Configure Packet Buffer Protection
Table of Contents
Expand All
|
Collapse All
Next-Generation Firewall Docs
-
-
- Cloud Management of NGFWs
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1 & Later
- PAN-OS 9.1 (EoL)
-
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1 & Later
-
-
- Cloud Management and AIOps for NGFW
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1
- PAN-OS 11.2
- PAN-OS 8.1 (EoL)
- PAN-OS 9.0 (EoL)
- PAN-OS 9.1 (EoL)
Configure Packet Buffer Protection
You can configure Packet
Buffer Protection at two levels: the device level (global)
and if enabled globally, you can also enable it at the zone level.
Global packet buffer protection (DeviceSetupSession)
is to protect firewall resources and ensure that malicious traffic
does not cause the firewall to become non-responsive.
Packet
buffer protection per ingress zone (NetworkZones) is a second layer of
protection that starts blocking the offending IP address if it continues
to exceed the packet buffer protection thresholds. The firewall
can block all traffic from the offending source IP address. Keep
in mind that if the source IP address is a translated NAT IP address,
many users can be using the same IP address. If one abusive user
triggers packet buffer protection and the ingress zone has packet
buffer protection enabled, all traffic from that offending source
IP address (even from non-abusive users) can be blocked when the
firewall puts the IP address on its block list.
The most effective
way to block DoS attacks against a service behind the firewall is
to configure packet buffer protection globally and per ingress zone.
You
can Enable Packet Buffer Protection for a
zone, but it is not active until you enable packet buffer protection
globally and specify the settings.
- Enable packet buffer protection globally.
- Select DeviceSetupSession and edit the Session Settings.Select Packet Buffer Protection.Define the packet buffer protection behavior:
- Alert (%)—When packet buffer utilization exceeds this threshold for more than 10 seconds, the firewall creates a log event every minute. Range s 0% to 99%; default is 50%. If the value is 0%, the firewall does not create a log event.
- Activate (%)—When packet buffer utilization reaches this threshold, the firewall begins to mitigate the most abusive sessions by applying random early drop (RED). Range is 0% to 99%; default is 50%. If the value is 0%, the firewall does not apply RED. If the abuser is ingressing a zone that has Packet Buffer Protection enabled, the firewall can also discard the abusive session or block the offending source IP address. Start with the default threshold and adjust it if necessary.The firewall records alert events in the System log, and records events for dropped traffic, discarded sessions, and blocked IP address in the Threat log.
- Block Hold Time (sec)—Number of seconds a RED-mitigated session is allowed to continue before the firewall discards it. Range is 0 to 65,535; default is 60. If the value is 0, the firewall does not discard sessions based on packet buffer protection.
- Block Duration (sec)—Number of seconds a session remains discarded or an IP address remains blocked. Range is 1 to 15,999,999; default is 3,600.
Click OK.Commit your changes.Enable additional packet buffer protection on an ingress zone.- Select NetworkZones.Choose an ingress zone and click on its name.Enable Packet Buffer Protection in the Zone Protection section.Click OK.Commit your changes.