Who rated this post

cancel
Showing results for 
Search instead for 
Did you mean: 
Timothy_Hall
Legend Legend
Legend

When researching my book I dug into the APCL Limit feature, trying to find a way to disable APCL limits "on the fly" for testing purposes or to monitor real-time statistics for packets dropped due to a Limit.  The goal was to ensure an enforced Limit was not the cause of poor performance.  Other than the statistics that are included in the traffic logs as demonstrated by Danny Jung‌ above, there isn't a direct way to do that.  I also discovered that APCL/URLF cannot be disabled "on the fly" like Threat Prevention can with fw amw unload.

However fw ctl zdebug drop will show real-time packet drops due to an APCL limit with the message: PSL Drop: APPI_LIMIT

Also watch out for this issue when limits are applied to traffic subject to HTTPS Inspection:

sk70600: Connectivity issues when configuring Application Control limit and enabling HTTPS Inspectio...

--
Second Edition of my "Max Power" Firewall Book
Now Available at http://www.maxpowerfirewalls.com

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
(1)
Who rated this post