Configuring Thresholds for RPZ Hit Rate
The RPZ hit rate is the ratio of the number of queries whose genuine response is modified by RPZ rules to the total number of incoming queries. A high RPZ hit rate is unexpected and might warrant your attention. Queries that hit passthru RPZ rules are not considered for the RPZ hit rate. You can configure thresholds for the RPZ hit rate, above which the appliance makes a syslog entry and sends alerts as SNMP traps and email notifications. You must enable notifications for the appliance to send SNMP traps and email notifications. For information about setting the SNMP trap and email notifications, see Setting SNMP and Email Notifications.
Note that the appliance calculates the RPZ hit rate globally for all DNS views, so the RPZ hit rate can sometimes be misleading. For example, if there are multiple DNS views with or without RPZ rules, some DNS views might receive a substantial number of normal queries, obscuring a possibly high RPZ hit rate in the other DNS views. Also, when the DNS server is configured for both authoritative and recursive queries, the authoritative zones might receive a substantial number of queries for which RPZ rules are not considered. This can make the resulting RPZ hit rate look normal even if there is an excessive number of hits for recursive queries.
To configure the thresholds for RPZ hit rate:
1. Grid: From the Grid tab, select the Grid Manager tab, and then select Grid Properties -> Edit from the Toolbar.
   Member: From the Grid tab, select the Grid Manager -> Members tab -> member, and then click the Edit icon.
2. In the Grid Properties or Grid Member Properties editor, click Toggle Advanced Mode, and then select the SNMP Threshold tab.
3. Complete the following in the Response Policy Zones Hit Rate Configuration section of the SNMP Threshold tab.
- RPZ Hit Rate: Click Override to override the inherited settings, and specify the following:
- Trigger %: Enter the Trigger value between 0 and 100. If the RPZ hit rate equals the Trigger value, the appliance logs a syslog entry and — if configured to do so — sends an SNMP trap and an email notification. The default Trigger value is 10%.
- Reset %: Enter the Reset value between 0 and 100. If the RPZ hit rate equals the Reset value, the appliance logs a syslog entry and — if configured to do so — sends an SNMP trap and an email notification, to notify that the RPZ hit rate has gone back to an acceptable level. The default Reset value is 2%.
- Interval: Enter the time interval that determines when the appliance starts calculating the RPZ hit rate. You can enter a value between 1 and 86400. The default value is 10 seconds. At the end of each interval, if the number of incoming queries equals or exceeds the Minimum query value, the appliance calculates the RPZ hit rate. If the RPZ hit rate exceeds the Trigger value, the appliance sends notifications and continues to send notifications at the end of subsequent intervals, until the RPZ hit rate equals the Reset value.
Note that the appliance calculates the RPZ hit rate at the end of each Interval or when the number of incoming queries reaches the Maximum query value, whichever comes sooner.
- Minimum query: Specify the minimum number of queries received between the RPZ hit rate checks. The default value is 1000. The appliance calculates the RPZ hit rate when the number of incoming queries equals or exceeds the Minimum query value at the end of the Interval. If the total number of incoming queries is less than the Minimum query value, the appliance skips the RPZ hit rate check and the query count continues to accumulate into subsequent intervals until the Minimum query is met.
- Maximum query: Specify the maximum number of queries received between the RPZ hit rate checks. The default value is 100000. When the number of incoming queries equals or exceeds this value, the appliance calculates the RPZ hit rate and does not wait for the expiration of the Interval.
4. Save the configuration and click Restart if it appears at the top of the screen.
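The following Python sketch is an added example, not appliance code: it models the Interval, Minimum query, Maximum query, Trigger and Reset behavior described above, and shows how a single global hit rate can hide a high rate in one DNS view. The class and function names, the view names, the sample counts, the reset of counters after each check, and the "at or above Trigger" and "at or below Reset" comparisons are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass
class RpzHitRateMonitor:
    """Model of the documented check logic; not appliance code."""
    trigger_pct: float = 10.0   # defaults taken from the page
    reset_pct: float = 2.0
    min_query: int = 1000
    max_query: int = 100000
    queries: int = 0
    hits: int = 0
    alarmed: bool = False

    def record(self, queries, rewritten):
        """Add traffic. `rewritten` excludes passthru rule hits."""
        self.queries += queries
        self.hits += rewritten
        # Maximum query reached: check now, without waiting for the Interval.
        return self._check() if self.queries >= self.max_query else None

    def interval_end(self):
        # Below Minimum query: skip the check; counts carry into the next interval.
        return self._check() if self.queries >= self.min_query else None

    def _check(self):
        rate = 100.0 * self.hits / self.queries
        self.queries = self.hits = 0            # assumption: counters restart per check
        if rate >= self.trigger_pct:            # assumption: at or above Trigger
            self.alarmed = True
        elif self.alarmed and rate <= self.reset_pct:  # assumption: at or below Reset
            self.alarmed = False
            return ("RESET", rate)
        return ("ALERT" if self.alarmed else "OK", rate)

def global_vs_per_view(view_counts):
    """view_counts: {view: (queries, rewritten)} for one Interval."""
    total = RpzHitRateMonitor()
    total.record(sum(q for q, _ in view_counts.values()),
                 sum(h for _, h in view_counts.values()))
    per_view = {}
    for name, (q, h) in view_counts.items():
        m = RpzHitRateMonitor()
        m.record(q, h)
        per_view[name] = m.interval_end()
    return total.interval_end(), per_view

# Constructed sample: a busy clean view masks a small view with a 40% hit rate.
SAMPLE = {"internal": (48000, 0), "guest": (2000, 800)}

if __name__ == "__main__":
    print(global_vs_per_view(SAMPLE))
```

With the constructed sample, the global rate is 1.6% and raises no alert, while the same traffic split by view shows 40% for one view, so per-view figures have to come from a separate source such as query logs.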