How to Reduce the Session Table Utilization %

Created On 02/02/23 04:21 AM - Last Modified 12/09/23 00:59 AM


Objective


  • When a traffic flow comes through the Palo Alto Networks firewall, the firewall installs what is called a "session" for that traffic flow.
  • A session is defined by two unidirectional flows (one bi-directional flow).
  • Each session is uniquely identified by a single 6-tuple key:
    • Source IP Address
    • Source Port
    • Destination IP Address
    • Destination Port
    • Protocol
    • Source Security Zone
  • Each firewall (varies by model) can only hold a certain number of sessions before the session table reaches its capacity (i.e. the session table becomes full).
  • This article helps to identify the traffic flows which are taking up a high number of sessions in the session table (CLI: > show session all)


Environment


  • Palo Alto Firewalls
  • Supported PAN-OS
  • Session Table Utilization


Procedure


  1. Identify the Source IP(s) and Destination IP(s) of the traffic flows which are taking up the highest number of sessions by referring to:
    a. Web UI: ACC tab > Network Activity > Source IP Activity, Destination IP Activity / Application Usage > select the Sessions radio button
    b. Web UI: Monitor > Logs > Traffic; use Filters to search for the IP addresses found in the above ACC charts
    c. CLI: > show session all
    d. CLI: > show system statistics session
  • The goal with all of the above is to search through them and find which Source IPs or Destination IPs you see repeatedly (or which carry a high number of sessions).
  • These are the offending sessions which are likely taking up the highest share of Session Table Utilization %.
  • They should be further examined to determine whether they are valid traffic flows in your organization, or whether they come from attackers/malicious/rogue hosts or are unnecessary/accidental/unintentional traffic flows.
  2. Mitigate or stop these traffic flows (i.e. reduce Session Table Utilization %) using the below steps:
    a. Shut down/stop the traffic flow(s) at its source (so it does not reach the firewall in the first place)
    b. Create/adjust a Security Policy rule to deny that traffic.
    c. Configure Zone Protection and/or DoS Protection on the firewall. Detailed steps can be found in Troubleshooting DoS Attacks and Zone Protection profile - Flood Detection

Notes:
1- For 2.b, be careful that the traffic being denied will not be denied at its slow path stage (this typically happens for UDP traffic such as syslog traffic); otherwise, denying such traffic using a security policy can cause high DP CPU, due to the increase in traffic being denied at the slow path stage by that security policy.
2- Clear these offending sessions from the firewall after the above has been configured. This can be done using the commands below, for example:
> clear session all filter source 192.168.51.71
> clear session all filter destination 8.8.8.8
> clear session all filter application skype

After clearing the sessions, ensure they do not return by running the CLI command "> show session all" again. Otherwise, refer back to and perform Step 2 above.

  3. (Optional) Enable Accelerated Aging of Sessions
Navigate to Web UI: Device > Setup > Session > Session Settings (edit) > Accelerated Aging (enable)
  • While Accelerated Aging can assist in lowering Session Table Utilization, Step 2 above is the preferred and recommended method of reducing Session Table Utilization.
  • Accelerated Aging should not be necessary and should only be used when Step 2 above did not resolve the issue.
  • For information on configuring Accelerated Aging according to best practices, refer to Step 6 in Configure Session Settings and Session - Accelerated Aging
  4. Change Session Distribution Policy (multi-slot platforms only)
Using the CLI, run the commands below:
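To do the counting from the identification step mechanically, here is an added Python example (not from this article or from Palo Alto Networks) that tallies sessions per source IP, destination IP and application from a constructed, simplified "show session all" dump, and builds the "clear session all filter source" commands from note 2 for any source holding more than a chosen number of sessions. It assumes the two-line-per-session layout (Src line followed by the vsys/Dst line); real column spacing varies by PAN-OS version, so the parser keys on the "ip[port]/zone" tokens rather than on column positions.

```python
import re
from collections import Counter

# Constructed, simplified "show session all" dump: two lines per session
# (Src line, then the vsys/Dst line). Real PAN-OS column spacing varies.
SAMPLE = """\
ID     Application State  Type Flag Src[Sport]/Zone/Proto (translated IP[Port])
Vsys                                Dst[Dport]/Zone (translated IP[Port])
------------------------------------------------------------------------------
1001   dns         ACTIVE FLOW NS   192.168.51.71[55001]/trust/17 (192.168.51.71[55001])
vsys1                               8.8.8.8[53]/untrust (8.8.8.8[53])
1002   dns         ACTIVE FLOW NS   192.168.51.71[55002]/trust/17 (192.168.51.71[55002])
vsys1                               8.8.8.8[53]/untrust (8.8.8.8[53])
1003   dns         ACTIVE FLOW NS   192.168.51.71[55003]/trust/17 (192.168.51.71[55003])
vsys1                               8.8.8.8[53]/untrust (8.8.8.8[53])
1004   ssl         ACTIVE FLOW NS   192.168.51.20[44001]/trust/6 (192.168.51.20[44001])
vsys1                               203.0.113.10[443]/untrust (203.0.113.10[443])
"""

# Src line: numeric session ID, app, then the first "ip[port]/zone/proto" token.
SRC_RE = re.compile(r"^(\d+)\s+(\S+)\s+.*?(\d+(?:\.\d+){3})\[(\d+)\]/(\S+?)/(\d+)")
# Dst line: starts with the vsys name, then "ip[port]/zone".
DST_RE = re.compile(r"^vsys\d+\s+(\d+(?:\.\d+){3})\[(\d+)\]/(\S+)")


def parse_sessions(text):
    """Return one dict per session, pairing each Src line with its Dst line."""
    sessions, pending = [], None
    for line in text.splitlines():
        m = SRC_RE.match(line)
        if m:
            pending = {"id": int(m[1]), "app": m[2], "src": m[3],
                       "sport": int(m[4]), "src_zone": m[5], "proto": int(m[6])}
            continue
        m = DST_RE.match(line)
        if m and pending is not None:
            pending.update(dst=m[1], dport=int(m[2]), dst_zone=m[3])
            sessions.append(pending)
            pending = None
    return sessions


def top_talkers(sessions, key, n=None):
    """Rank values of `key` ("src", "dst" or "app") by session count."""
    return Counter(s[key] for s in sessions).most_common(n)


def clear_commands(sessions, threshold):
    """Clear commands (note 2) for sources holding more than `threshold` sessions."""
    return [f"> clear session all filter source {ip}"
            for ip, count in top_talkers(sessions, "src") if count > threshold]
```

Paste the real CLI output in place of SAMPLE and review each source that top_talkers reports before running the generated clear commands, since a busy but legitimate host (a DNS forwarder, for example) will rank just as high as a rogue one.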
> show session distribution policy
Ownership Distribution Policy: ingress-slot

> show session distribution statistics
DP     Active    Dispatched Dispatched/sec
------------------------------------------
s1dp0    78698    7829818   14513
s1dp1    78775    7831384   110
s3dp0    7796     736639    120
s3dp1    7707     737026    130

In the example above, most or all sessions were being load-balanced to a single slot and data plane (s1dp0) because the Session Distribution Policy was set to ingress-slot.

Once Session Distribution Policy was changed to round-robin, random, or session-load, the sessions were more evenly distributed across the four slots and DPs as seen below, thus reducing the Session Table Utilization (%) on each slot/DP.

> show session distribution statistics
DP     Active    Dispatched Dispatched/sec
------------------------------------------
s1dp0    78698    7829818   3547
s1dp1    78775    7831384   3898
s3dp0    7796     736639    3621
s3dp1    7707     737026    3542

More information on Session Distribution Policy can be found here.

 


Additional Information


For more information on sessions, volumetric DDoS attacks which commonly take up a high number of sessions, or to identify any traffic which is creating a high number of sessions (thus increasing session table utilization %), refer to the below documents:
