Packet buffer protection allows you to protect your
firewall and network from single session DoS attacks that can overwhelm
the firewall’s packet buffer and cause legitimate traffic to drop.
Although you don’t configure packet buffer protection in a zone
protection profile or in a DoS protection profile or policy rule,
packet buffer protection defends zones and you enable it when you
configure or edit a zone (
When you enable packet buffer protection, the firewall monitors
sessions from all zones and how each session utilizes the packet
buffer. If a session exceeds a configured percentage of packet buffer
utilization and traverses an ingress zone with packet buffer protection
enabled, then the firewall takes action against that session. The
firewall begins by creating an alert log in the System log when
a session reaches the first threshold. If a session reaches the
second threshold, the firewall mitigates the abuse by implementing
Random Early Drop (RED) to throttle the session. If the firewall
cannot reduce packet buffer utilization using RED, the Block Hold
Time timer begins counting down. When the timer expires, the firewall
takes additional mitigation steps (session discard or IP block).
The block duration defines how long a session remains discarded
or an IP address remains blocked after reaching the block hold time.
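The per-session escalation described above (alert, RED, block hold time, block duration), as an added simulation that is not part of the original page or of the vendor's implementation; the threshold and timer values, the linear RED drop curve and the utilization samples are constructed for illustration and are not product defaults.

```python
# Added example: simulate the packet buffer protection state machine for one session.
# Threshold/timer values and the RED curve are assumptions, not PAN-OS defaults.

def red_drop_probability(util_pct: float, activate_pct: float) -> float:
    """Linear Random Early Drop curve: 0 at the activate threshold, 1 at 100%."""
    if util_pct < activate_pct:
        return 0.0
    return min(1.0, (util_pct - activate_pct) / (100.0 - activate_pct))


def simulate(samples, alert_pct=50, activate_pct=80, block_hold_s=3, block_duration_s=4):
    """Walk one session's per-second buffer-utilization samples (percent) and
    return the action taken at each second: 'pass', 'alert' (System log entry),
    'red:<p>' (RED throttling with drop probability p) or 'discard'
    (session discarded for block_duration_s seconds)."""
    actions = []
    hold_left = None         # block hold time countdown; None while RED is inactive
    discarded_until = None   # second at which the discard (block duration) expires
    for t, util in enumerate(samples):
        if discarded_until is not None and t < discarded_until:
            actions.append("discard")
            continue
        discarded_until = None
        if util >= activate_pct:
            if hold_left is None:
                hold_left = block_hold_s           # RED starts; countdown armed
            elif util >= samples[t - 1]:
                hold_left -= 1                     # RED is not reducing utilization
            else:
                hold_left = block_hold_s           # RED is working; timer resets
            if hold_left <= 0:
                discarded_until = t + block_duration_s
                hold_left = None
                actions.append("discard")
            else:
                actions.append(f"red:{red_drop_probability(util, activate_pct):.2f}")
            continue
        hold_left = None                           # below activate: cancel countdown
        actions.append("alert" if util >= alert_pct else "pass")
    return actions


# Constructed sample: one session ramps the buffer up and RED fails to bring it down.
SAMPLE_UTIL = [30, 55, 85, 90, 95, 95, 95, 40, 40, 40, 40]

if __name__ == "__main__":
    for second, action in enumerate(simulate(SAMPLE_UTIL)):
        print(f"t={second:2d}s util={SAMPLE_UTIL[second]:3d}% -> {action}")
```

Note that the discard persists for the whole block duration even though utilization has already fallen, which is the behaviour a defender should expect to see in the logs after a hold-time expiry.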
In addition to monitoring the buffer utilization of individual
sessions, packet buffer protection can also block an IP address
if certain criteria are met. While the firewall monitors the packet
buffers, if it detects a source IP address rapidly creating sessions
that would not individually be seen as an attack, it blocks that
VM-Series firewalls do not support packet buffer protection.