Configure packet buffer protection based on CPU processing
latency to mitigate congestion on hardware firewalls.
Beginning in PAN-OS 10.0, packet buffer protection based
on packet buffer utilization is enabled by default on all firewalls
globally and for each zone.
As an alternative to packet buffer
protection based on utilization, you can now trigger packet buffer protection based
on packet latency caused by dataplane packet buffering, which
indicates congestion on the firewall. Such packet buffer protection
alerts you to the congestion and performs random early drop (RED)
on packets. Packet buffer protection based on latency can trigger
the protection before latency-sensitive protocols or applications
If your traffic includes protocols or applications
that are latency-sensitive, then packet buffer protection based
on latency will be more helpful than packet buffer protection based
on buffer utilization.
Edit the Session Settings section and enable
Buffering Latency Based.
Latency Alert (milliseconds): the latency
above which the firewall starts generating an Alert log event every
minute; range is 1 to 20,000; default is 50.
Latency Activate (milliseconds): the latency
above which the firewall activates random early drop (RED) on incoming
packets and starts generating an Activate log every 10 seconds;
range is 1 to 20,000ms; default is 200ms.
Latency Max Tolerate (milliseconds): the latency
above which the firewall uses RED with close to 100% drop probability;
range is 1 to 20,000ms; default is 500ms.
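
Before changing the defaults, it helps to see how observed buffering latency would fall against a candidate set of thresholds. The following is an added example, not Palo Alto Networks code: the function names, the constructed latency samples, the ordering check, and the linear RED ramp between Latency Activate and Latency Max Tolerate are assumptions (the page does not describe the drop curve).

```python
from collections import Counter

LIMIT_MS = range(1, 20001)  # allowed range for all three settings (from the page)
DEFAULTS = {"alert": 50, "activate": 200, "max_tolerate": 500}  # page defaults, ms

def validate(cfg):
    """Return a list of problems with a threshold set; empty means usable."""
    problems = [f"{k}={v} outside 1-20000 ms" for k, v in cfg.items() if v not in LIMIT_MS]
    # Assumption: thresholds should escalate in order; the page does not state this rule.
    if not cfg["alert"] <= cfg["activate"] <= cfg["max_tolerate"]:
        problems.append("expected alert <= activate <= max_tolerate")
    return problems

def band(latency_ms, cfg):
    """Map one latency sample to the behaviour the page describes for it."""
    if latency_ms > cfg["max_tolerate"]:
        return "red-max"   # RED with close to 100% drop probability
    if latency_ms > cfg["activate"]:
        return "red"       # RED active, Activate log every 10 seconds
    if latency_ms > cfg["alert"]:
        return "alert"     # Alert log every minute
    return "normal"

def drop_probability(latency_ms, cfg):
    """Assumed classic-RED linear ramp; 1.0 stands in for 'close to 100%'."""
    lo, hi = cfg["activate"], cfg["max_tolerate"]
    if latency_ms <= lo:
        return 0.0
    if latency_ms > hi or hi == lo:
        return 1.0
    return (latency_ms - lo) / (hi - lo)

def profile(samples, cfg):
    """Count how many samples land in each band for a candidate config."""
    return Counter(band(s, cfg) for s in samples)

# Constructed sample: dataplane buffering latency in ms, not real firewall output.
SAMPLES = [12, 35, 48, 51, 90, 140, 199, 200, 201, 350, 500, 501, 900]
TIGHT = {"alert": 20, "activate": 100, "max_tolerate": 300}  # hypothetical candidate

if __name__ == "__main__":
    for name, cfg in (("default", DEFAULTS), ("tight", TIGHT)):
        print(name, validate(cfg) or "ok", dict(profile(SAMPLES, cfg)))
```

Comparing the two profiles shows how many samples a tighter setting would move into the RED bands, which is the traffic that would start seeing drops.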