You can configure Packet Buffer Protection at two levels: globally at the device level and, once it is enabled globally, additionally per zone.

Global packet buffer protection protects firewall resources so that malicious traffic cannot exhaust the packet buffers and cause the firewall to become unresponsive.

Packet buffer protection per ingress zone is a second layer of protection: if a source continues to exceed the packet buffer protection thresholds, the firewall starts blocking that source IP address and can block all traffic from it. Keep in mind that if the source IP address is a NAT-translated address, many users may share that same address. If one abusive user triggers packet buffer protection and the ingress zone has packet buffer protection enabled, the firewall puts the address on its block list and all traffic from that source IP address, including traffic from non-abusive users behind the same NAT, can be blocked.

The most effective way to block DoS attacks against a service behind the firewall is to configure packet buffer protection both globally and per ingress zone.

You can Enable Packet Buffer Protection for a zone, but the zone-level setting is not active until you enable packet buffer protection globally and specify the global settings.