You can configure Packet
Buffer Protection at two levels: the device level (global)
and, if it is enabled globally, the zone level.
Global packet buffer protection
protects firewall resources and ensures that malicious traffic
does not cause the firewall to become non-responsive. Packet
buffer protection per ingress zone is a second layer of
protection that starts blocking the offending IP address if it continues
to exceed the packet buffer protection thresholds. The firewall
can block all traffic from the offending source IP address. Keep
in mind that if the source IP address is a translated NAT IP address,
many users can be using the same IP address. If one abusive user
triggers packet buffer protection and the ingress zone has packet
buffer protection enabled, all traffic from that offending source
IP address (even from non-abusive users) can be blocked when the
firewall puts the IP address on its block list.
The most effective
way to block DoS attacks against a service behind the firewall is
to configure packet buffer protection globally and per ingress zone.
Enable Packet Buffer Protection
zone, but it is not active until you enable packet buffer protection
globally and specify the settings.
Enable packet buffer protection globally.
edit the Session Settings.
Packet Buffer Protection
Define the packet buffer protection behavior:
—When packet buffer utilization
exceeds this threshold for more than 10 seconds, the firewall creates
a log event every minute. Range is 0% to 99%; default is 50%. If
the value is 0%, the firewall does not create a log event.
—When packet buffer utilization reaches
this threshold, the firewall begins to mitigate the most abusive
sessions by applying random early drop (RED). Range is 0% to 99%;
default is 50%. If the value is 0%, the firewall does not apply RED.
If the abuser is ingressing a zone that has Packet Buffer Protection
enabled, the firewall can also discard the abusive session or block
the offending source IP address. Start with the default threshold
and adjust it if necessary.
The firewall records alert
events in the System log, and records events for dropped traffic,
discarded sessions, and blocked IP addresses in the Threat log.
Block Hold Time (sec)
—Number of seconds a RED-mitigated
session is allowed to continue before the firewall discards it.
Range is 0 to 65,535; default is 60. If the value is 0, the firewall
does not discard sessions based on packet buffer protection.
Block Duration (sec)
—Number of seconds a session remains discarded
or an IP address remains blocked. Range is 1 to 15,999,999; default
Enable additional packet buffer protection on an ingress
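The following is an added example, not vendor code and not part of the original page: a simplified Python model of the alert threshold, activate threshold and block hold time described above, for reasoning about when log events, RED and session discards would occur for a given utilization trace. The class and function names, the one-reading-per-second sampling, the counter reset on recovery and the sample trace are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass
class PbpSettings:
    alert_pct: int = 50            # page default; 0 disables alert logging
    activate_pct: int = 50         # page default; 0 disables RED
    block_hold_time: int = 60      # page default (sec); 0 disables discards
    zone_pbp_enabled: bool = True  # ingress zone also has the protection on

    def __post_init__(self):
        # Ranges as documented on the page.
        if not 0 <= self.alert_pct <= 99 or not 0 <= self.activate_pct <= 99:
            raise ValueError("alert/activate must be 0-99 percent")
        if not 0 <= self.block_hold_time <= 65535:
            raise ValueError("block hold time must be 0-65535 seconds")

def simulate(samples, cfg):
    """samples: one packet buffer utilization reading (%) per second.
    Returns (second, event) tuples. Simplified model with a single abusive
    session; counters reset when utilization drops (assumption)."""
    events, over_alert, red_secs, discarded = [], 0, 0, False
    for t, util in enumerate(samples):
        # Alert: above threshold for more than 10 s, then one event per minute.
        if cfg.alert_pct and util > cfg.alert_pct:
            over_alert += 1
            if over_alert > 10 and (over_alert - 11) % 60 == 0:
                events.append((t, "alert-log"))
        else:
            over_alert = 0
        # Activate: RED starts when utilization reaches the threshold.
        if cfg.activate_pct and util >= cfg.activate_pct and not discarded:
            if red_secs == 0:
                events.append((t, "red-start"))
            red_secs += 1
            # Discard only applies when the ingress zone is protected too.
            if (cfg.zone_pbp_enabled and cfg.block_hold_time
                    and red_secs > cfg.block_hold_time):
                events.append((t, "session-discarded"))
                discarded = True
        elif not discarded:
            red_secs = 0
    return events

# Constructed input: 5 s idle, 66 s of abuse, 10 s of recovery.
SAMPLES = [30] * 5 + [90] * 66 + [20] * 10

if __name__ == "__main__":
    for second, event in simulate(SAMPLES, PbpSettings()):
        print(second, event)
```

Replaying a utilization trace exported from monitoring through this model with candidate thresholds shows how many alert events and discards a setting would have produced before it is changed on the firewall.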