How to Measure CPS

How can you measure average and peak CPS so you can get a baseline from which to set reasonable flood thresholds?
There are many ways to measure CPS:
  • If you use Panorama to manage your firewalls, use Device Monitoring to measure the CPS coming into each firewall (Panorama > Managed Devices > Health > All Devices). Device Monitoring can also show you a 90-day trend line of average and peak CPU use to help you understand the typical available capacity of each firewall.
  • Use your own management tools to poll the following three MIB objects to gather per-zone historical CPS data: PanZoneActiveTcpCps, PanZoneActiveUdpCps, and PanZoneOtherIpCps. Poll every 10 seconds (the firewall updates these values at 10-second intervals, so polling more often returns the same sample).
  • For setting appropriate DoS Protection profile thresholds, work with application teams to understand the normal and peak CPS to their servers and the maximum CPS those servers can support.
    In addition, you can filter firewall Traffic logs and Threat logs for the destination IP addresses of the critical devices you want to protect to obtain normal and peak session activity information.
  • Use third-party tools such as Wireshark or NetFlow to collect and analyze network traffic.
  • Use scripts to automate CPS information collection and continuous monitoring, and to mine information from the logs.
  • Configure every Security policy rule on the firewall to Log at Session End. If you have no management tools to analyze the MIBs, no monitoring tools such as NetFlow or Wireshark, and cannot obtain or develop automated scripts, Log at Session End still records one Traffic log entry for each session when the session ends. This does not measure CPS directly, but counting those entries over a time period gives you an idea of the number of connections to a destination.
    To conserve resources, the firewall measures aggregate CPS at ten-second intervals, so its measurements cannot see bursts shorter than ten seconds. The average CPS is unaffected, but the reported peak CPS is the highest ten-second average, not the highest one-second rate, so it may understate short bursts. For example, if 50,000 connections arrive in a ten-second interval, the firewall reports a 5,000 CPS average for that interval, but 41,000 of those connections may have arrived in a single one-second burst (41,000 CPS for that second) with the remaining 9,000 spread at 1,000 CPS over the other nine seconds.
    In addition, create separate log forwarding profiles for flood events so the appropriate administrator receives emails that contain only flood (potential DoS attack) events. Set Log Forwarding for both zone protection and DoS protection threshold events.
After you implement zone and DoS protection, keep using these methods to monitor the deployment so that you can adjust flood protection thresholds as your network evolves and traffic patterns change.
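The following script is an added example, not code from the PAN-OS documentation or from Palo Alto Networks. It shows two of the methods above in working form: mining Traffic logs that were written at session end to count sessions per second for a destination, and re-aggregating those counts into the same ten-second windows the firewall uses, which makes the burst-masking effect visible. The log excerpt is constructed, and its simplified CSV layout (timestamp, source, destination, destination port) is an assumption for the example; real PAN-OS Traffic logs carry many more fields, so adapt the column selection to your export.

```python
"""Added example: derive a CPS baseline from session-end logs and show how
ten-second aggregation hides one-second bursts. Not PAN-OS code."""
from collections import Counter
from datetime import datetime

TIME_FMT = "%Y/%m/%d %H:%M:%S"
EPOCH = datetime(1970, 1, 1)

# Constructed Traffic-log excerpt in a simplified layout (assumption):
# timestamp,src,dst,dport. Addresses are documentation ranges.
SAMPLE_LOG = """\
2024/05/01 10:00:00,10.1.1.5,192.0.2.10,443
2024/05/01 10:00:00,10.1.1.6,192.0.2.10,443
2024/05/01 10:00:01,10.1.1.7,192.0.2.10,443
2024/05/01 10:00:03,10.1.1.8,192.0.2.10,443
2024/05/01 10:00:03,10.1.1.9,192.0.2.10,443
2024/05/01 10:00:03,10.1.1.10,192.0.2.10,443
2024/05/01 10:00:03,10.1.1.11,192.0.2.11,80
2024/05/01 10:00:07,10.1.1.12,192.0.2.10,443
2024/05/01 10:00:12,10.1.1.13,192.0.2.10,443
2024/05/01 10:00:12,10.1.1.14,192.0.2.10,443
"""


def sessions_per_second(log_text, dst_filter=None):
    """Count logged sessions per epoch second, optionally for one destination IP
    (the 'filter Traffic logs for the destination IP' method)."""
    counts = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, _src, dst, _dport = (f.strip() for f in line.split(","))
        if dst_filter and dst != dst_filter:
            continue
        second = int((datetime.strptime(ts, TIME_FMT) - EPOCH).total_seconds())
        counts[second] += 1
    return counts


def window_averages(per_second, window=10):
    """Aggregate per-second counts into fixed windows, as the firewall does at
    ten-second intervals. Returns {window_start_second: average CPS}."""
    totals = Counter()
    for sec, n in per_second.items():
        totals[sec - sec % window] += n
    return {start: total / window for start, total in sorted(totals.items())}


def baseline(per_second, window=10):
    """Return (overall average CPS, peak CPS as ten-second windows report it,
    true one-second peak). The gap between the last two is the burst the
    firewall's sampling cannot see."""
    if not per_second:
        return 0.0, 0.0, 0
    windows = window_averages(per_second, window)
    first, last = min(per_second), max(per_second)
    span = (last - last % window + window) - (first - first % window)
    average = sum(per_second.values()) / span
    return average, max(windows.values()), max(per_second.values())


def burst_series(start=0, baseline_cps=1000, burst_cps=41000, burst_offset=3):
    """Constructed per-second series matching the text's example: ten seconds
    at a baseline rate with one burst second. 'start' must be a multiple of
    ten so the series falls into a single firewall window."""
    series = {start + i: baseline_cps for i in range(10)}
    series[start + burst_offset] = burst_cps
    return series


if __name__ == "__main__":
    for label, series in (
        ("all destinations", sessions_per_second(SAMPLE_LOG)),
        ("192.0.2.10 only", sessions_per_second(SAMPLE_LOG, "192.0.2.10")),
        ("constructed burst", burst_series()),
    ):
        avg, reported_peak, true_peak = baseline(series)
        print(f"{label}: avg {avg:.2f} CPS, reported peak {reported_peak:.2f} CPS,"
              f" true one-second peak {true_peak} CPS")
```

The constructed burst case reproduces the text's numbers: the single ten-second window reports 5,000 CPS average and 5,000 CPS peak, while the true one-second peak is 41,000 CPS. The same `window_averages` and `baseline` functions work on samples polled from the CPS MIB objects if you key them by poll time, but keep in mind that those values are already ten-second aggregates, so they cannot recover the one-second peak either.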

