Configure Packet Buffer Protection
You configure Packet Buffer Protection settings globally and then apply them per ingress zone. When the firewall detects high buffer utilization, it monitors and takes action only against sessions from zones with packet buffer protection enabled. Therefore, if the abusive session is from a zone without packet buffer protection, the high packet buffer utilization continues. Packet buffer protection can be applied to a zone, but it is not active until the global settings are configured and enabled.
- Configure the global session thresholds.
  - Select Device > Setup > Session.
  - Edit the Session Settings.
  - Select the Packet Buffer Protection check box to enable packet buffer protection and configure its thresholds.
  - Enter a value for each threshold and timer to define the packet buffer protection behavior.
    - Alert (%)—When packet buffer utilization exceeds this threshold for more than 10 seconds, the firewall creates a log event every minute. The firewall generates these log events whenever packet buffer protection is enabled globally. The default threshold is 50% and the range is 0% to 99%. If the value is 0%, the firewall does not create a log event.
    - Activate (%)—When packet buffer utilization exceeds this threshold, the firewall applies RED to abusive sessions. The default threshold is 50% and the range is 0% to 99%. If the value is 0%, the firewall does not apply RED. The firewall records alert events in the System log, and events for dropped traffic, discarded sessions, and blocked IP addresses in the Threat log.
    - Block Hold Time (sec)—The amount of time a RED-mitigated session is allowed to continue before the firewall discards it. By default, the block hold time is 60 seconds. The range is 0 to 65,535 seconds. If the value is 0, the firewall does not discard sessions based on packet buffer protection.
    - Block Duration (sec)—How long a session remains discarded or an IP address remains blocked. The default is 3,600 seconds, with a range of 1 second to 15,999,999 seconds.
  - Click OK.
  - Commit your changes.
- Enable packet buffer protection on an ingress zone.
  - Select Network > Zones.
  - Choose an ingress zone and click on its name.
  - Select the Enable Packet Buffer Protection check box in the Zone Protection section.
  - Click OK.
  - Commit your changes.