Packet Buffer Protection

A high-level representation of a packet flow in a buffer
Author

Piotr Kaluzny

Head Instructor

Apr 12, 2024

Packet Buffer Protection is a vital PAN-OS (Palo Alto Networks Next-Generation Firewall) feature designed to shield your firewall and network from single-session Distributed Denial of Service (DDoS) attacks that could overwhelm the firewall's packet buffer and cause legitimate traffic to be dropped. It works in addition to the settings in Zone Protection and DoS Protection profiles and specifically defends ingress zones.

Configuration

This feature is configured at two separate levels: globally, to secure the entire firewall, and per zone, to protect each zone individually:

Global Packet Buffer Protection – monitors all sessions across all zones to observe how they use the packet buffer, irrespective of individual zone settings. To activate it, enable it globally under Device -> Setup -> Session Settings. Once packet buffer consumption reaches the preset Activate percentage, the firewall uses Random Early Drop (RED) to discard packets from offending sessions rather than dropping the sessions entirely.

Per-Zone Packet Buffer Protection – adds a second layer of defense by enabling Packet Buffer Protection on each individual zone under Network -> Zones. Once the Activate threshold is exceeded and global protection starts applying RED to the session's traffic, the Block Hold Time starts. This timer sets how long an offending session may continue before the firewall blocks it entirely; the session then stays blocked until the Block Duration expires.

Monitoring and Management

Packet Buffer Protection, which by default is based on buffer utilization, requires an initial baseline measurement of the firewall's packet buffer usage over a sustained period. This assessment, ideally conducted over at least one business week, shows the typical buffer usage pattern. The measurements can be taken with the operational CLI command:

show running resource-monitor [day | hour | ingress-backlogs | minute | second | week]

The CLI command gives a snapshot for the specified period, but it is not automated. For ongoing, automated monitoring, a script can be used. Your Palo Alto Networks account team can provide a sample script for customization, but note that there is no official support for modifying or troubleshooting it.

If baseline measurements consistently show unusually high packet buffer utilization, the firewall may not be adequately sized for the typical traffic load, and the deployment may need to be resized. Careful tuning of the Packet Buffer Protection thresholds is essential to avoid buffer overflow and the resulting drops of legitimate traffic.

Best Practices

Current recommendations for setting up the thresholds are as follows:

  • Alert and Activate: Start with the default values, monitor packet buffer utilization, and adjust the thresholds as necessary. The Alert threshold is preset to 50% and generates a system log alert every minute if it is exceeded for more than ten seconds. The Activate threshold starts at 80%; when it is reached, the firewall begins mitigating the most offending sessions.
  • Block Hold Time: Sets how long an offending session may continue after the Activate threshold has been triggered. It starts at a default of 60 seconds and can be adjusted based on ongoing buffer utilization monitoring. The timer resets if utilization falls below the Activate threshold before the Block Hold Time ends.
  • Block Duration: Determines how long an offending session stays blocked once the Block Hold Time expires; the default is 3600 seconds (one hour). If this is too restrictive, it can be reduced accordingly.
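To see how the three thresholds interact over time, the following is an added example (not PAN-OS code and not from the post's author) that models the Alert, Activate, Block Hold Time and Block Duration behaviour described above on constructed per-second utilization samples. One sample per second, the alert-log cadence and the hold-timer reset rule are assumptions taken from the text; the RED action is only represented as a label.

```python
from dataclasses import dataclass, field

@dataclass
class PbpConfig:
    # Defaults as given in the post; samples are assumed to be one per second.
    alert_pct: int = 50          # Alert: log when exceeded for more than 10 s
    activate_pct: int = 80       # Activate: RED on the most offending sessions
    block_hold_time: int = 60    # seconds of RED before the session is blocked
    block_duration: int = 3600   # seconds the session then stays blocked

@dataclass
class PbpState:
    alert_secs: int = 0          # consecutive seconds above Alert
    last_alert_log: int = -60    # time of the last alert log (one per minute)
    hold_secs: int = 0           # consecutive seconds above Activate
    blocked_until: int = 0       # second at which the current block expires
    log: list = field(default_factory=list)

def step(cfg, st, t, util):
    """Apply one buffer-utilization sample (percent) taken at second t."""
    if t < st.blocked_until:
        return "blocked"
    # Alert: one system log per minute once utilization has exceeded Alert > 10 s
    if util > cfg.alert_pct:
        st.alert_secs += 1
        if st.alert_secs > 10 and t - st.last_alert_log >= 60:
            st.log.append((t, f"alert: buffer {util}% > {cfg.alert_pct}%"))
            st.last_alert_log = t
    else:
        st.alert_secs = 0
    # Activate: RED while above the threshold; block after Block Hold Time
    if util >= cfg.activate_pct:
        st.hold_secs += 1
        if st.hold_secs >= cfg.block_hold_time:
            st.blocked_until = t + cfg.block_duration
            st.hold_secs = 0
            st.log.append((t, f"block for {cfg.block_duration}s"))
            return "blocked"
        return "red"
    st.hold_secs = 0  # dropping below Activate before the hold time ends resets it
    return "alert" if util > cfg.alert_pct else "ok"

def simulate(samples, cfg=None):
    """Run per-second samples through the model; returns (actions, log)."""
    cfg, st = cfg or PbpConfig(), PbpState()
    return [step(cfg, st, t, u) for t, u in enumerate(samples)], st.log

if __name__ == "__main__":
    # Constructed burst with a short hold time and block so the cycle is visible
    burst = [30] * 5 + [90] * 4 + [40] + [90] * 6 + [40] * 20
    print(simulate(burst, PbpConfig(block_hold_time=5, block_duration=10)))
```

The short hold time and block duration in the usage call are only there to keep the printed timeline readable; with the defaults the same cycle plays out over 60 and 3600 seconds.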

As an alternative to activating Packet Buffer Protection based on buffer utilization, you can activate it based on packet latency caused by dataplane buffering, which signals congestion on the firewall. Detecting and responding to latency early keeps latency-sensitive protocols and applications unaffected.

In summary, Packet Buffer Protection provides robust defense against potential DDoS threats, keeping your network secure and operational without sacrificing legitimate traffic. Proper configuration and monitoring are crucial to get the full benefit of this feature.
