Packet Buffer Protection

Packet Buffer Protection Overview

Packet Buffer Protection defends your firewall and network from single session DoS attacks that can overwhelm the firewall’s packet buffer and cause legitimate traffic to drop. Although you don’t configure Packet Buffer Protection in a Zone Protection profile or in a DoS Protection profile or policy rule, Packet Buffer Protection defends ingress zones.

While zone and DoS protection apply to new sessions (connections) and are granular, Packet Buffer Protection applies to existing sessions and is global in its monitoring, with per-zone enforcement options.

Packet Buffer Protection involves two configuration levels:

Global Packet Buffer Protection: The firewall monitors sessions from all zones (regardless of whether Packet Buffer Protection is enabled in a zone) and how those sessions utilize the packet buffer. You must configure Packet Buffer Protection globally ( Device > Setup > Session Settings ) to protect the firewall and enable it on individual zones. When packet buffer consumption reaches the configured Activate percentage, the firewall uses Random Early Drop (RED) to drop packets from the offending sessions (the firewall doesn’t drop complete sessions at the global level).
Per-Zone Packet Buffer Protection: Enable Packet Buffer Protection on each zone ( Network > Zones ) to layer in a second level of protection. When packet buffer consumption crosses the Activate threshold (triggering global RED), the per-zone Block Hold Time timer starts for the offending session(s) in that zone. If the session continues to offend for the duration of the Block Hold Time, the firewall blocks the entire session . The offending session remains blocked until the Block Duration time expires.

You must enable Packet Buffer Protection globally in order for it to be active in zones.

There are two methods to trigger packet buffer protection:

Packet Buffer Protection Based on Buffer Utilization
Packet Buffer Protection Based on Latency

Protection Based on Buffer Utilization

Packet Buffer Protection based on buffer utilization is enabled by default. It monitors the percentage of the firewall's packet buffer being used.

Take baseline measurements of firewall packet buffer utilization over a significant period (at least one business week, preferably longer) to understand typical usage. Use the operational CLI command:

show running resource-monitor [day | hour | minute | second | week]

This command provides a snapshot. For continuous monitoring and anomaly detection, consider using an automated script (sample potentially available from Palo Alto Networks, but unsupported).

If baseline measurements consistently show abnormally high packet buffer utilization, the firewall might be undersized. Consider resizing the firewall deployment. Otherwise, carefully tune thresholds to prevent buffer overflow without dropping legitimate traffic.

Overrunning the firewall packet buffer negatively impacts the firewall’s packet forwarding capabilities for all traffic , as no packets can enter the firewall on any interface when buffers are full.

Buffer Utilization Thresholds

Best practices for setting thresholds:

Alert: Default 50%. When exceeded for >10 seconds, generates a System log every minute. Start with default, adjust based on baseline. If utilization is normally well below 50% (on a correctly sized firewall), this provides an early warning.
Activate: Default 80%. When reached, the firewall begins RED mitigation on the most abusive sessions (global action). Start with default, adjust based on baseline and capacity.
Block Hold Time: Default 60 seconds. Per-zone setting. Timer starts when the global Activate threshold is crossed. If the offending session continues for this duration, the entire session is blocked. If buffer usage drops below Activate before the timer expires, it resets. Increasing imposes a greater penalty; decreasing imposes less.
Block Duration: Default 3600 seconds (1 hour). Per-zone setting. Duration for which an offending session (or IP address, see below) is blocked after the Block Hold Time expires. Adjust if 1 hour is considered too long a penalty.

In addition to blocking individual sessions, Packet Buffer Protection can also block an entire IP address for the configured Block Duration if the firewall detects that source IP rapidly creating many small sessions that wouldn't individually trigger utilization limits but collectively strain the buffer.

Source Network Address Translation (NAT) can make a single external IP address appear responsible for high buffer utilization. If this occurs, consider reducing the Block Hold Time (to block abusive individual sessions faster) and reducing the Block Duration (to avoid penalizing the shared NAT IP for too long).

