Baseline CPS Measurements for Setting Flood Thresholds
Taking baseline measurements of average and peak CPS
for each zone helps define reasonable thresholds to prevent floods
without unnecessarily throttling traffic.
Where Can I Use This? | What Do I Need?
NGFW (Managed by PAN-OS or Panorama) |
Flood protection thresholds determine three things: the number of new
connections per second (CPS) to allow for a zone (Zone Protection profile),
for a group of devices in a zone (aggregate DoS Protection policy), or for
individual devices in a zone (classified DoS Protection policy); the rate at
which to start throttling new connections to begin mitigating a potential
flood attack; and the rate at which to drop all new connections.
The default Zone Protection profile and DoS Protection profile flood
protection thresholds aren't appropriate for most networks because
each network is unique. To set effective Zone Protection profile
thresholds, you need to understand the aggregate normal and peak CPS
for each zone; to set effective DoS Protection profile thresholds, you
need the same measurements for the individual critical systems you want
to defend. Otherwise you risk setting thresholds too high, which lets
flood attacks through, or too low, which throttles legitimate traffic.
Measure average and peak CPS traffic over the course of at least five business days,
or until you're confident that the measurements reflect the network's typical traffic
patterns; the longer the measurement period, the more accurate the measurements. Take into
account special events, quarterly events, and annual events that may spike the number of
CPS you need to support. You may need to adjust Zone Protection profiles and schedule
adjusted DoS Protection policy rules to accommodate these types of events if your
firewalls have the capacity to handle the extra traffic. Take the following baseline
measurements:
For Zone Protection profiles, measure the average and peak CPS ingressing each
zone.
For aggregate DoS Protection profiles, measure the combined average and peak CPS
for each group of devices you want to protect.
For classified DoS Protection profiles, measure the average and peak CPS of the
individual devices you want to protect.
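The three measurements above, as an added example that is not part of the original page: the session records, the zone names, the device group and the "web-farm" label are all constructed for illustration, and the average is taken over every second of the measurement window (quiet seconds included) so that it reflects sustained load rather than only busy seconds.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed session-start records (timestamp, ingress zone, destination IP). These
# nine lines are made up for the example; a real baseline comes from the firewall's
# traffic logs over at least five business days, as recommended above.
SAMPLE_LOG = """\
2024-03-04T09:00:00 untrust 10.0.0.10
2024-03-04T09:00:00 untrust 10.0.0.10
2024-03-04T09:00:00 untrust 10.0.0.11
2024-03-04T09:00:01 dmz 10.0.1.5
2024-03-04T09:00:02 untrust 10.0.0.10
2024-03-04T09:00:02 untrust 10.0.0.10
2024-03-04T09:00:02 untrust 10.0.0.10
2024-03-04T09:00:02 untrust 10.0.0.11
2024-03-04T09:00:03 dmz 10.0.1.5
"""
WEB_FARM = {"10.0.0.10", "10.0.0.11"}  # hypothetical device group for an aggregate DoS policy

def parse_records(text):
    """Yield (datetime, zone, dst) from whitespace-separated log lines."""
    for line in text.splitlines():
        ts, zone, dst = line.split()
        yield datetime.fromisoformat(ts), zone, dst

def baseline_cps(records, key):
    """Return {group: (average CPS, peak CPS)}; key(zone, dst) names a record's group
    or returns None to skip it. The peak is the busiest single second, which is the
    value a flood threshold must leave headroom above."""
    records = list(records)
    first, last = min(r[0] for r in records), max(r[0] for r in records)
    window = int((last - first).total_seconds()) + 1  # seconds in the measurement window
    per_second = defaultdict(Counter)  # group -> {second: new sessions}
    for ts, zone, dst in records:
        group = key(zone, dst)
        if group is not None:
            per_second[group][ts.replace(microsecond=0)] += 1
    return {g: (sum(c.values()) / window, max(c.values())) for g, c in per_second.items()}

def zone_baseline(text):
    """Zone Protection profile: CPS ingressing each zone."""
    return baseline_cps(parse_records(text), lambda zone, dst: zone)

def aggregate_baseline(text, group, name="web-farm"):
    """Aggregate DoS Protection: combined CPS of a group of devices."""
    return baseline_cps(parse_records(text), lambda zone, dst: name if dst in group else None)

def classified_baseline(text, hosts):
    """Classified DoS Protection: CPS of each individual protected device."""
    return baseline_cps(parse_records(text), lambda zone, dst: dst if dst in hosts else None)
```

Run the same three functions over a full export of real traffic logs and repeat per zone to get the numbers the thresholds are set against.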
Also understand the capacity of your firewalls and how other resource-consuming features
such as decryption affect the number of connections each firewall can control. As a
general rule, the closer a firewall is to the perimeter, the greater its capacity needs
to be because it handles more traffic. The datasheet for each firewall model includes
the total new sessions per second (CPS) the firewall supports, and the
Firewall Comparison Tool enables you to compare the CPS (and
other metrics) of different firewall models.