Packet Buffer Protection

Packet buffer protection allows you to protect your firewall and network from single-session DoS attacks that can overwhelm the firewall’s packet buffer and cause legitimate traffic to drop. Although you don’t configure packet buffer protection in a zone protection profile or in a DoS protection profile or policy rule, packet buffer protection defends zones, and you enable it when you configure or edit a zone (Network > Zones).
When you enable packet buffer protection, the firewall monitors sessions from all zones and how each session utilizes the packet buffer. If a session exceeds a configured percentage of packet buffer utilization and traverses an ingress zone with packet buffer protection enabled, then the firewall takes action against that session. The firewall begins by creating an alert log in the System log when a session reaches the first threshold. If a session reaches the second threshold, the firewall mitigates the abuse by implementing Random Early Drop (RED) to throttle the session. If the firewall cannot reduce packet buffer utilization using RED, the Block Hold Time timer begins counting down. When the timer expires, the firewall takes additional mitigation steps (session discard or IP block). The block duration defines how long a session remains discarded or an IP address remains blocked after reaching the block hold time.
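The escalation sequence above (alert threshold, RED throttling, Block Hold Time countdown, discard or block, Block Duration) is easier to reason about as a small state machine. The following model is an added example written for this page; it is not Palo Alto Networks code and does not reproduce PAN-OS internals. The threshold percentages, the tick-based timers, the linear RED drop curve and the utilization traces are all constructed for illustration.

```python
"""Illustrative model of the packet buffer protection lifecycle:
alert -> Random Early Drop (RED) -> Block Hold Time -> discard -> Block Duration.
Constructed example; thresholds, timers and the RED curve are assumptions."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class PbpConfig:
    alert_pct: float = 50.0       # first threshold: write an alert to the System log (illustrative)
    activate_pct: float = 80.0    # second threshold: start RED on the session (illustrative)
    block_hold_time: int = 3      # ticks RED may run without relief before the session is discarded
    block_duration: int = 5       # ticks the session stays discarded once blocked


@dataclass
class SessionState:
    alerted: bool = False
    red_active: bool = False
    hold_remaining: Optional[int] = None
    blocked_remaining: int = 0
    events: List[str] = field(default_factory=list)   # log-style record of transitions


def red_drop_probability(util_pct: float, cfg: PbpConfig) -> float:
    """Simplified RED: drop probability rises linearly from 0 at the activate
    threshold to 1.0 at full buffer utilization (an assumption, not the PAN-OS curve)."""
    if util_pct < cfg.activate_pct:
        return 0.0
    return min(1.0, (util_pct - cfg.activate_pct) / (100.0 - cfg.activate_pct))


def step(state: SessionState, util_pct: float, cfg: PbpConfig, zone_protected: bool = True) -> str:
    """Advance one tick given the session's share of the packet buffer (percent).
    Returns the action applied to the session this tick: forward, red or discard."""
    # Protection only acts on sessions whose ingress zone has it enabled.
    if not zone_protected:
        return "forward"
    # A discarded session stays discarded until the block duration runs out.
    if state.blocked_remaining > 0:
        state.blocked_remaining -= 1
        if state.blocked_remaining == 0:
            state.events.append("unblock")
            state.alerted = False          # a fresh cycle starts after the block expires
        return "discard"
    # First threshold: alert once, keep forwarding.
    if util_pct >= cfg.alert_pct and not state.alerted:
        state.alerted = True
        state.events.append("alert")
    # Second threshold: throttle with RED and arm the block hold timer.
    if util_pct >= cfg.activate_pct:
        if not state.red_active:
            state.red_active = True
            state.hold_remaining = cfg.block_hold_time
            state.events.append("red_start")
            return "red"
        # RED has not brought utilization back under the threshold: count down.
        state.hold_remaining -= 1
        if state.hold_remaining <= 0:
            state.red_active = False
            state.hold_remaining = None
            state.blocked_remaining = cfg.block_duration
            state.events.append("block")
            return "discard"
        return "red"
    # Utilization fell back under the activate threshold: RED gave relief, disarm the timer.
    if state.red_active:
        state.red_active = False
        state.hold_remaining = None
        state.events.append("red_relief")
    return "forward"


def run_session(util_trace: List[float], cfg: PbpConfig, zone_protected: bool = True) -> Tuple[List[str], List[str]]:
    """Run a whole utilization trace through the model; returns (actions, events)."""
    state = SessionState()
    actions = [step(state, u, cfg, zone_protected) for u in util_trace]
    return actions, state.events


if __name__ == "__main__":
    cfg = PbpConfig()
    # Constructed trace: a session that ramps up, ignores RED, gets discarded, then ages out.
    abusive = [30, 55, 85, 90, 92, 95, 70, 40, 40, 40, 40, 40]
    # Constructed trace: a session that backs off once RED starts dropping its packets.
    backs_off = [30, 60, 85, 88, 75, 60]
    for name, trace in (("abusive", abusive), ("backs_off", backs_off)):
        actions, events = run_session(trace, cfg)
        print(f"{name}: actions={actions} events={events}")
```

Running the module shows the abusive trace producing alert, red_start, block and unblock events, with the session discarded for exactly block_duration ticks, while the backing-off trace produces red_relief and never reaches the hold timer. The zone_protected flag models the point that the action depends on the ingress zone having protection enabled.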
In addition to monitoring the buffer utilization of individual sessions, packet buffer protection can also block an IP address if certain criteria are met. While monitoring the packet buffers, if the firewall detects a source IP address rapidly creating sessions that individually would not be seen as an attack, it blocks that IP address.
VM-Series firewalls do not support packet buffer protection.