counters not be increasing because of something internal to our network?
This is what I see with show zone-protection:
show zone-protection zone EXTERNAL
------------------------------------------------------------------------------------------
Number of zones with protection profile: 1
------------------------------------------------------------------------------------------
Zone EXTERNAL, vsys vsys1, profile EXTERNAL
------------------------------------------------------------------------------------------
tcp-syn SYN cookie enabled: yes
DP alarm rate: 7000 cps, activate rate: 4500 cps, maximal rate: 35000 cps
current: 84 packets
dropped: 0 packets
not TCP SYN: 196153882 packets
not TCP SYN ACK: 25849 packets
------------------------------------------------------------------------------------------
udp RED enabled: yes
DP alarm rate: 5000 cps, activate rate: 15000 cps, maximal rate: 30000 cps
current: 2 packets
dropped: 0 packets
------------------------------------------------------------------------------------------
icmp RED enabled: yes
DP alarm rate: 5000 cps, activate rate: 15000 cps, maximal rate: 30000 cps
current: 0 packets
dropped: 0 packets
------------------------------------------------------------------------------------------
other-ip RED enabled: yes
DP alarm rate: 5000 cps, activate rate: 15000 cps, maximal rate: 30000 cps
current: 0 packets
dropped: 0 packets
------------------------------------------------------------------------------------------
icmpv6 RED enabled: yes
DP alarm rate: 5000 cps, activate rate: 15000 cps, maximal rate: 30000 cps
current: 0 packets
dropped: 0 packets
------------------------------------------------------------------------------------------
IPv(4/6) Filter:
discard-ip-spoof: enabled: yes, packet dropped: 121
discard-ip-frag: enabled: yes, packet dropped: 3146
tcp-reject-non-syn: enabled: yes, (global), packet dropped: 108198
tcp-timestamp: enabled: yes, packets modified: 4370
discard-tcp-syn-with-data: enabled: yes, packet dropped: 0
discard-tcp-synack-with-data: enabled: yes, packet dropped: 0
strip-tcp-fast-open-and-data: enabled: yes, packet stripped: 9
IPv4 packet filter:
discard-icmp-ping-zero-id: enabled: yes, packet dropped: 30
discard-icmp-frag: enabled: yes, packet dropped: 0
discard-icmp-large-packet: enabled: yes, packet dropped: 0
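The `delta yes` output above only shows what was counted since the previous sampling, so to see whether the non-SYN drops are steady or bursty you have to keep the samples and compare them. The following is an added example, not code from the thread: a small Python parser for that exact CLI text (the two samples quoted above are embedded as constructed input) that recomputes each counter's per-second rate from value/elapsed and reports how much the reported rate of each counter moves between samples. The `min_rate` threshold and the "spread" ratio are my own choices for separating noise from a sustained drop.

```python
"""Parse repeated `show counter global ... delta yes` samples into a time series.

Added example (not from the thread): it reads the text exactly as the CLI
prints it, turns each "Global counters:" block into a sample, recomputes the
per-second rate from value/elapsed, and compares a counter's rate across
samples so that steady drops can be told apart from bursts.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed input: the two delta samples quoted in the thread, pasted back
# to back as they appear when the command is run twice in one CLI session.
SAMPLE_OUTPUT = """\
Global counters:
Elapsed time since last sampling: 8.763 seconds
name value rate severity category aspect description
--------------------------------------------------------------------------------
flow_policy_deny 3575 407 drop flow session Session setup: denied by policy
flow_tcp_non_syn_drop 19507 2226 drop flow session Packets dropped: non-SYN TCP without session match
--------------------------------------------------------------------------------
Total counters shown: 2
--------------------------------------------------------------------------------
Global counters:
Elapsed time since last sampling: 1.548 seconds
name value rate severity category aspect description
--------------------------------------------------------------------------------
flow_policy_deny 636 410 drop flow session Session setup: denied by policy
flow_tcp_non_syn_drop 3530 2280 drop flow session Packets dropped: non-SYN TCP without session match
--------------------------------------------------------------------------------
Total counters shown: 2
--------------------------------------------------------------------------------
"""


@dataclass
class Counter:
    name: str
    value: int        # packets counted since the last sampling
    rate: int         # per-second rate as reported by the firewall
    severity: str
    category: str
    aspect: str
    description: str


@dataclass
class Sample:
    elapsed: float    # seconds since the last sampling
    counters: dict[str, Counter] = field(default_factory=dict)


ELAPSED_RE = re.compile(r"^Elapsed time since last sampling:\s+([\d.]+)\s+seconds")
# name value rate severity category aspect description (description has spaces)
COUNTER_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.+)$")


def parse_global_counters(text: str) -> list[Sample]:
    """Split CLI output into samples, one Sample per 'Global counters:' block."""
    samples: list[Sample] = []
    current: Sample | None = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Global counters:"):
            current = Sample(elapsed=0.0)
            samples.append(current)
            continue
        if current is None or not line or line.startswith("-"):
            continue
        m = ELAPSED_RE.match(line)
        if m:
            current.elapsed = float(m.group(1))
            continue
        m = COUNTER_RE.match(line)  # header and "Total counters" lines never match
        if m:
            current.counters[m.group(1)] = Counter(
                m.group(1), int(m.group(2)), int(m.group(3)),
                m.group(4), m.group(5), m.group(6), m.group(7))
    return samples


def recomputed_rates(sample: Sample) -> dict[str, tuple[float, int]]:
    """Return {name: (value/elapsed, reported rate)}; the two should agree closely."""
    if sample.elapsed <= 0:
        return {}
    return {n: (c.value / sample.elapsed, c.rate) for n, c in sample.counters.items()}


def rate_spread(samples: list[Sample], min_rate: int = 0) -> dict[str, dict[str, float]]:
    """Per counter: min and max reported rate across samples and their ratio.

    A spread near 1 means a steady rate; a large spread means bursts.
    Counters whose peak rate stays below min_rate are dropped as noise.
    """
    rates: dict[str, list[int]] = {}
    for s in samples:
        for n, c in s.counters.items():
            rates.setdefault(n, []).append(c.rate)
    out: dict[str, dict[str, float]] = {}
    for n, rs in rates.items():
        hi, lo = max(rs), min(rs)
        if hi < min_rate:
            continue
        out[n] = {"min_rate": lo, "max_rate": hi,
                  "spread": hi / lo if lo else float("inf")}
    return out


if __name__ == "__main__":
    samples = parse_global_counters(SAMPLE_OUTPUT)
    for i, s in enumerate(samples, 1):
        print(f"sample {i}: elapsed {s.elapsed}s")
        for n, (calc, rep) in recomputed_rates(s).items():
            print(f"  {n:<24} {calc:8.1f} pps (device reported {rep})")
    for n, d in rate_spread(samples, min_rate=100).items():
        print(f"{n}: {d['min_rate']}-{d['max_rate']} pps, spread x{d['spread']:.2f}")
```

Run it against a file of pasted samples instead of `SAMPLE_OUTPUT` to build the series; the recomputed rate is a sanity check that a sample was not truncated, and a counter whose spread stays near 1 across many samples is a constant rate rather than a burst.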
02-02-2021 03:55 PM
I have made this PowerShell script to get zone information. There might be easier ways, but this is what I got to work and log the output.
# Loop endlessly with a 5 second delay
while($true){
    # Generate an API key for this iteration (credentials go in the query string)
    $Login = Invoke-RestMethod -Uri 'https://pan/api/?type=keygen&user=xml&password=P@ssword1'
    $LoginXML = Select-Xml -Xml $Login -XPath "/response[@status]/result/key/text()" | Select-Object -ExpandProperty Node
    $Key = $LoginXML.Value
    # Build the op command request for the EXTERNAL zone's zone-protection counters
    $XMLURI = 'https://pan/api/?type=op&cmd=<show><zone-protection><zone>EXTERNAL</zone></zone-protection></show>&key=' + $Key
    # Echo the request URL (note that it contains the API key)
    $XMLURI
    $Request = Invoke-RestMethod -Uri $XMLURI
    # Pull the zone entry and each per-protocol flood-protection node out of the response
    $Parse0 = Select-Xml -Xml $Request -XPath "/response[@status]/result/entry/entries/entry" | Select-Object -ExpandProperty Node
    $Parse1 = Select-Xml -Xml $Request -XPath "/response[@status]/result/entry/entries/entry/other-ip" | Select-Object -ExpandProperty Node
    $Parse2 = Select-Xml -Xml $Request -XPath "/response[@status]/result/entry/entries/entry/tcp-syn" | Select-Object -ExpandProperty Node
    $Parse3 = Select-Xml -Xml $Request -XPath "/response[@status]/result/entry/entries/entry/udp" | Select-Object -ExpandProperty Node
    $Parse4 = Select-Xml -Xml $Request -XPath "/response[@status]/result/entry/entries/entry/icmp" | Select-Object -ExpandProperty Node
    $Parse5 = Select-Xml -Xml $Request -XPath "/response[@status]/result/entry/entries/entry/icmpv6" | Select-Object -ExpandProperty Node
    # Stamp every record with the sample time and append it to its own CSV
    $Time = (Get-Date).ToString('yyyy-MM-dd HH:mm:ss')
    $Parse0 | Add-Member -MemberType NoteProperty -Name Timestamp -Value $Time -PassThru | Export-Csv -Path "d:\palo\Entry.csv" -Append
    $Parse1 | Add-Member -MemberType NoteProperty -Name Timestamp -Value $Time -PassThru | Export-Csv -Path "d:\palo\OTHER-IP.csv" -Append
    $Parse2 | Add-Member -MemberType NoteProperty -Name Timestamp -Value $Time -PassThru | Export-Csv -Path "d:\palo\TCP-SYN.csv" -Append
    $Parse3 | Add-Member -MemberType NoteProperty -Name Timestamp -Value $Time -PassThru | Export-Csv -Path "d:\palo\UDP.CSV" -Append
    $Parse4 | Add-Member -MemberType NoteProperty -Name Timestamp -Value $Time -PassThru | Export-Csv -Path "d:\palo\ICMP.csv" -Append
    $Parse5 | Add-Member -MemberType NoteProperty -Name Timestamp -Value $Time -PassThru | Export-Csv -Path "d:\palo\ICMP6.csv" -Append
    Start-Sleep -s 5
}
02-02-2021 04:40 PM
No, the potential to cause a catastrophic load on your device is too high, IMHO.
If you're at the end of your rope, open a case with support so they can assist during a live session.
02-02-2021 08:10 PM
I've never had a need to programmatically pull global counters on an automated basis outside of specific troubleshooting periods where I was already in maintenance windows. I'm not sure if it would put enough load on the firewall to cause any issues; I don't recall it placing an abnormal load on the system in the past, but I was also in maintenance windows and wouldn't really have been looking for it.