Packet Buffer Protection
Protect the firewall’s packet buffers from single-session
DoS attacks that attempt to take down the firewall.
Packet Buffer Protection defends your firewall and network
from single session DoS attacks that can overwhelm the firewall’s
packet buffer and cause legitimate traffic to drop. Although you
don’t configure Packet Buffer Protection in a Zone Protection profile
or in a DoS Protection profile or policy rule, Packet Buffer Protection
defends ingress zones. While zone and DoS protection apply to new
sessions (connections) and are granular, Packet Buffer Protection
applies to existing sessions and is global.
Global Packet Buffer Protection—The firewall monitors
sessions from all zones (regardless of whether Packet Buffer Protection
is enabled in a zone) and how those sessions utilize the packet
buffer. You must configure Packet Buffer Protection globally to protect the firewall and
to enable it on individual zones. When packet buffer consumption
reaches the configured Activate percentage,
the firewall uses Random Early Drop (RED) to drop packets from the
offending sessions (the firewall doesn’t drop complete sessions
at the global level).
Per-Zone Packet Buffer Protection—Enable Packet Buffer
Protection on each zone to layer in a second
level of protection. When packet buffer consumption crosses the Activate threshold
and global protection begins to apply RED to session traffic, that
starts the Block Hold Time timer. The Block
Hold Time is the amount of time in seconds that the
offending session can continue (under RED) before the firewall blocks the entire
session. The offending session remains blocked until the Block
Duration time expires.
Packet Buffer Protection isn’t active on any zone until you enable
it globally; enabling it on a zone alone has no effect.
Take baseline measurements of firewall packet buffer utilization
over a period of time until you’re comfortable that you understand
typical usage. Take measurements for at least one business week;
however, a longer measurement period provides a better baseline.
To see packet buffer utilization for a specified period of time,
use the operational CLI command:
admin1138@thxvm1> show running resource-monitor [day | hour | ingress-backlogs | minute | second | week]
The
CLI command provides a snapshot of buffer utilization for the specified
period of time, but is neither automated nor continuous. To automate
continuous packet buffer utilization measurements so you can monitor
changes in behavior and anomalous events, use a script. Your Palo
Alto Networks account team can provide a sample script that you
can modify to develop your own script; however, the script is not
officially supported and there is no technical support available
for script usage or modification.
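The following script is an added illustration of what such a baseline script might do; it is not the Palo Alto Networks sample script and not part of the original page. It parses saved output of show running resource-monitor, pulls out the packet buffer rows for each dataplane, and reports average, 95th percentile, maximum, and how many samples would already have crossed a given Alert threshold. The embedded output is a constructed excerpt in the per-dataplane layout the command prints; the exact row labels (packet buffer (average) / packet buffer (maximum)) are an assumption about your platform’s output, so adjust the label pattern if yours differs. To build a real baseline, run the command on a schedule (for example, every minute via the XML API), append the output to a file, and feed that file to the script.

```python
"""Summarize packet buffer utilization from saved `show running resource-monitor` output."""
import math
import re
import statistics
import sys

# Constructed excerpt (not real firewall output) in the per-dataplane layout that
# `show running resource-monitor minute last 10` prints. The row labels are an
# assumption about your platform's output; adjust LABEL_RE if yours differ.
SAMPLE_OUTPUT = """\
Resource monitoring sampling data (per minute):

DP dp0:

Resource utilization (%) during last 10 minutes:
session (average):
   12   12   13   12   12   14   13   12   12   13
session (maximum):
   14   13   15   14   13   16   15   14   13   15
packet buffer (average):
    4    4    5    4    6    5    4    4    5    4
packet buffer (maximum):
    6    7    9    8   41    8    7    6    8    7
packet descriptor (average):
    2    2    3    2    3    2    2    2    3    2
"""

DP_RE = re.compile(r"^DP\s+(\S+):")                 # "DP dp0:" starts a dataplane section
LABEL_RE = re.compile(r"^([a-z][a-z ()\-]*):$")      # lowercase row label ending in ":"
VALUES_RE = re.compile(r"^\s*\d+(?:\s+\d+)*\s*$")    # a line of integer percentages


def parse_resource_monitor(text):
    """Return {(dataplane, row_label): [samples]} for every numeric row in the output."""
    series = {}
    dp, label = "dp?", None
    for line in text.splitlines():
        m = DP_RE.match(line)
        if m:
            dp, label = m.group(1), None
            continue
        m = LABEL_RE.match(line.strip())
        if m:
            label = m.group(1)
            continue
        if label and VALUES_RE.match(line):
            series.setdefault((dp, label), []).extend(int(v) for v in line.split())
    return series


def summarize(samples, alert_pct=50):
    """Baseline statistics for one row, plus how often it would have hit the Alert threshold."""
    ordered = sorted(samples)
    return {
        "samples": len(samples),
        "avg": round(statistics.fmean(samples), 1),
        "p95": ordered[max(0, math.ceil(0.95 * len(ordered)) - 1)],
        "max": ordered[-1],
        "over_alert": sum(1 for s in samples if s >= alert_pct),
    }


def baseline_report(text, alert_pct=50):
    """Summaries for the packet buffer rows only, keyed by (dataplane, row_label)."""
    return {
        key: summarize(vals, alert_pct)
        for key, vals in parse_resource_monitor(text).items()
        if key[1].startswith("packet buffer")
    }


if __name__ == "__main__":
    # Pipe saved CLI output in, or run with no input to use the constructed sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_OUTPUT
    for (dp, label), stats in sorted(baseline_report(text).items()):
        print(f"{dp} {label}: {stats}")
```

The single 41% sample in the constructed maximum row is the kind of spike you want your baseline to surface: it stays under the default 50% Alert threshold, but on a correctly sized firewall a sustained run of such values is evidence of an attack rather than normal load.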
If baseline measurements consistently show abnormally high packet
buffer utilization, then the firewall’s capacity may be undersized
for typical traffic loads. In this case, consider resizing the firewall
deployment. Otherwise, you need to tune the Packet Buffer Protection
thresholds carefully to prevent impacted buffers from overflowing
(and to prevent dropping legitimate traffic). When firewall sizing
is correct for the deployment, only an attack should cause a large
spike in buffer usage.
Overrunning the firewall packet buffer negatively impacts
the firewall’s packet forwarding capabilities. When the buffers
are full, no packets can enter the firewall on any interface, not
just the interface that experienced the attack.
The best practices for setting the thresholds are:
Alert and Activate—Start
with the default threshold values (50% in both cases), monitor packet
buffer utilization, and adjust the thresholds as necessary. If the
firewall is sized correctly, buffer utilization should be well below
50%. If the packet buffer utilization crosses the Alert threshold,
the firewall creates an alert entry in the System log.
Block Hold Time—When packet buffer
utilization triggers the Activate threshold,
the Block Hold Time sets the amount of time
the offending session can continue before the firewall blocks the
session. During the Block Hold Time, the
firewall continues to apply RED to the packets of offending sessions.
Start with the default Block Hold Time threshold
value (60 seconds), monitor packet buffer utilization, and adjust
the threshold as necessary. If the packet buffer utilization percentage
falls below the Activate threshold before
the Block Hold Time expires, the timer resets
and doesn’t start until the Activate threshold
is crossed again. Reducing the Block Hold Time blocks offending
sessions sooner and so imposes a greater penalty on them; increasing
it lets them continue under RED for longer before the block, a lesser penalty.
Block Duration—When the Block
Hold Time expires, the firewall blocks the offending
session for the period of time defined by the Block Duration.
Start with the default threshold value (3600 seconds), monitor packet
buffer utilization, and adjust the threshold as necessary. When
you enable Packet Buffer Protection on a zone, Block
Duration affects every session from the IP address even
if only one session from an IP address overutilizes the packet buffer.
If you believe that blocking an IP address for one hour (3600 seconds)
is too great a penalty, reduce the Block Duration to
an acceptable value.
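The interaction of the four settings above is easier to see on a timeline. The following simulation is an added illustration of the behavior as this page describes it; it is not PAN-OS code and not part of the original page. It models one offending session against a constructed one-sample-per-second utilization trace: a 40-second burst that ends before the 60-second Block Hold Time expires (so the timer resets and the session is never blocked), followed by a 70-second burst that does not. The per-second tick, the event names, and the single-session model are assumptions made for the illustration; on the firewall the per-zone block applies to every session from the offending source IP address.

```python
"""Simulate Packet Buffer Protection timers on a constructed utilization trace."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class PbpConfig:
    alert_pct: int = 50           # System log alert when utilization crosses this
    activate_pct: int = 50        # RED on offending sessions at or above this
    block_hold_time_s: int = 60   # seconds under RED before the session is blocked
    block_duration_s: int = 3600  # how long the block lasts once applied
    zone_enabled: bool = True     # per-zone protection; without it there is RED only


@dataclass
class PbpState:
    hold_started_at: Optional[int] = None   # when the Block Hold Time timer started
    blocked_until: Optional[int] = None     # when the Block Duration expires
    prev_util: int = 0                      # previous sample, to detect threshold crossings
    events: list = field(default_factory=list)


def step(cfg, st, t, util):
    """Return the action applied to the offending session at second t: forward, red, or blocked."""
    # A block outlives the utilization that caused it; it ends only when Block Duration expires.
    if st.blocked_until is not None:
        if t < st.blocked_until:
            st.prev_util = util
            return "blocked"
        st.blocked_until = None
        st.events.append((t, "unblock"))
    if util >= cfg.alert_pct > st.prev_util:   # log on the crossing, not on every sample
        st.events.append((t, "alert"))
    st.prev_util = util
    if util < cfg.activate_pct:
        if st.hold_started_at is not None:
            # Utilization fell below Activate before Block Hold Time expired: timer resets
            # and does not run again until the threshold is crossed again.
            st.hold_started_at = None
            st.events.append((t, "hold_timer_reset"))
        return "forward"
    if st.hold_started_at is None:
        st.hold_started_at = t                  # global RED starts and the hold timer begins
        st.events.append((t, "activate_red"))
    if cfg.zone_enabled and t - st.hold_started_at >= cfg.block_hold_time_s:
        st.blocked_until = t + cfg.block_duration_s
        st.hold_started_at = None
        st.events.append((t, "block"))
        return "blocked"
    return "red"


def simulate(cfg, trace):
    """Run the state machine over a per-second utilization trace; return (actions, events)."""
    st = PbpState()
    actions = [step(cfg, st, t, u) for t, u in enumerate(trace)]
    return actions, st.events


# Constructed trace (percent packet buffer utilization, one sample per second):
# 40 s burst that ends before the default 60 s hold time, then a 70 s burst that does not.
TRACE = [20] * 10 + [70] * 40 + [30] * 10 + [80] * 70 + [20] * 30


if __name__ == "__main__":
    for label, cfg in [("defaults", PbpConfig()),
                       ("hold 30 s", PbpConfig(block_hold_time_s=30)),
                       ("global only", PbpConfig(zone_enabled=False))]:
        actions, events = simulate(cfg, TRACE)
        print(f"{label}: {events}; blocked seconds = {actions.count('blocked')}")
```

With the defaults, the first burst only ever sees RED and the timer resets at second 50; the second burst is blocked at second 120 and stays blocked for the full Block Duration even after utilization drops. Lowering Block Hold Time to 30 seconds blocks the first burst at second 40 instead, which is the sharper penalty the NAT guidance below relies on, and disabling the zone-level setting leaves RED as the only response.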
In addition to monitoring the buffer utilization of individual
sessions, Packet Buffer Protection can also block an IP address
if certain criteria are met. While the firewall monitors the packet
buffers, if it detects a source IP address rapidly creating sessions
that would not individually be seen as an attack, it blocks that
IP address for the configured Block Duration.
Source Network Address Translation (NAT) can also inflate apparent
packet buffer utilization: an external source that translates its
internet-bound traffic with source NAT presents many unrelated sessions
from a single IP address, so one abusive session can cause the firewall
to block the shared address. If this occurs, adjust the thresholds so
that the penalty falls on individual sessions rather than on the
underlying IP address (so other sessions from the same address aren’t
affected). To do this, reduce the Block Hold Time so the firewall blocks
individual sessions that overutilize the buffers sooner, and reduce the
Block Duration so that the shared IP address is not unduly penalized.