How to Measure CPS

How can you measure average and peak CPS so you can get a baseline from which to set reasonable flood thresholds?
There are many ways to measure CPS:
  • If you use Panorama to manage your firewalls, use Device Monitoring to measure CPS coming into a firewall (Managed Devices > All Devices). Device Monitoring can also show you a 90-day trend line of CPU average and peak use to help you understand the typical available capacity of each firewall.
  • Run the operational CLI command show session info.
    The operational CLI command show counter interface displays two times the actual CPS value. If you use this command, divide the CPS value by two to derive the real CPS value.
  • For setting appropriate DoS Protection profile thresholds, work with application teams to understand the normal and peak CPS to their servers and the maximum CPS those servers can support.
    In addition, you can filter firewall Traffic logs and Threat logs for the destination IP addresses of the critical devices you want to protect to obtain normal and peak session activity information.
  • Use third-party tools such as Wireshark or NetFlow to collect and analyze network traffic.
  • Use scripts to automate CPS information collection and continuous monitoring, and to mine information from the logs.
  • Configure every Security policy rule on the firewall to Log at Session End. If you have no monitoring tools such as NetFlow or Wireshark, and cannot obtain or develop automated scripts, Log at Session End captures the number of connections at the session end. While this doesn’t provide CPS information, it does show you the number of sessions ending in the selected time duration and you can make an approximate calculation of the sessions per second from that information.
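One way to make the approximate sessions-per-second calculation from Log at Session End data, filtered to the destination addresses you want to protect. This is an added example, not Palo Alto Networks code; the CSV column names end_time and dst, the IP addresses, and the sample rows are assumptions constructed for illustration.

```python
import csv
import io
from collections import Counter
from datetime import datetime

WINDOW = 10  # seconds per bucket; same granularity the firewall measures at
EPOCH = datetime(1970, 1, 1)
FMT = "%Y-%m-%d %H:%M:%S"

def build_sample():
    """Constructed session-end log export; columns end_time,dst are assumed."""
    lines = ["end_time,dst"]
    lines += ["2024-01-01 10:00:0%d,10.0.0.5" % (i % 10) for i in range(20)]
    lines += ["2024-01-01 10:00:2%d,10.0.0.5" % (i % 10) for i in range(40)]
    lines += ["2024-01-01 10:00:05,10.0.0.9"] * 3  # not a protected server
    return "\n".join(lines)

def load_rows(text):
    """Parse the exported CSV text into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))

def session_rates(rows, protected, window=WINDOW):
    """Return {dst: (average, peak)} in sessions ended per second."""
    counts = {dst: Counter() for dst in protected}
    for row in rows:
        if row["dst"] in counts:
            t = datetime.strptime(row["end_time"], FMT)
            counts[row["dst"]][int((t - EPOCH).total_seconds()) // window] += 1
    rates = {}
    for dst, c in counts.items():
        if not c:  # no sessions logged for this server
            rates[dst] = (0.0, 0.0)
            continue
        # Count empty windows between first and last activity in the average.
        span = (max(c) - min(c) + 1) * window
        # Peak is the busiest window averaged over its length, so a burst
        # shorter than the window is flattened.
        rates[dst] = (sum(c.values()) / span, max(c.values()) / window)
    return rates

if __name__ == "__main__":
    for dst, (avg, peak) in sorted(session_rates(
            load_rows(build_sample()), {"10.0.0.5", "10.0.0.6"}).items()):
        print(f"{dst}: average {avg:.1f}/s, peak {peak:.1f}/s")
```

The result counts sessions ending, not connections arriving, so treat it as a baseline estimate rather than a CPS measurement.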
To conserve resources, the firewall measures the aggregate CPS at ten-second intervals. For this reason, measurements you see on the firewall may not catch bursts within the ten-second interval. Although the average CPS measurements aren’t affected, the peak CPS measurements may not be precise. For example, if the firewall logs report a 5,000 CPS average in a ten-second interval, it’s possible that 4,000 CPS came in a one-second burst and the other 1,000 CPS were spread out over the remaining nine seconds.
To gather historical CPS data over time, if you use an SNMP server, you can use your own management tools to poll SNMP MIBs. However, it is important to understand that the CPS measurements in the MIBs show twice the actual CPS value (for example, if the true CPS measurement is 10,000, the MIBs show 20,000 as the value). You can still see trends from the MIBs and you can divide the CPS values by two to derive the true values. The SNMP MIB OIDs are: PanZoneActiveTcpCps, PanZoneActiveUdpCps, and PanZoneOtherIpCps. Because the firewall only takes measurements and updates the SNMP server every 10 seconds, poll every 10 seconds.
In addition, create separate log forwarding profiles for flood events so the appropriate administrator receives emails that contain only flood (potential DoS attack) events. Set Log Forwarding for both zone protection and DoS protection threshold events.
After you implement zone and DoS protection, use these methods to monitor the deployment so that you can adjust flood protection thresholds as your network evolves and traffic patterns change.
