Screen OS

This is a legacy community with limited Juniper monitoring.
  • 1.  SSG-520 port health/subnet monitoring?

    Posted 12-24-2014 11:13

    Okay, so I'm digging into congestion issues surrounding my SSG520 and downstream/upstream traffic, and (forgive me if this has been asked/answered somewhere obvious, please point accordingly) I'm wondering if there's a way to, for example, monitor rogue/insane traffic on a port?

     

    I guess what I'm saying is my suspect traffic is in a DMZ 0/1 on the 520, and I'd like to know if there's some downstream device pummeling everyone else, flooding my port (or downstream switch ports) and causing congestion/issues. I'm not quite sure how I would know that.

     

    Elsewhere on that subnet I have a mirror port on a switch and I'm trying to see if I can see stuff there with a sensor just listening, but I'm not quite sure how to dig into that with Wireshark or some such, or whether that's even the right tool, and also I'm wondering if the SSG520 has anything to keep "bad things" from happening to a given port/subnet that would simplify my search?



  • 2.  RE: SSG-520 port health/subnet monitoring?
    Best Answer

     
    Posted 12-24-2014 21:08

    Hi,

     

    That is a very broad area and the SSG code isn't really tuned to perform network diagnostics. Your best bet would be the port mirror captures from the switch. You can use the 'Statistics' option in Wireshark to identify the top talkers.

     

    That said, you can look for the below on the SSG:

     

    1. Interface stats ==> get counter stat int e0/1 (or any other interface). Repeat this a couple of times and look for increments of errors like in-overrun, unknown packet, etc.

    2. If the flood is not being dropped on the interface and is reaching the processor, CPU utilisation will rise based on the amount of traffic. Track this with 'get perf cpu all detail'.

    3. SSG does have a good number of protection features against floods and DoS attacks, like syn flood protection, session limit, etc. If they are turned ON in your DMZ zone, you will see alerts in the event log (get event). The source IP will be reported here.
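
An added example, not part of the original thread: a standard-library Python sketch of the "top talkers" check on a mirror-port capture, ranking IPv4 source addresses by bytes on the wire. It assumes a classic `.pcap` file with Ethernet framing; the sample capture and its addresses are constructed for illustration.

```python
import struct
from collections import Counter

def ipv4_top_talkers(pcap_bytes, n=5):
    """Return [(source_ip, bytes_on_wire), ...] for a classic Ethernet pcap."""
    magic = pcap_bytes[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic microsecond pcap (convert pcapng first)")
    if struct.unpack(endian + "I", pcap_bytes[20:24])[0] != 1:
        raise ValueError("only Ethernet (linktype 1) captures are handled")
    totals, off = Counter(), 24
    while off + 16 <= len(pcap_bytes):
        incl_len, orig_len = struct.unpack(endian + "II", pcap_bytes[off + 8:off + 16])
        frame = pcap_bytes[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < incl_len:
            break  # capture file was cut off mid-record
        l3 = 18 if frame[12:14] == b"\x81\x00" else 14  # skip one 802.1Q tag
        if frame[l3 - 2:l3] != b"\x08\x00" or len(frame) < l3 + 20:
            continue  # not IPv4 (ARP, IPv6, ...) or too short to hold an IP header
        src = ".".join(str(b) for b in frame[l3 + 12:l3 + 16])
        totals[src] += orig_len  # original length, even if the snaplen truncated it
    return totals.most_common(n)

def _frame(src, payload_len):
    """Constructed Ethernet + IPv4 frame with zeroed MACs and payload."""
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = b"\x45\x00" + struct.pack(">H", 20 + payload_len) + b"\x00" * 8
    return eth + ip + bytes(src) + bytes((192, 0, 2, 1)) + b"\x00" * payload_len

def build_sample_pcap():
    """Constructed capture: one noisy host and one quiet host (made-up addresses)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    frames = [_frame((10, 0, 1, 50), 1400)] * 3 + [_frame((10, 0, 1, 20), 100)]
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

if __name__ == "__main__":
    for ip, nbytes in ipv4_top_talkers(build_sample_pcap()):
        print(f"{ip:15} {nbytes} bytes")
```

To run it on a real capture, pass the file contents, for example `ipv4_top_talkers(open(path, "rb").read())`, where `path` is your own capture file.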



  • 3.  RE: SSG-520 port health/subnet monitoring?

    Posted 12-26-2014 10:15

    wonderful, that's very helpful, thanks 🙂