Protection Based on Latency

As an alternative to buffer utilization, you can trigger packet buffer protection based on packet latency introduced by dataplane buffering, which indicates congestion.

This method mitigates head-of-line blocking and can trigger protection before latency-sensitive protocols or applications (like VoIP or video conferencing) are noticeably affected. Use this method if your network carries significant latency-sensitive traffic.

Latency Thresholds

Packet buffer protection based on latency involves setting these thresholds:

Latency Alert: Threshold in milliseconds. When average packet latency exceeds this value, the firewall generates an Alert log event.
Latency Activate: Threshold in milliseconds. When average packet latency exceeds this value, the firewall activates RED on incoming packets and generates an Activate log.
Latency Max Tolerate: Threshold in milliseconds. When average packet latency exceeds this value, the firewall applies RED with almost 100% drop probability.

The Block Hold Time and Block Duration settings function the same way for latency-based protection as they do for utilization-based protection, determining when and for how long entire sessions are blocked at the zone level after the Latency Activate threshold is crossed.

Configuration Summary

Packet Buffer Protection requires configuration at two levels:

Global Configuration:
- Navigate to Device > Setup > Session Settings .
- Under "Packet Buffer Protection", choose either Utilization or Latency as the trigger.
- Configure the corresponding global thresholds ( Alert , Activate for utilization; Latency Alert , Latency Activate , Latency Max Tolerate for latency).
- Ensure the "Enable" checkbox for Packet Buffer Protection is checked globally.
Per-Zone Configuration:
- Navigate to Network > Zones .
- Select the zone you want to protect.
- Check the Enable Packet Buffer Protection box for this zone.
- Configure the zone-specific Block Hold Time (seconds).
- Configure the zone-specific Block Duration (seconds).
- Repeat for each ingress zone requiring this protection.

Remember, per-zone settings only take effect if Packet Buffer Protection is also enabled globally.

Start with default values for thresholds, monitor system logs and resource utilization, and tune the settings based on your network's specific baseline and requirements.

Diagrams

Packet Buffer Protection Flow (Utilization Based)

Illustrates the process for Packet Buffer Protection based on buffer utilization, showing global actions (alert, RED) and per-zone actions (block hold, block session).

Packet Buffer Protection Flow (Latency Based)

Illustrates the process for Packet Buffer Protection based on packet latency, showing global actions (alert, RED) and per-zone actions (block hold, block session).

Packet Buffer Protection Quiz

Test your understanding of Packet Buffer Protection. Select the best answer for each question.

1. What is the primary target of Packet Buffer Protection?

New incoming connection floods (SYN Floods). Existing sessions consuming excessive packet buffer resources. Reconnaissance scans targeting open ports. Malware propagation between zones.

Correct Answer: B. Packet Buffer Protection specifically defends against attacks where existing, established sessions overwhelm the firewall's packet buffer, distinct from Zone/DoS protection which primarily handles floods of new connection attempts. Relevance: PCNSE/PCNSA, Core Concept

2. Where must Packet Buffer Protection be enabled for per-zone settings to take effect?

Only on the specific zone. Globally (Device > Setup > Session Settings) AND on the specific zone. Globally only; per-zone settings are automatic. In the relevant DoS Protection Profile.

Correct Answer: B. Global enablement is mandatory for the feature to function. Per-zone enablement then allows for specific block hold/duration settings for that zone's traffic when global thresholds are met. Relevance: Critical, Gotcha

3. What action does the firewall take GLOBALLY when the Packet Buffer Utilization 'Activate' threshold is crossed?

Blocks the entire offending session immediately. Blocks the offending source IP address immediately. Applies Random Early Drop (RED) to packets from offending sessions. Sends an alert but takes no other action.

