How to Measure CPS
How can you measure average and peak CPS so you can get a baseline from which to set reasonable flood thresholds?
There are many ways to measure CPS to help you set Zone Protection profile and DoS Protection profile flood threshold settings:
- For Zone Protection profile thresholds, if you run PAN-OS 10.0 or later, the best way to measure CPS is to use the Zone Protection profile Threshold Recommendation alerts from the AIOps cloud service, which use system telemetry to provide accurate estimates of average and average peak CPS values to use in Zone Protection profiles. You can sign up firewalls and Panorama for the service. With PAN-OS 10.2.1 or later, you can install the AIOps plugin for Panorama to proactively enforce security checks on configurations before you push them to managed firewalls.
- If you use Panorama to manage your firewalls, use Device Monitoring to measure CPS coming into a firewall. Select a device to see measurements that help you understand the CPS for that device over a configurable time frame to help you understand the capacity of the firewall. Device Monitoring can also show you a 90-day trend line of CPU average and peak use to help you understand the typical available capacity of each firewall. To see how CPS impacts firewall resources, you can overlay CPS on the same timeline with metrics such as CPU utilization, packet buffers, or packet descriptors:
- Select Panorama > Managed Devices > Health > All Devices.
- Click a Device Name to select a device and to view and filter device information.
- Select the gear icon. You can select tabs at the top of the dialog box to see more metrics. The illustrations for this step show the Sessions tab; the other tabs are Interfaces, Logging, Resources, and Firewall Cluster. Each tab displays different default metrics, and for each default metric you can overlay other metrics, compare the selected device to other devices (including device slots and data planes), and annotate the metric. The Sessions tab screen shows the CPS data over the last 12 hours (Time Filter) overlaid with Data Plane CPU Utilization. The next step shows you how to overlay metrics on the default metrics in each tab.
- Click the gear icon to see the actions you can take for overlaying other metrics on the default metrics. You can overlay one metric at a time on each default metric over a particular time frame:
- Select Overlay to see the overlay options and then select the Metric drop-down.
- You can overlay any of these metrics on the default metrics over the same time period to see how the state of one metric affects another metric. For example, on the Sessions tab, you can overlay Data Plane Packet Buffers or Data Plane Packet Descriptors to see how high CPS, Throughput, Session Count, or Packets Per Second (PPS) conditions affect the packet buffers or packet descriptors. Another example on the Sessions tab is to overlay CPS, Throughput, or PPS with the Data Plane CPU and Packet Buffers metrics to see how traffic spikes affect the CPU and buffers. Another example is to select the Resources tab and then overlay Data Plane CPU over Packet Buffers to see how packet buffer utilization affects the CPU. Overlays help you see trends and correlations, such as whether high buffer utilization is associated with high CPS or PPS rates, and give you an idea of how high CPS and PPS can be before they affect the CPU, packet buffers, or packet descriptors.
- Click OK to see the data overlay and use the information to understand device resource behavior under different CPS loads and conditions.
- To gather CPS data over time to help with setting Zone Protection profile thresholds, if you use an SNMP server, you can use your own management tools to poll SNMP MIBs. However, it is important to understand that the CPS measurements in the MIBs show twice the actual CPS value (for example, if the true CPS measurement is 10,000, the MIBs show 20,000 as the value; this happens because the MIBs count the C2S and S2C session segments separately instead of as a single session). You can still see trends from the MIBs and you can divide the CPS values by two to derive the true values. The SNMP MIB OIDs are: PanZoneActiveTcpCps, PanZoneActiveUdpCps, and PanZoneOtherIpCps. Because the firewall only takes measurements and updates the SNMP server every 10 seconds, poll every 10 seconds.
- Run the operational CLI command show session info. You can also see CPS values using the operational CLI command show counter interface, but this command displays two times the actual CPS value because it counts the C2S and S2C session segments separately instead of as a single session, so divide the CPS value by two to derive the real CPS value.
- DoS Protection profiles can protect servers from DoS attacks and can also prevent misconfigured or compromised servers from attacking your network. When the DoS Protection policy rule specifies a server as the destination, you’re protecting it from DoS attacks. When a rule specifies a server as the source, you’re protecting your network from inadvertent or malicious attacks on your network from that server. To measure the CPS for an individual device or to see which devices have the highest CPS rates so that you can set DoS Protection profile thresholds, use the Application Command Center (ACC). The ACC shows you server session rates that enable you to calculate the average CPS for individual devices (for classified DoS Protection policy rules) and for groups of devices (aggregate DoS Protection policy rules). Take measurements over at least a week; longer time periods provide a larger sample size and therefore more representative measurements. Use the measurements to understand the normal and peak number of connections you expect the server to receive and base your threshold settings on those measurements. To find the devices that have the highest CPS rates over a particular time period:
- Select ACC.
- Set the Time period over which to look at session traffic.
- On Network Activity, go to the Source IP Activity widget and/or the Destination IP Activity widget and select sessions (bytes is the default). You can look at source IP activity and destination IP activity at the same time to see how many sessions the device generates (source IP) and how many sessions the device receives (destination IP).
- In the widget’s source address table, click SESSIONS to show the source IP addresses with the highest session counts during the selected Time.
- To determine the CPS value for a server during the selected Time, divide the number of sessions by the number of seconds in the Time. For example, if the Time is set to Last Hour, then divide the number of sessions by 3,600 seconds to derive the CPS value.
The ACC gives you knowledge of average CPS values over time. You can check the number of sessions over the last week, month, or whatever time period makes sense for your environment to understand the session load for a device. For example, to see the session activity over the last week, set the Time to Last 7 Days and the source and destination IP widgets to sessions.
As an example of measuring CPS to protect a server from DoS attacks using ACC information in the illustration, let’s calculate the average CPS value over a seven-day time period for the server that receives the most sessions (IP address 137.145.204.10 in the Destination IP Activity widget). We divide the 1.7 million sessions by the number of seconds in seven days (7 days x 24 hours x 60 minutes x 60 seconds = 604,800 seconds). The average is a bit less than three sessions per second for that server. Measure the CPS over time periods that represent normal average and peak traffic for the servers you want to protect and base your initial thresholds on those values. Observe the servers and adjust the thresholds as necessary to tune DoS Protection so that the servers are protected but you don’t throttle legitimate connections unnecessarily.
- Measuring CPS for classified DoS Protection profiles—Classified DoS Protection profiles protect individual devices. The goal is to configure CPS thresholds in the classified DoS Protection profile and attach the profile to a DoS Protection policy rule that applies to specific servers that have similar DoS attack thresholds. For example, you can apply classified DoS Protection profiles to web servers or critical file servers to prevent a DoS attack from disrupting their availability. The thresholds you set in the profile apply to each individual device specified in the policy rule. For example, if you set a maximum rate of 5,000 CPS in a classified DoS Protection profile, then each device in the associated DoS Protection policy rule can accept up to 5,000 CPS before dropping new connections. To calculate the average and peak CPS value:
- Select the Time frame over which to view session activity.
- Select sessions in the Destination IP Activity widget.
- Specify the destination IP address of each device to which you want to apply classified DoS protection in Global Filters (you can specify multiple IP addresses). You can filter firewall Traffic logs and Threat logs for the destination IP addresses of the critical devices you want to protect to obtain normal and peak session activity information.
- Add the session values together and divide the total by the number of seconds in the time period to derive the CPS value. For example, over a time period of 30 days (2,592,000 seconds), if the total number of sessions is 155,300,000, then the average CPS over that time period is approximately 60 CPS.
- Check if the number of sessions over the time period is close enough that the initial threshold values protect each device from DoS attacks but also don’t underutilize the devices.
- Fine tune the threshold values to ensure that none of the protected servers become DoS attack victims while attaining the highest safe performance for legitimate connections.
To calculate the average peak CPS, use the graphic display in the widget to identify the peak session periods and calculate the average peak CPS from that.
- Measuring CPS for aggregate DoS Protection profiles—Aggregate DoS Protection profiles protect groups of devices. The goal is to configure CPS thresholds in the aggregate DoS Protection profile and attach the profile to a DoS Protection policy rule that applies to an entire group of servers. Aggregate DoS Protection adds another layer of broad protection after your dedicated large-capacity perimeter DDoS device and the firewall’s Zone Protection. Aggregate profiles don’t apply the configured threshold to each individual device in the way that classified profiles do. Instead, the threshold applies to the entire protected group. For example, if you set a maximum CPS threshold of 20,000 sessions to a group of five servers, then the combined total sessions that the group can support is 20,000 sessions. The only limit for an individual server in the group is how many of the 20,000 sessions are available. One device could receive 15,000 CPS, which leaves up to 5,000 CPS for the other four devices combined. Adjust the thresholds as needed. You can use the same process for finding normal and peak CPS for classified profiles in the ACC to find average normal and peak CPS for aggregate profiles. Keep in mind that for aggregate profiles, you need to base the thresholds on the group’s total CPS, not on the CPS to individual servers.
- To prevent a server or servers from inadvertently or maliciously attacking your network, base your CPS measurements on the Source IP Activity widget, which shows the session activity that servers generate. Filter by sessions to see the most active servers or use Global Settings to filter by the source IP address of a particular server or servers. In the DoS Protection policy rule for the server(s), apply a DoS Protection profile with low thresholds so that the server can’t disrupt the network. For example, thresholds of 10 CPS for Alarm Rate, 20 CPS for Activate Rate, and 30 CPS for Max Rate ensure that the firewall adds the source address to the hardware block table instead of using other system resources.
- For setting aggregate DoS Protection profile thresholds, you can use Zone Protection profile threshold measurements as a starting point, especially if you intend to cover most of the servers in a zone with aggregate DoS protection. If the zone contains only the devices to which you want to apply an aggregate DoS Protection profile, then the CPS numbers are exactly the same as the Zone Protection profile numbers. If the zone contains both devices that you want to protect with an aggregate DoS Protection profile and devices that you don’t want to protect with an aggregate DoS Protection profile, you can use the Zone Protection CPS measurements as a starting point and experiment with the thresholds to tune them properly.
- Use third-party tools such as Wireshark or NetFlow to collect and analyze network traffic.
- Use scripts to automate CPS information collection and continuous monitoring, and to mine information from the logs.
- Configure every Security policy rule on the firewall to Log at Session End. If you have no monitoring tools such as NetFlow or Wireshark, and cannot obtain or develop automated scripts, Log at Session End captures the number of connections at the session end. While this doesn’t provide CPS information, it does show you the number of sessions ending in the selected time duration and you can make an approximate calculation of the sessions per second from that information.
- Work with application teams to understand the normal and peak CPS to their servers and the maximum CPS those servers can support.
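To turn the ACC session arithmetic and the SNMP divide-by-two note above into a repeatable check, here is an added Python example (not part of the PAN-OS documentation) that derives average CPS baselines for classified and aggregate DoS Protection profiles from ACC session totals and corrects doubled PanZone*Cps MIB values; the session totals are constructed from the figures quoted on this page, the 10.0.0.x group addresses are made up, and the function names are assumptions.

```python
"""Derive CPS baselines for DoS Protection profiles from ACC session totals.

Added example, not from the PAN-OS documentation. Session totals are
constructed from the figures quoted on the page; function names are assumptions.
"""
from __future__ import annotations

# Seconds in the ACC "Time" filter periods used on the page.
PERIOD_SECONDS = {
    "Last Hour": 3_600,
    "Last 7 Days": 7 * 24 * 60 * 60,    # 604,800
    "Last 30 Days": 30 * 24 * 60 * 60,  # 2,592,000
}


def average_cps(sessions: int, period_seconds: int) -> float:
    """ACC session count divided by the seconds in the selected Time period."""
    if period_seconds <= 0:
        raise ValueError("period must be a positive number of seconds")
    return sessions / period_seconds


def true_cps_from_mib(mib_value: int) -> float:
    """PanZoneActiveTcpCps, PanZoneActiveUdpCps and PanZoneOtherIpCps count the
    C2S and S2C segments separately, so the MIB value is twice the real CPS."""
    return mib_value / 2


def classified_baselines(sessions_by_ip: dict[str, int], period_seconds: int) -> dict[str, float]:
    """Classified profiles apply the threshold per destination IP, so each
    protected server gets its own average CPS."""
    return {ip: average_cps(n, period_seconds) for ip, n in sessions_by_ip.items()}


def aggregate_baseline(sessions_by_ip: dict[str, int], period_seconds: int) -> float:
    """Aggregate profiles apply one threshold to the whole group, so the
    baseline is the group's combined CPS, not any single server's."""
    return average_cps(sum(sessions_by_ip.values()), period_seconds)


def thresholds_are_consistent(observed_peak_cps: float, alarm: int, activate: int, max_rate: int) -> bool:
    """Sanity check for a candidate Alarm/Activate/Max triple: the rates must be
    ordered, and Max Rate must sit above the observed legitimate peak, otherwise
    the profile throttles legitimate connections instead of only floods."""
    return alarm <= activate <= max_rate and max_rate > observed_peak_cps


if __name__ == "__main__":
    # From the page: one server received 1.7 million sessions in seven days.
    seven_days = PERIOD_SECONDS["Last 7 Days"]
    print(f"137.145.204.10 average: {average_cps(1_700_000, seven_days):.2f} CPS")

    # Constructed group of three servers over 30 days (the page's 155,300,000 total).
    group = {"10.0.0.11": 90_000_000, "10.0.0.12": 40_300_000, "10.0.0.13": 25_000_000}
    thirty_days = PERIOD_SECONDS["Last 30 Days"]
    print("classified baselines:", classified_baselines(group, thirty_days))
    print(f"aggregate baseline: {aggregate_baseline(group, thirty_days):.1f} CPS")
    print("MIB value 20,000 ->", true_cps_from_mib(20_000), "real CPS")
```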
To conserve resources, the firewall measures the aggregate CPS at ten-second intervals. For this reason, measurements you see on the firewall may not catch bursts within the ten-second interval. Although the average CPS measurements aren’t affected, the peak CPS measurements may not be precise. For example, if the firewall logs report a 5,000 CPS average in a ten-second interval, it’s possible that 4,000 CPS came in a one-second burst and the other 1,000 CPS were spread out over the remaining nine seconds.
Create separate log forwarding profiles for flood events so the appropriate administrator receives emails that contain only flood (potential DoS attack) events. Set Log Forwarding for both zone protection and DoS protection threshold events.
After you implement Zone and DoS protection, use these methods to monitor the deployment, so as your network evolves and traffic patterns change, you adjust flood protection thresholds.
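The ten-second sampling caveat above, as an added Python example (not from the PAN-OS documentation): it runs a constructed per-second connection series through a ten-second averager and shows that a one-second burst and a steady stream report the same interval average, so the sampled peak understates the true peak; function names are assumptions.

```python
"""Show how ten-second CPS sampling hides sub-interval bursts.

Added example, not from the PAN-OS documentation. The per-second
connection counts are constructed; function names are assumptions.
"""
from __future__ import annotations


def interval_averages(per_second: list[int], interval: int = 10) -> list[float]:
    """Average CPS per whole sampling interval, as a sampler that reports every
    `interval` seconds would see it (the firewall samples every 10 seconds)."""
    if interval <= 0:
        raise ValueError("interval must be positive")
    averages = []
    for start in range(0, len(per_second), interval):
        window = per_second[start:start + interval]
        averages.append(sum(window) / len(window))
    return averages


def peak_gap(per_second: list[int], interval: int = 10) -> tuple[int, float]:
    """Return (true one-second peak, highest interval average). The first is
    what a flood actually looks like on the wire; the second is what the
    sampled measurement reports, so the gap is the burst the sampling hides."""
    return max(per_second), max(interval_averages(per_second, interval))


# Constructed: ten seconds totalling 50,000 connections. One second carries a
# 14,000-connection burst and the other nine carry 4,000 each.
BURSTY = [4_000] * 4 + [14_000] + [4_000] * 5
# Constructed: the same 50,000 connections spread evenly at 5,000 per second.
STEADY = [5_000] * 10

if __name__ == "__main__":
    print("bursty interval average:", interval_averages(BURSTY))  # [5000.0]
    print("steady interval average:", interval_averages(STEADY))  # [5000.0]
    print("bursty true peak vs reported:", peak_gap(BURSTY))      # (14000, 5000.0)
```

Because both series average to 5,000 CPS per ten-second sample, a threshold derived only from sampled peaks should leave headroom for bursts the firewall's own measurements cannot resolve.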