Packet Buffer Protection

To protect your firewall and network from single-source denial of service (DoS) attacks that can overwhelm the firewall's packet buffer and cause legitimate traffic to drop, you can configure packet buffer protection. Packet buffer protection settings are configured globally and then applied per ingress zone. The firewall monitors how sessions utilize the packet buffer and takes action against a session that exceeds a configured percentage of utilization. As the various thresholds are met, the firewall takes increasingly severe action against the offending session or IP address.
In addition to monitoring the buffer utilization of individual sessions, packet buffer protection can also block an IP address if certain criteria are met. While the firewall monitors the packet buffers, if it detects a source IP address rapidly creating sessions that would not individually be seen as an attack, action is taken against that address.
  1. Configure the global Packet Buffer Protection thresholds by selecting Device > Setup > Sessions and editing the session settings.
  2. Enable Packet Buffer Protection on an ingress zone by selecting Network > Zones and clicking the name of a zone.