Correct Answer: C. The initial global response upon hitting the Activate threshold is to start dropping packets via RED from the sessions consuming the most buffer space. Blocking entire sessions is a per-zone action triggered later. Relevance: PCNSE/PCNSA, Core Concept

4. What is the purpose of the 'Block Hold Time' setting in per-zone Packet Buffer Protection?

The duration for which an IP address is blocked. The time an offending session can continue (while subject to global RED) before the entire session is blocked by the zone. The delay before the global 'Activate' threshold triggers RED. The minimum time a session must exist before being considered for PBP.

Correct Answer: B. The Block Hold Time is a grace period specific to the zone. Once global RED starts due to high buffer usage/latency, this timer begins for offending sessions in the zone. If the session continues to offend for this duration, the zone blocks the entire session. Relevance: PCNSE/PCNSA, Configuration Setting

5. Which operational CLI command is used to view recent resource monitor statistics, including packet buffer utilization?

show system resources show session info show running resource-monitor debug dataplane pool statistics

Correct Answer: C. The `show running resource-monitor` command provides historical data (day, hour, minute, etc.) for various resources, including packet buffer utilization percentage. Relevance: Important, CLI Command

6. When might using Packet Buffer Protection based on Latency be preferable to using it based on Buffer Utilization?

When the firewall is significantly undersized. When protecting against SYN floods specifically. When the network carries significant latency-sensitive traffic (e.g., VoIP, video). When source NAT is heavily used.

Correct Answer: C. Latency-based protection triggers mitigation based on packet delay, potentially activating before high buffer utilization significantly impacts real-time applications like VoIP or video conferencing. Relevance: Important, Use Case

7. What does the 'Latency Max Tolerate' threshold signify in latency-based Packet Buffer Protection?

The maximum latency allowed before an alert is generated. The point at which RED begins to be applied. The latency level at which RED operates with almost 100% drop probability. The maximum time a packet can spend in the buffer.

Correct Answer: C. This threshold represents the upper bound where packet latency is considered unacceptable, causing the firewall to apply the most aggressive RED packet dropping. Relevance: Configuration Setting

8. How can heavy use of source NAT impact Packet Buffer Protection based on utilization?

It prevents PBP from working correctly. It can make a single NAT IP appear responsible for high buffer usage, potentially leading to unfair blocking of the entire IP. It reduces buffer utilization, making PBP less likely to trigger. It forces the use of latency-based PBP instead.

Correct Answer: B. Many internal clients hiding behind one source NAT IP can collectively cause high buffer usage attributed to that single IP. If PBP blocks the IP based on rapid session creation or aggregate usage, it affects all users behind that NAT IP. Tuning Block Hold/Duration may be needed. Relevance: Gotcha, Interaction

9. If the packet buffer utilization drops below the 'Activate' threshold before the 'Block Hold Time' expires, what happens?

The session is blocked immediately. The Block Hold Timer continues until it expires. The Block Hold Timer resets, and the session is not blocked (unless the Activate threshold is crossed again). The Block Duration timer starts immediately.

Correct Answer: C. The Block Hold Timer is conditional on the Activate threshold remaining crossed. If the condition clears (buffer usage or latency drops), the timer resets, and the session avoids being blocked by the zone PBP for that instance. Relevance: Core Concept

10. Packet Buffer Protection is configured within which part of the PAN-OS interface?

Objects > Security Profiles > DoS Protection Policies > Security Network > Zone Protection Profile Device > Setup > Session Settings (Global) and Network > Zones (Per-Zone)

Correct Answer: D. Global settings are under Device > Setup > Session, while per-zone enablement and block timers are configured within each Zone object under Network > Zones. It's separate from DoS and Zone Protection profiles. Relevance: Configuration Location

11. What is the primary consequence if a firewall's packet buffers become completely full?

Only traffic on the attack-receiving interface is dropped. The firewall automatically reboots. No new packets can enter the firewall on ANY interface, potentially dropping legitimate traffic. CPU utilization spikes to 100%.

