Packet Buffer Protection Based on Latency

Configure packet buffer protection based on CPU processing latency to mitigate congestion on hardware firewalls.
Beginning in PAN-OS 10.0, packet buffer protection based on packet buffer utilization is enabled by default on all firewalls globally and for each zone.
As an alternative to packet buffer protection based on utilization, you can now trigger packet buffer protection based on packet latency caused by dataplane packet buffering, which indicates congestion on the firewall. Such packet buffer protection alerts you to the congestion and performs random early drop (RED) on packets. Packet buffer protection based on latency can trigger the protection before latency-sensitive protocols or applications are affected.
If your traffic includes protocols or applications that are latency-sensitive, then packet buffer protection based on latency will be more helpful than packet buffer protection based on buffer utilization.
  1. Select Device > Setup > Session.
  2. Edit the Session Settings section and enable Packet Buffer Protection.
  3. Enable Buffering Latency Based.
  4. Enter the Latency Alert (milliseconds) threshold above which the firewall starts generating an Alert log event every minute; range is 1 to 20,000; default is 50.
  5. Enter the Latency Activate (milliseconds) threshold above which the firewall activates random early drop (RED) on incoming packets and starts generating an Activate log every 10 seconds; range is 1 to 20,000ms; default is 200ms.
  6. Enter the Latency Max Tolerate (milliseconds) threshold above which the firewall uses RED with close to 100% drop probability; range is 1 to 20,000ms; default is 500ms.
  7. Configure the Block Hold Time and Block Duration as for Packet Buffer Protection based on utilization.
  8. Click OK.
  9. Commit.
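
To see how the three thresholds interact before committing them, the following added example (not PAN-OS code or vendor tooling) replays a series of per-second latency readings against a candidate configuration and counts the Alert and Activate logs it would produce. The class and function names, the linear drop ramp between Latency Activate and Latency Max Tolerate, the threshold ordering check, and the exact log timing are assumptions made for illustration; only the ranges, defaults, and log intervals come from the steps above.

```python
from dataclasses import dataclass

@dataclass
class LatencyPBP:
    alert_ms: int = 50           # Latency Alert default from the page
    activate_ms: int = 200       # Latency Activate default
    max_tolerate_ms: int = 500   # Latency Max Tolerate default

    def __post_init__(self):
        for name in ("alert_ms", "activate_ms", "max_tolerate_ms"):
            value = getattr(self, name)
            if not 1 <= value <= 20000:          # documented range
                raise ValueError(f"{name}={value} is outside 1..20000 ms")
        # Assumption: the thresholds are meant to be ordered.
        if not self.alert_ms <= self.activate_ms <= self.max_tolerate_ms:
            raise ValueError("expected alert <= activate <= max tolerate")

    def drop_probability(self, latency_ms):
        """Assumed linear RED ramp from Activate (0.0) to Max Tolerate (1.0)."""
        if latency_ms <= self.activate_ms:
            return 0.0
        if latency_ms >= self.max_tolerate_ms:
            return 1.0
        span = self.max_tolerate_ms - self.activate_ms
        return (latency_ms - self.activate_ms) / span

def replay(cfg, samples_ms):
    """Replay one latency reading per second; count the logs the page describes."""
    alert_run = activate_run = alert_logs = activate_logs = 0
    peak_drop = 0.0
    for ms in samples_ms:
        alert_run = alert_run + 1 if ms > cfg.alert_ms else 0
        activate_run = activate_run + 1 if ms > cfg.activate_ms else 0
        # Assumption: first log on crossing, then every 60 s / 10 s while above.
        alert_logs += alert_run % 60 == 1
        activate_logs += activate_run % 10 == 1
        peak_drop = max(peak_drop, cfg.drop_probability(ms))
    return {"alert_logs": alert_logs, "activate_logs": activate_logs,
            "peak_drop": peak_drop}

# Constructed sample: idle, sustained congestion, then a spike past Max Tolerate.
SAMPLES = [20] * 30 + [120] * 90 + [350] * 25 + [600] * 5

if __name__ == "__main__":
    print(replay(LatencyPBP(), SAMPLES))
```

Feeding it latency readings from your own monitoring shows whether a candidate Latency Alert value would log continuously under normal load or only during real congestion.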
