10-09-2014 11:16 AM
So, UDP Flood protection on my untrusted zone kicked in for the first (and second) time last night. The end result was not passing traffic each time for about 5-10 minutes. I'm guessing that the CPU (2050) was just spinning its wheels the entire time. I'm just (blindly) using the default values:
admin@PA-2050-1(active)> show zone-protection zone outside
-------------------------------------------------------------------------------
Zone outside, vsys vsys1, profile SafeZoneProtect
-------------------------------------------------------------------------------
tcp-syn SYN cookies enabled: yes
alarm rate: 10000pps activate rate:1000000pps maximal rate:1000001pps
current: 2 packets dropped:0
-------------------------------------------------------------------------------
udp RED enabled: yes
alarm rate: 1000pps activate rate: 1000pps maximal rate: 4000pps
current: 7 packets dropped:0
-------------------------------------------------------------------------------
icmp RED enabled: yes
alarm rate: 1000pps activate rate: 1000pps maximal rate: 4000pps
current: 0 packets dropped:0
Am I right in thinking that I should be decreasing the rate values so that RED activation and 100% drop kick in faster, giving me some CPU to spare?
10-09-2014 11:34 AM
You need to increase your activate rate from 1000pps. What you are saying is: alert me when UDP traffic reaches 1000 packets per second. Normally the activate rate would be higher than the alert rate. With alert, you ask the firewall to activate random early drop (RED); packets start to drop from this point. It will increase linearly until it reaches the maximal rate. To explain: if the packet rate reaches 25000 packets/sec, or halfway between 10K and 40K, then 50% of all UDP traffic would be dropped. Once it reaches 40K, all UDP packets would get dropped.
If the attack is targeted towards one specific host, then you might also leverage DoS. Hope this helps. Thank you.
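Added example, not from the thread or from Palo Alto Networks: it parses the udp block of the show zone-protection output posted above, applies the linear RED ramp described in the reply (assumed here exactly as stated: 0% drop at the activate rate rising linearly to 100% at the maximal rate), and flags a profile whose activate rate is not above its alarm rate.

```python
import re

# Constructed sample: the udp block from the "show zone-protection" output
# posted in the thread (values copied from the post, not live data).
SAMPLE = """\
udp RED enabled: yes
alarm rate: 1000pps activate rate: 1000pps maximal rate: 4000pps
current: 7 packets dropped:0
"""


def parse_red_block(text):
    """Extract alarm/activate/maximal rates (pps) from one protocol block."""
    rates = {}
    for key in ("alarm", "activate", "maximal"):
        m = re.search(rf"{key} rate:\s*(\d+)\s*pps", text)
        if not m:
            raise ValueError(f"missing {key} rate in block")
        rates[key] = int(m.group(1))
    return rates


def red_drop_fraction(pps, activate, maximal):
    """Fraction of packets RED drops at a given rate.

    Assumption (from the reply above): drops ramp linearly from 0 at the
    activate rate to 1 at the maximal rate; below activate nothing is
    dropped, at or above maximal everything is dropped.
    """
    if maximal <= activate:
        raise ValueError("maximal rate must be greater than activate rate")
    if pps <= activate:
        return 0.0
    if pps >= maximal:
        return 1.0
    return (pps - activate) / (maximal - activate)


def check_profile(rates):
    """Return findings a reviewer would raise about the parsed rates."""
    findings = []
    if rates["activate"] <= rates["alarm"]:
        findings.append("activate rate is not above alarm rate: RED starts "
                        "dropping as soon as the alarm fires, no alert-only headroom")
    if rates["maximal"] <= rates["activate"]:
        findings.append("maximal rate must exceed activate rate")
    return findings
```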
10-09-2014 11:55 AM
Hi MCmgt,
It may not be a Zone protection issue, because current dropped packets are 0.
current: 7 packets dropped:0
The best idea would be to refer to the UDP traffic log for that time period. If you can provide us a magnified view of the log, then we might determine the issue.
Regards,
Hardik Shah
10-09-2014 12:13 PM
I'm not sure why that says 0, but global counters look to have RED active:
flow_dos_red_udp 22712017 0 drop flow dos Packets dropped: Zone protection protocol 'udp' RED
flow_dos_red_icmp 5431 0 drop flow dos Packets dropped: Zone protection protocol 'icmp' RED
flow_dos_zone_red_act 22717448 0 drop flow dos Packets dropped: Activate zone RED threshold reached, random early drop
And the Threat Monitor looks like it's doing random drop:
10-09-2014 12:56 PM
Hi MCmgt,
It's a genuine drop by "Zone protection". It seems UDP traffic has exceeded the configured limit. I would suggest increasing the limit.
Regards,
Hardik Shah