How can you measure average and peak CPS so you can get
a baseline from which to set reasonable flood thresholds?
There are many ways to measure CPS:
If you use Panorama to manage your firewalls, use Device Monitoring to measure
CPS coming into a firewall. Device Monitoring
can also show you a 90-day trend line of CPU average and peak use
to help you understand the typical available capacity of each firewall.
Run the operational CLI command show session info to view the CPS. The
operational CLI command show counter interface shows
two times the actual CPS value. If you use this command, divide
the CPS value by two to derive the real CPS value.
For setting appropriate DoS Protection profile thresholds,
work with application teams to understand the normal and peak CPS
to their servers and the maximum CPS those servers can support. In
addition, you can filter firewall Traffic logs and Threat logs for
the destination IP addresses of the critical devices you want to
protect to obtain normal and peak session activity information.
Use third-party tools such as Wireshark or NetFlow to collect
and analyze network traffic.
Use scripts to automate CPS information collection and continuous
monitoring, and to mine information from the logs.
Configure every Security policy rule on the firewall to Log
at Session End. If you have no monitoring tools such
as NetFlow or Wireshark, and cannot obtain or develop automated
scripts, Log at Session End still shows you the
number of connections at the session end. While this doesn't provide
CPS information, it does show you the number of sessions ending
in the selected time duration and you can make an approximate calculation
of the sessions per second from that information.
To conserve resources, the firewall measures the aggregate
CPS at ten-second intervals. For this reason, measurements you see
on the firewall may not catch bursts within the ten-second interval.
Although the average CPS measurements aren’t affected, the peak
CPS measurements may not be precise. For example, if the firewall
logs report a 5,000 CPS average in a ten-second interval, it’s possible
that 4,000 CPS came in a one-second burst and the other 1,000 CPS
were spread out over the remaining nine seconds.
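The following script is an added example, not code from the Palo Alto Networks documentation. It mines a Log at Session End export for a critical server's destination address, approximates sessions per second with an average and a peak, and then averages the same counts over ten-second windows to show how the firewall's aggregate measurement hides a one-second burst. It assumes a CSV export whose first two fields are the receive time ("YYYY/MM/DD HH:MM:SS") and the destination address; the sample rows are constructed for illustration and are not real log data.

```python
# Added example, not from the Palo Alto Networks documentation. It mines a
# "Log at Session End" export to approximate sessions per second for a
# critical server and shows how a ten-second aggregate hides a burst.
# Assumed (not on the page): a CSV export whose first two fields are the
# receive time ("YYYY/MM/DD HH:MM:SS") and the destination address.
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample rows: receive_time,dst_ip,dst_port (not real log data).
SAMPLE_LOG = """\
2024/03/01 10:00:00,10.1.1.10,443
2024/03/01 10:00:00,10.1.1.10,443
2024/03/01 10:00:00,10.1.1.20,80
2024/03/01 10:00:01,10.1.1.10,443
2024/03/01 10:00:01,10.1.1.10,443
2024/03/01 10:00:01,10.1.1.10,443
2024/03/01 10:00:01,10.1.1.10,443
2024/03/01 10:00:02,10.1.1.10,443
2024/03/01 10:00:05,10.1.1.10,443
2024/03/01 10:00:09,10.1.1.20,80
"""


def parse_session_end_log(text):
    """Parse CSV rows into (receive_time, dst_ip) tuples, skipping blank lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        fields = line.split(",")
        stamp = datetime.strptime(fields[0], "%Y/%m/%d %H:%M:%S")
        records.append((stamp, fields[1]))
    return records


def per_second_counts(records, dst_ip=None):
    """Count session ends in each one-second bucket across the whole log span.

    Seconds with no session end are kept as zero so the average is not
    inflated. dst_ip restricts the count to one destination (a critical
    server) while keeping the span of the full log.
    """
    if not records:
        return []
    start = min(t for t, _ in records)
    end = max(t for t, _ in records)
    counter = Counter(t for t, d in records if dst_ip is None or d == dst_ip)
    buckets = []
    t = start
    while t <= end:
        buckets.append((t, counter.get(t, 0)))
        t += timedelta(seconds=1)
    return buckets


def summarize(buckets):
    """Return (average per second, peak per second, time of the first peak)."""
    if not buckets:
        return 0.0, 0, None
    total = sum(c for _, c in buckets)
    peak_time, peak = max(buckets, key=lambda b: b[1])
    return total / len(buckets), peak, peak_time


def windowed_average(buckets, window_seconds=10):
    """Average per-second counts over consecutive windows, the way the
    firewall's ten-second aggregate measurement does. A one-second burst
    inside a window is averaged away, so the windowed peak understates the
    true per-second peak."""
    averages = []
    for i in range(0, len(buckets), window_seconds):
        chunk = buckets[i:i + window_seconds]
        averages.append(sum(c for _, c in chunk) / len(chunk))
    return averages


if __name__ == "__main__":
    records = parse_session_end_log(SAMPLE_LOG)
    for label, target in (("all destinations", None), ("10.1.1.10", "10.1.1.10")):
        buckets = per_second_counts(records, target)
        avg, peak, at = summarize(buckets)
        print(f"{label}: avg {avg:.2f}/s, peak {peak}/s at {at:%H:%M:%S}")
        print(f"  ten-second window averages: {windowed_average(buckets)}")
```

With the sample rows, the server 10.1.1.10 peaks at 4 sessions in one second while the ten-second window average is 0.8, which is the same effect the ten-second aggregate has on the firewall's own peak CPS figures. Point the script at a real export with the same two leading columns to baseline a critical server before setting its DoS Protection profile thresholds.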
To gather historical CPS data over time, if you use an SNMP server,
you can use your own management tools to poll SNMP MIBs. However,
it is important to understand that the CPS measurements in the MIBs
show twice the actual CPS value (for example, if the true CPS measurement
is 10,000, the MIBs show 20,000 as the value). You can still see
trends from the MIBs and you can divide the CPS values by two to
derive the true values. The SNMP MIB OIDs are: PanZoneActiveTcpCps,
PanZoneActiveUdpCps, and PanZoneOtherIpCps. Because the firewall
only takes measurements and updates the SNMP server every 10 seconds,
poll every 10 seconds.
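The following script is an added example, not code from the Palo Alto Networks documentation or its MIBs. It parses snmpwalk-style output for the three per-zone CPS objects named above, halves each value because the MIB reports twice the actual CPS, totals the corrected TCP, UDP and other-IP rates per zone, and tracks the highest total seen across a series of ten-second polls. Assumptions not on the page: the "MIB::object.index = TYPE: value" text layout, the module name PAN-COMMON-MIB, and a zone-name object panZoneName that shares the table index; the sample lines are constructed, not captured output.

```python
# Added example, not from the Palo Alto Networks documentation. It parses
# snmpwalk-style output of the per-zone CPS objects named on the page and
# halves each value, because the MIB reports twice the actual CPS.
# Assumptions (not on the page): the "MIB::object.index = TYPE: value" text
# layout, the module name PAN-COMMON-MIB, and a zone-name object panZoneName
# sharing the same index; the sample lines are constructed, not real output.
import re
from collections import defaultdict

SAMPLE_WALK = """\
PAN-COMMON-MIB::panZoneName.1 = STRING: "untrust"
PAN-COMMON-MIB::panZoneName.2 = STRING: "dmz"
PAN-COMMON-MIB::panZoneActiveTcpCps.1 = Gauge32: 20000
PAN-COMMON-MIB::panZoneActiveTcpCps.2 = Gauge32: 3000
PAN-COMMON-MIB::panZoneActiveUdpCps.1 = Gauge32: 4000
PAN-COMMON-MIB::panZoneActiveUdpCps.2 = Gauge32: 500
PAN-COMMON-MIB::panZoneOtherIpCps.1 = Gauge32: 200
PAN-COMMON-MIB::panZoneOtherIpCps.2 = Gauge32: 0
"""

# A second constructed poll, ten seconds later, with a higher untrust TCP rate.
SAMPLE_WALK_LATER = SAMPLE_WALK.replace(
    "panZoneActiveTcpCps.1 = Gauge32: 20000", "panZoneActiveTcpCps.1 = Gauge32: 26000"
)

LINE_RE = re.compile(
    r"^(?:[\w-]+::)?(?P<obj>\w+)\.(?P<idx>\d+)\s*=\s*(?P<type>[\w ]+?):\s*(?P<val>.*)$"
)

# The page's MIB object names (lowercase first letter, as a walk prints them).
CPS_OBJECTS = {
    "tcp": "panZoneActiveTcpCps",
    "udp": "panZoneActiveUdpCps",
    "other": "panZoneOtherIpCps",
}


def parse_walk(text):
    """Group walk lines by table index: {index: {object: raw value string}}."""
    table = defaultdict(dict)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m is None:
            continue  # ignore anything that is not an object line
        table[m["idx"]][m["obj"]] = m["val"].strip().strip('"')
    return table


def true_zone_cps(text):
    """Return {zone: {"tcp", "udp", "other", "total"}} with corrected values.

    The MIB value is twice the true CPS, so each reported value is halved.
    """
    zones = {}
    for idx, objs in parse_walk(text).items():
        name = objs.get("panZoneName", f"index-{idx}")
        corrected = {}
        for key, obj in CPS_OBJECTS.items():
            reported = int(objs.get(obj, "0"))
            corrected[key] = reported // 2  # MIB shows 2x the real CPS
        corrected["total"] = corrected["tcp"] + corrected["udp"] + corrected["other"]
        zones[name] = corrected
    return zones


def peak_over_polls(walks):
    """Highest corrected total CPS per zone across a series of polls taken at
    the firewall's ten-second update interval (a simple trend/peak tracker)."""
    peaks = {}
    for walk in walks:
        for zone, cps in true_zone_cps(walk).items():
            peaks[zone] = max(peaks.get(zone, 0), cps["total"])
    return peaks


if __name__ == "__main__":
    for zone, cps in true_zone_cps(SAMPLE_WALK).items():
        print(f"{zone}: tcp {cps['tcp']} udp {cps['udp']} other {cps['other']} "
              f"total {cps['total']} CPS")
    print("peak total per zone over two polls:",
          peak_over_polls([SAMPLE_WALK, SAMPLE_WALK_LATER]))
```

Feed it the text of each ten-second poll and keep the corrected per-zone totals as the baseline series; the halving is applied once at parse time so everything downstream (trend lines, threshold proposals) works with true CPS values.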
In addition, create separate log forwarding profiles for
flood events so the appropriate administrator receives emails that
contain only flood (potential DoS attack) events. Set Log Forwarding
for both zone protection and DoS protection threshold events.
After you implement zone and DoS protection,
use these methods to monitor the deployment, so as your network
evolves and traffic patterns change, you adjust flood protection