When a firewall exhibits signs of resource depletion, it might be experiencing an attack that is sending an overwhelming number of packets. When that happens, the firewall starts buffering inbound packets. You can quickly identify the sessions that are using an excessive percentage of the on-chip packet descriptor and mitigate their impact by discarding them.

Perform the following task on any hardware-based firewall model (not a VM-Series firewall) to identify, for each slot and dataplane, the on-chip packet descriptor percentage used, the top five sessions using more than two percent of the on-chip packet descriptor, and the source IP addresses associated with those sessions. With that information, you can take appropriate action.