When a firewall exhibits signs of resource depletion, it might be experiencing an attack that is sending an overwhelming number of packets. In such events, the firewall starts buffering inbound packets. Now you can quickly identify the sessions that are using an excessive percentage of the packet buffer and mitigate their impact by discarding them.
Identify Sessions That Use an Excessive Percentage of the Packet Buffer
Perform the following task on any hardware-based firewall platform (not a VM-Series firewall) to identify the packet buffer percentage used, the top five sessions using more than two percent of the packet buffer, and the source IP addresses associated with those sessions; this information allows you to take appropriate actions.
View Firewall Resource Usage, Top Sessions, and Session Details
View firewall resource usage, top sessions, and session details. Execute the following operational command in the CLI (sample output from the command follows): admin@PA-7050> show running resource-monitor ingress-backlogs -- SLOT:s1, DP:dp1 -- USAGE - ATOMIC: 92% TOTAL: 93% TOP SESSIONS:SESS-ID PCT GRP-ID COUNT6 92% 1 156 7 1732 SESSION DETAILS SESS-ID PROTO SZONE SRC SPORT DST DPORT IGR-IF EGR-IF APP6 6 trust 192.168.2.35 55653 10.1.8.89 80 ethernet1/21 ethernet1/22 undecided The command displays a maximum of the top five sessions that each use 2% or more of the packet buffer. To restrict the display output: On a PA-7000 Series platform, you can limit output to a slot, a dataplane, or both. For example: admin@PA-7050> show running resource-monitor ingress-backlogs slot s1 admin@PA-7050> show running resource-monitor ingress-backlogs slot s1 dp dp1 On a PA-5000 Series platform, you can limit output to a dataplane. For example: admin@PA-5060> show running resource-monitor ingress-backlogs dp dp1
Use the command output to determine whether the source at the source IP address using a high percentage of the packet buffer is sending legitimate or attack traffic. In the sample output above, a single-session attack is likely occurring. A single session (Session ID 6) is using 92% of the packet buffer for Slot 1, DP 1, and the application at that point is undecided . If you determine a single user is sending an attack and the traffic is not offloaded, you can Use the CLI to End a Single Attacking Session. At a minimum, you can Configure DoS Protection Against Flooding of New Sessions. On a hardware platform that has a field-programmable gate array (FPGA), the firewall offloads traffic to the FPGA when possible to increase performance. However, if the traffic is offloaded to hardware, clearing the session does not help because then the software must handle the barrage of packets. You should instead Discard a Session Without a Commit. To see whether a session is offloaded or not, use the show session id <session-id> operational command in the CLI as shown in the following example. The layer7 processing value indicates completed for sessions offloaded or enabled for sessions not offloaded.
Discard a Session Without a Commit
Perform this task to permanently discard a session, such as a session that is overloading the packet buffer. No commit is required; the session is discarded immediately after executing the command. The commands apply to both offloaded and non-offloaded sessions.
Discard a Session Without a Commit
In the CLI, execute the following operational command on any hardware platform. admin@PA-7050> request session-discard [timeout <seconds>] [reason <reason-string>] id <session-id>
Verify that sessions that have been discarded. admin@PA-7050> show session all filter state discard

Related Documentation