Configure Packet Buffer Protection
You can configure Packet Buffer Protection at two levels: globally (the device level) and, once it is enabled globally, per zone. Global packet buffer protection (Device > Setup > Session) protects firewall resources and ensures that malicious traffic does not cause the firewall to become unresponsive.
Packet buffer protection per ingress zone (Network > Zones) is a second layer of protection that blocks the offending source IP address if it continues to exceed the packet buffer protection thresholds. The firewall can block all traffic from the offending source IP address. Keep in mind that if the source IP address is a translated NAT address, many users can share that address. If one abusive user triggers packet buffer protection and the ingress zone has packet buffer protection enabled, all traffic from that source IP address (including traffic from non-abusive users behind the same NAT) is blocked once the firewall puts the address on its block list.
The most effective way to block DoS attacks against a service behind the firewall is to configure packet buffer protection both globally and per ingress zone.
You can enable Packet Buffer Protection for a zone, but it is not active until you enable packet buffer protection globally and specify the global settings.
In PAN-OS 11.2.3 and later versions, you can also configure packet buffer protection based on latency alongside these settings.
  1. Enable packet buffer protection globally.
1. Select Device > Setup > Session and edit the Session Settings.
    2. Select Packet Buffer Protection.
    3. Define the packet buffer protection behavior:
• Alert (%)—When packet buffer utilization exceeds this threshold for more than 10 seconds, the firewall creates a log event every minute. Range is 0% to 99%; default is 50%. If the value is 0%, the firewall does not create a log event.
      • Activate (%)—When packet buffer utilization reaches this threshold, the firewall begins to mitigate the most abusive sessions by applying random early drop (RED). Range is 0% to 99%; default is 50%. If the value is 0%, the firewall does not apply RED. If the abuser is ingressing a zone that has Packet Buffer Protection enabled, the firewall can also discard the abusive session or block the offending source IP address. Start with the default threshold and adjust it if necessary.
The firewall records alert events in the System log, and records events for dropped traffic, discarded sessions, and blocked IP addresses in the Threat log.
      • Block Countdown Threshold (%)—The buffer utilization percentage that starts the countdown to discard or block offending traffic. When buffer utilization reaches this threshold, the Block Hold Time begins to decrement; when the hold time runs out, the firewall discards the offending sessions or blocks the offending hosts. Default is 80%.
      • Block Hold Time (sec)—Number of seconds a RED-mitigated session is allowed to continue before the firewall discards it. Range is 0 to 65,535; default is 60. If the value is 0, the firewall does not discard sessions based on packet buffer protection.
      • Block Duration (sec)—Number of seconds a session remains discarded or an IP address remains blocked. Range is 1 to 15,999,999; default is 3,600.
    4. Click OK.
    5. Commit your changes.
  2. Enable additional packet buffer protection on an ingress zone.
1. Select Network > Zones.
    2. Choose an ingress zone and click on its name.
    3. Enable Packet Buffer Protection in the Zone Protection section.
    4. Click OK.
    5. Commit your changes.
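The way the five global settings and the per-zone toggle interact (Alert logging after 10 seconds, RED at Activate, the Block Hold Time countdown above the Block Countdown Threshold, and discard or IP block for Block Duration) is easier to see on a timeline than in the list above, and the NAT caveat from the introduction is easiest to see the same way. The following simulation is an added example and is not PAN-OS code or anything from the Palo Alto Networks documentation. It models the documented thresholds only; the firewall's actual RED weighting, how it ranks "most abusive" sessions, and whether the countdown pauses or restarts when congestion clears are not stated on this page, so the model marks sessions flagged `abusive` as the RED targets and assumes the countdown restarts once utilization drops below the countdown threshold. The traffic, the session IDs `s1`..`s3`, the addresses, and the shortened hold time and block duration are constructed for the run.

```python
"""Model of the packet buffer protection thresholds described above. Constructed
illustration, not PAN-OS code: the firewall's real RED weighting and timer
internals are not documented on this page."""
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class PbpConfig:
    """Global settings (Device > Setup > Session) plus the per-zone toggle."""
    alert_pct: int = 50            # 0 disables alert logging
    activate_pct: int = 50         # 0 disables random early drop (RED)
    countdown_pct: int = 80        # starts the Block Hold Time countdown
    hold_time_s: int = 60          # 0 disables discard and block
    block_duration_s: int = 3600
    zone_pbp_enabled: bool = True  # Network > Zones > Zone Protection


@dataclass
class Session:
    sid: str
    src_ip: str
    abusive: bool  # would the firewall rank it among the most abusive sessions


class PbpSimulator:
    """Replays one-second buffer-utilization samples through the threshold logic."""
    def __init__(self, cfg: PbpConfig, sessions: list[Session]):
        self.cfg, self.sessions = cfg, sessions
        self.system_log: list[tuple[int, str]] = []  # alert events
        self.threat_log: list[tuple[int, str]] = []  # RED, discard, block events
        self.over_alert_since = self.last_alert_log = None
        self.red: set[str] = set()                   # sessions under RED
        self.countdown: dict[str, int] = {}          # remaining hold time per RED session
        self.discarded_until: dict[str, int] = {}    # session -> discard expiry
        self.blocked_until: dict[str, int] = {}      # source IP -> block expiry

    def is_dropped(self, s: Session) -> bool:
        # A discarded session, or any session whose source IP is on the block list.
        return s.sid in self.discarded_until or s.src_ip in self.blocked_until

    def step(self, t: int, util_pct: int) -> None:
        c = self.cfg
        # Expire discards and IP blocks whose Block Duration has elapsed.
        self.discarded_until = {k: v for k, v in self.discarded_until.items() if v > t}
        self.blocked_until = {k: v for k, v in self.blocked_until.items() if v > t}

        # Alert: one System log per minute once utilization exceeds Alert for >10 s.
        if c.alert_pct and util_pct > c.alert_pct:
            if self.over_alert_since is None:
                self.over_alert_since = t
            if t - self.over_alert_since > 10 and (
                    self.last_alert_log is None or t - self.last_alert_log >= 60):
                self.system_log.append((t, f"buffer {util_pct}% > alert {c.alert_pct}%"))
                self.last_alert_log = t
        else:
            self.over_alert_since = None

        # Activate: RED on the most abusive live sessions, logged to the Threat log.
        if c.activate_pct and util_pct >= c.activate_pct:
            for s in self.sessions:
                if s.abusive and not self.is_dropped(s) and s.sid not in self.red:
                    self.red.add(s.sid)
                    self.threat_log.append((t, f"RED applied to {s.sid}"))

        # Countdown: above Block Countdown Threshold, Block Hold Time ticks down per
        # RED session; at zero it is discarded and, with zone PBP on, its IP is blocked.
        if c.hold_time_s and util_pct >= c.countdown_pct:
            for s in self.sessions:
                if s.sid in self.red and not self.is_dropped(s):
                    remaining = self.countdown.get(s.sid, c.hold_time_s) - 1
                    self.countdown[s.sid] = remaining
                    if remaining <= 0:
                        self.countdown.pop(s.sid)
                        self.discarded_until[s.sid] = t + c.block_duration_s
                        self.threat_log.append((t, f"discarded {s.sid}"))
                        if c.zone_pbp_enabled:
                            self.blocked_until[s.src_ip] = t + c.block_duration_s
                            self.threat_log.append((t, f"blocked {s.src_ip}"))
        else:
            self.countdown.clear()  # assumption: countdown restarts once congestion clears

    def run(self, util_samples: list[int]) -> dict[int, set[str]]:
        # Per second, the session IDs the firewall would be dropping after that step.
        timeline = {}
        for t, u in enumerate(util_samples):
            self.step(t, u)
            timeline[t] = {s.sid for s in self.sessions if self.is_dropped(s)}
        return timeline


def run_scenario(hold_time_s: int = 3, block_duration_s: int = 10, zone_pbp: bool = True):
    """Constructed traffic: abuser s1 and innocent client s2 share one NAT address, s3 is
    unrelated. Buffer sits at 90% for 12 s, then 20%. Timers shortened from the defaults."""
    cfg = PbpConfig(hold_time_s=hold_time_s, block_duration_s=block_duration_s,
                    zone_pbp_enabled=zone_pbp)
    sessions = [Session("s1", "203.0.113.10", abusive=True),
                Session("s2", "203.0.113.10", abusive=False),
                Session("s3", "198.51.100.5", abusive=False)]
    sim = PbpSimulator(cfg, sessions)
    return sim, sim.run([90] * 12 + [20] * 18)
```

Running `run_scenario()` with the defaults above puts `s1` under RED at t=0, discards it at t=2 when the 3-second hold time expires, and, because the zone toggle is on, blocks 203.0.113.10 at the same moment, which also drops the innocent `s2` behind the same NAT address while `s3` is untouched; the single Alert entry appears at t=11, after utilization has been above 50% for more than 10 seconds. With `zone_pbp=False` only `s1` is discarded and `s2` keeps flowing, and with `hold_time_s=0` nothing is ever discarded or blocked, which matches the "0 disables" notes in the settings list.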