Correct Answer: C. A full packet buffer prevents the firewall from accepting any new incoming packets on any interface, leading to widespread traffic disruption, not just on the interface experiencing the attack. Relevance: Critical, Impact

12. Packet Buffer Protection primarily operates at which stage of traffic processing?

Before session lookup (ingress stage). During policy evaluation. After security processing, before egress. Tied to session state and buffer usage/latency for existing sessions.

Correct Answer: D. PBP monitors the resource consumption (buffer space or induced latency) of existing, established sessions and takes action based on that state, distinguishing it from protections applied at initial connection setup. Relevance: Core Concept

13. What is the default value for the Packet Buffer Utilization 'Activate' threshold?

50% 60% 80% 90%

Correct Answer: C. The default global Activate threshold for utilization-based PBP is 80%. Relevance: Default Value

14. Which action can Packet Buffer Protection take against a source IP address (not just a session)?

Apply RED only to packets from that IP. Block the IP address for the 'Block Duration' if it rapidly creates many small sessions. Force all traffic from that IP through extra inspection. PBP only acts on sessions, never on IP addresses directly.

Correct Answer: B. The documentation states PBP can block an IP address for the configured Block Duration if it detects the IP rapidly creating sessions, even if individual sessions aren't excessively large. Relevance: PCNSE/PCNSA, Feature Detail

15. What is the recommended first action when configuring PBP thresholds?

Set thresholds very low for maximum security. Disable PBP globally and enable it only on critical zones. Start with the default values, monitor, and adjust based on baseline measurements. Choose latency-based protection as it's always better.

Correct Answer: C. Palo Alto Networks generally recommends starting with default settings, establishing a baseline understanding of normal network behavior, and then carefully tuning thresholds if necessary. Relevance: Best Practice, Important

16. Does Packet Buffer Protection require a specific subscription license?

Yes, it requires the Threat Prevention license. Yes, it requires a dedicated DDoS Protection license. No, it is a core feature included in PAN-OS. Yes, it requires the GlobalProtect license.

Correct Answer: C. Packet Buffer Protection is a fundamental part of the PAN-OS platform's defense mechanisms and does not require an additional subscription license. Relevance: Licensing

17. When PBP blocks an entire session (per-zone action), what determines how long the session remains blocked?

The global 'Alert' threshold. The per-zone 'Block Hold Time'. The per-zone 'Block Duration'. The global 'Activate' threshold.

Correct Answer: C. After the 'Block Hold Time' expires for an offending session in a protected zone, the session is blocked for the length of time specified by the per-zone 'Block Duration' setting. Relevance: Configuration Setting

18. PBP helps mitigate "single session DoS attacks". What does this typically mean?

An attack using only the SYN packet. An attack originating from only one source IP address. An attack where one or a few established sessions send excessive data or requests to consume buffer resources. An attack targeting only TCP port 80.

Correct Answer: C. This refers to attacks that leverage already established connections to flood the firewall's buffers, rather than overwhelming it with new connection attempts. PBP is designed to detect and mitigate this behavior within existing sessions. Relevance: Core Concept

19. The global PBP 'Alert' threshold (utilization-based) requires the threshold to be exceeded for how long before logging an alert?

Instantly. More than 1 second. More than 10 seconds. More than 60 seconds.

Correct Answer: C. The documentation specifies that for the utilization-based Alert threshold, the condition must persist for more than 10 seconds before the firewall generates the System log entry. Relevance: Feature Detail

20. Is Packet Buffer Protection configured within a Zone Protection Profile?

Yes, it's a tab within the Zone Protection Profile settings. No, it's configured globally and optionally per zone, separate from Zone Protection Profiles. Yes, but only if DoS Protection is also enabled in the profile. No, it replaces the need for a Zone Protection Profile.

Correct Answer: B. Packet Buffer Protection is distinct from Zone Protection Profiles. It's managed globally under Session Settings and enabled per Zone object, not within the profile applied to the zone. Relevance: Configuration Location, Core Concept

Please answer all questions before submitting.