Packet Buffer Protection Based on Latency

End-of-Life (EoL)


Configure packet buffer protection based on CPU processing latency to mitigate congestion on hardware firewalls.
Beginning in PAN-OS 10.0, packet buffer protection based on packet buffer utilization is enabled by default on all firewalls globally and for each zone.
As an alternative to packet buffer protection based on utilization, you can now trigger packet buffer protection based on packet latency caused by dataplane packet buffering, which indicates congestion on the firewall. Such packet buffer protection alerts you to the congestion and performs random early drop (RED) on packets. Packet buffer protection based on latency can trigger the protection before latency-sensitive protocols or applications are affected.
If your traffic includes protocols or applications that are latency-sensitive, then packet buffer protection based on latency will be more helpful than packet buffer protection based on buffer utilization.
  1. Select Device > Setup > Session.
  2. Edit the Session Settings section and enable Packet Buffer Protection.
  3. Enable Buffering Latency Based.
  4. Enter the Latency Alert (milliseconds) threshold above which the firewall starts generating an Alert log event every minute; range is 1 to 20,000ms; default is 50ms.
  5. Enter the Latency Activate (milliseconds) threshold above which the firewall activates random early drop (RED) on incoming packets and starts generating an Activate log every 10 seconds; range is 1 to 20,000ms; default is 200ms.
  6. Enter the Latency Max Tolerate (milliseconds) threshold above which the firewall uses RED with close to 100% drop probability; range is 1 to 20,000ms; default is 500ms.
  7. Configure the Block Hold Time and Block Duration as for Packet Buffer Protection based on utilization.
  8. Click OK.
  9. Commit.
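
The following Python sketch is an added planning aid, not Palo Alto Networks code and not a PAN-OS API. It checks candidate thresholds against the ranges given in steps 4 to 6 and replays latency readings to estimate how many Alert and Activate log events to expect. The names `LatencyPbp`, `expected_logs` and `SAMPLES_MS` are hypothetical; the ordering check, the one-reading-per-second input and the timer reset when latency falls back below a threshold are assumptions.

```python
from dataclasses import dataclass

LATENCY_RANGE_MS = (1, 20_000)  # documented range for all three thresholds

@dataclass(frozen=True)
class LatencyPbp:
    alert_ms: int = 50          # documented default
    activate_ms: int = 200      # documented default
    max_tolerate_ms: int = 500  # documented default

    def problems(self):
        """Return a list of problems with the chosen thresholds."""
        lo, hi = LATENCY_RANGE_MS
        out = [f"{name}={value} outside {lo}-{hi} ms"
               for name, value in vars(self).items() if not lo <= value <= hi]
        # Assumption: this ordering is a planning sanity check, not a documented rule.
        if not self.alert_ms <= self.activate_ms <= self.max_tolerate_ms:
            out.append("expected alert <= activate <= max tolerate")
        return out

    def state(self, latency_ms):
        """Map one latency reading to the behaviour the steps describe."""
        if latency_ms > self.max_tolerate_ms:
            return "red-max"   # RED with close to 100% drop probability
        if latency_ms > self.activate_ms:
            return "red"       # RED active, Activate log every 10 seconds
        if latency_ms > self.alert_ms:
            return "alert"     # Alert log every minute
        return "normal"

def expected_logs(cfg, samples_ms):
    """Count log events for one latency reading per second.

    Assumptions: a log is emitted at the start of each period, both log
    types can run at once, and a timer resets when latency drops back.
    """
    periods = {"alert": (cfg.alert_ms, 60), "activate": (cfg.activate_ms, 10)}
    counts = {kind: 0 for kind in periods}
    run = {kind: 0 for kind in periods}  # consecutive seconds above threshold
    for ms in samples_ms:
        for kind, (threshold, period) in periods.items():
            if ms > threshold:
                counts[kind] += run[kind] % period == 0
                run[kind] += 1
            else:
                run[kind] = 0
    return counts

# Constructed sample: 30 s quiet, 90 s mild congestion, 30 s heavy congestion.
SAMPLES_MS = [20] * 30 + [120] * 90 + [300] * 25 + [700] * 5

if __name__ == "__main__":
    cfg = LatencyPbp()
    print(cfg.problems(), expected_logs(cfg, SAMPLES_MS))
```

Replaying latency figures from your own monitoring against candidate thresholds shows how much log volume a given setting would produce before you commit it.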