CPUG - The Check Point User Group
A Resource For The Check Point Community. Fast. Useful. Independent.
Hi All! We have CP NGX R60 on six firewalls. The total number of packets we see in the Smart Tracker each day is on the order of 2.5-3.5 million packets. Across all of the firewalls we have on the order of 2-3000 drops between 150 nodes for those cases where we cannot immediately determine the cause (e.g. incorrectly configured applications). My boss wants to get the drops down to 0. Although I imagine that this is theoretically possible, I believe that it is either unrealistic or we are going to be spending all of our time chasing ghosts in the hardware looking for the cause of the last few packets. With that said, I have been looking for some numbers that I can use as a base. That is, what percentage of drops is "acceptable"? Granted, 500 drops from one machine to a specific machine with 500 different ports means something a lot different than 500 random ports on different machines. However, I am looking for a number that I can use as a guide. Any info is appreciated. Regards, jimmo

There are no numbers that can say what is reasonable. It all depends on setup, applications, amount of traffic generated etc. You will NEVER get down to 0 cause your firewall will always be hammered from the internet side and you can't do squat about that, unless you disable logging ofc, and that is kind of the point with logs, so you can see what is going on in real time and historically ;) If this is about dropped traffic generated from inside of your network you can always skip logging on trash traffic like broadcast/dhcp/bootp etc. It all depends on traffic when it comes to other applications, but disabling those above would clear your log a bit and then you can start hunting down what is left and generated from your internal network.

Thanks for the response. The reports I am looking at only cover the *internal* firewalls. Perhaps I should phrase it a different way. Assume that all of the applications are configured correctly and are not trying to talk to machines they should not. In your experience, what percentage of drops can one expect from "inexplicable" things like corrupt packets? (granted, packets shouldn't be corrupt)

Well, SmartDefense doesn't help that much so to speak :) You can expect plenty of errors if you are using Microsoft sharing (nbt, nbsession etc) and also occasional out-of-state packets if you restart firewalls or push policy. It's really hard to say, but most of the errors you get should be those from SmartDefense. Tweaking and sometimes necessarily disabling certain checks should get this down to low numbers.

nbt, nbsession, nbname are definitely in the top 10 drops. Fortunately, these are coming only from a handful of machines in one segment, so we could deactivate the logging for these packets. In the meantime we did find a couple of applications that were incorrectly configured, so that brings down the total to under 1000 for all the firewalls.

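The triage the thread converges on (strip the known NetBIOS/DHCP/BOOTP noise first, then separate "one machine hitting one machine on many ports" from scattered one-off drops) can be scripted over a log export. The script below is an added example, not code from the thread or from Check Point. It assumes a simplified CSV export with columns time,src,dst,service,proto,action; a real SmartView Tracker export has different columns, so the field names and the NOISE_SERVICES set are assumptions to adapt. All hosts, times and services in SAMPLE_LOG are constructed.

```python
import csv
import io
from collections import Counter, defaultdict

# Constructed sample export (hypothetical hosts, times and services). A real
# SmartView Tracker export has more columns; map the field names to your own.
SAMPLE_LOG = """\
time,src,dst,service,proto,action
08:00:01,10.1.1.5,10.1.2.9,nbname,udp,drop
08:00:02,10.1.1.5,10.1.2.9,nbsession,tcp,drop
08:00:03,10.1.1.5,10.1.2.9,nbdatagram,udp,drop
08:00:04,10.1.1.20,255.255.255.255,bootp,udp,drop
08:00:05,10.1.1.21,10.1.1.255,udp/9999,udp,drop
08:00:06,10.1.3.7,10.1.4.8,tcp/1024,tcp,drop
08:00:07,10.1.3.7,10.1.4.8,tcp/1025,tcp,drop
08:00:08,10.1.3.7,10.1.4.8,tcp/1026,tcp,drop
08:00:09,10.1.3.7,10.1.4.8,tcp/1027,tcp,drop
08:00:10,10.1.3.7,10.1.4.8,tcp/1028,tcp,drop
08:00:11,10.1.5.2,10.1.6.3,https,tcp,accept
08:00:12,10.1.5.2,10.1.6.3,tcp/8443,tcp,drop
08:00:13,10.1.7.9,10.1.8.1,ssh,tcp,drop
08:00:14,10.1.7.9,10.1.8.1,ssh,tcp,drop
"""

# Services the thread treats as log noise when dropped on internal firewalls
# (NetBIOS and DHCP/BOOTP). Assumed names; extend to match your own rulebase.
NOISE_SERVICES = {"nbname", "nbsession", "nbdatagram", "bootp", "dhcp"}


def is_broadcast(ip):
    """Limited broadcast, or (crude /24 heuristic) directed broadcast."""
    return ip == "255.255.255.255" or ip.endswith(".255")


def parse_log(text):
    """Parse the simplified CSV export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def triage(rows, fanout_threshold=5):
    """Split drops into noise, one-to-one fan-out pairs, and the rest.

    Fan-out: one source hitting one destination on >= fanout_threshold
    distinct services, which usually points at a misconfigured application
    rather than random breakage. What is left is the set of drops worth
    chasing individually, counted per (src, dst, service).
    """
    drops = [r for r in rows if r["action"] == "drop"]
    noise = Counter()
    services_per_pair = defaultdict(set)
    kept = []
    for r in drops:
        if r["service"] in NOISE_SERVICES or is_broadcast(r["dst"]):
            noise[r["service"]] += 1
            continue
        services_per_pair[(r["src"], r["dst"])].add(r["service"])
        kept.append(r)
    fanout = {pair: sorted(svcs) for pair, svcs in services_per_pair.items()
              if len(svcs) >= fanout_threshold}
    unexplained = Counter(
        (r["src"], r["dst"], r["service"]) for r in kept
        if (r["src"], r["dst"]) not in fanout)
    return {
        "logged": len(rows),
        "drops": len(drops),
        "noise": noise,
        "fanout": fanout,
        "unexplained": unexplained,
    }


def triage_sample():
    """Run the triage over the constructed sample export."""
    return triage(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    result = triage_sample()
    print(f"{result['drops']} drops of {result['logged']} logged "
          f"({100 * result['drops'] / result['logged']:.1f}%)")
    print("noise (candidates for a no-log rule):", dict(result["noise"]))
    for (src, dst), svcs in result["fanout"].items():
        print(f"fan-out {src} -> {dst}: {len(svcs)} services, e.g. {svcs[:3]}")
    print("unexplained, most frequent first:")
    for key, n in result["unexplained"].most_common():
        print(f"  {n:4d}  {key[0]} -> {key[1]} {key[2]}")
```

The noise bucket is what you would turn off logging for (or move to a dedicated no-log rule), the fan-out bucket is the list of applications to hand back to their owners, and the unexplained bucket, sorted by count, is the short list that actually needs investigation. Tune fanout_threshold to your environment; the 5 used here is an arbitrary starting point.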