Identify Sessions That Use an Excessive Percentage of the Packet Buffer
When a firewall exhibits signs of resource depletion, it might be experiencing an attack that is sending an overwhelming number of packets. In such events, the firewall starts buffering inbound packets. You can quickly identify the sessions that are using an excessive percentage of the packet buffer and mitigate their impact by discarding them.
Perform the following task on any hardware-based firewall model (not a VM-Series firewall) to identify, for each slot and dataplane, the packet buffer percentage used, the top five sessions using more than two percent of the packet buffer, and the source IP addresses associated with those sessions. Having that information allows you to take appropriate action.
- View firewall resource usage, top sessions, and
session details. Execute the following operational command in the
CLI (sample output from the command follows):
admin@PA-7050> show running resource-monitor ingress-backlogs -- SLOT:s1, DP:dp1 -- USAGE - ATOMIC: 92% TOTAL: 93% TOP SESSIONS:SESS-ID PCT GRP-ID COUNT 6 92% 1 156 7 1732 SESSION DETAILS SESS-ID PROTO SZONESRC SPORT DST DPORT IGR-IF EGR-IF APP 6 6 trust 192.168.2.35 55653 10.1.8.89 80 ethernet1/21 ethernet1/22 undecidedThe command displays a maximum of the top five sessions that each use 2% or more of the packet buffer.The sample output above indicates that Session 6 is using 92% of the packet buffer with TCP packets (protocol 6) coming from source IP address 192.168.2.35.
To restrict the display output:On a PA-7000 Series model only, you can limit output to a slot, a dataplane, or both. For example:
- SESS-ID—Indicates the global session ID that is used in all other show session commands. The global session ID is unique within the firewall.
- GRP-ID—Indicates an internal stage of processing packets.
- COUNT—Indicates how many packets are in that GRP-ID for that session.
- APP—Indicates the App-ID extracted from the Session information, which can help you determine whether the traffic is legitimate. For example, if packets use a common TCP or UDP port but the CLI output indicates an APP of undecided, the packets are possibly attack traffic. The APP is undecided when Application IP Decoders cannot get enough information to determine the application. An APP of unknown indicates that Application IP Decoders cannot determine the application; a session of unknown APP that uses a high percentage of the packet buffer is also suspicious.
admin@PA-7050> show running resource-monitor ingress-backlogs slot s1 admin@PA-7050> show running resource-monitor ingress-backlogs slot s1 dp dp1On PA-5000 Series, PA-5200 Series, and PA-7000 Series models only, you can limit output to a dataplane. For example:
admin@PA-5060> show running resource-monitor ingress-backlogs dp dp1
- Use the command output to determine whether the source
at the source IP address using a high percentage of the packet buffer
is sending legitimate or attack traffic.In the sample output above, a single-session attack is likely occurring. A single session (Session ID 6) is using 92% of the packet buffer for Slot 1, DP 1, and the application at that point is undecided.
To see whether a session is offloaded or not, use the show session id <session-id> operational command in the CLI as shown in the following example. The layer7 processing value indicates completed for sessions offloaded or enabled for sessions not offloaded.
- If you determine a single user is sending an attack and the traffic is not offloaded, you can End a Single Session DoS Attack. At a minimum, you can Configure DoS Protection Against Flooding of New Sessions.
- On a hardware model that has a field-programmable gate array (FPGA), the firewall offloads traffic to the FPGA when possible to increase performance. If the traffic is offloaded to hardware, clearing the session does not help because then it is the software that must handle the barrage of packets. You should instead Discard a Session Without a Commit.
DoS Protection Against Flooding of New Sessions
DoS Protection Against Flooding of New Sessions DoS protection against flooding of new sessions is beneficial against high-volume single-session and multiple-session attacks. In a single-session ...
Discard a Session Without a Commit
Discard a Session Without a Commit Perform this task to permanently discard a session, such as a session that is overloading the packet buffer. No ...
Packet Buffer Protection
Protect the firewall’s packet buffers from single-session DoS attacks that attempt to take down the firewall. ...
Disable Hardware Offload
Disable Hardware Offload Packet captures for traffic passing through the network data ports on a Palo Alto Networks firewall are performed by the dataplane CPU. ...
Custom PAN-OS Metrics Published for Monitoring
PAN-OS® metrics published to public cloud monitoring systems such as AWS® CloudWatch, Azure® Application Insights, and Google® Stackdriver. ...
Detailed Device Health in Panorama
Description of the Detailed Device View for device monitoring on Panorama™. ...
Change the Session Distribution Policy and View Statistics
Change the Session Distribution Policy and View Statistics The following table describes how to view and change the active Session Distribution Policies and describes how ...
Monitor Block List
Monitor Block List There are two ways you can cause the firewall to place an IP address on the block list: Configure a Vulnerability Protection ...
Configure Session Settings
Configure Session Settings This topic describes various settings for sessions other than timeouts values. Perform these tasks if you need to change the default settings. ...