Packet Buffer Protection Based on Latency
Configure packet buffer protection based on CPU processing
latency to mitigate congestion on hardware firewalls.
Beginning in PAN-OS 10.0, packet buffer protection based
on packet buffer utilization is enabled by default on all firewalls
globally and for each zone.
As an alternative to packet buffer protection based on utilization,
you can now trigger packet buffer protection based on packet latency
caused by dataplane packet buffering, which indicates congestion on
the firewall. Latency-based packet buffer protection alerts you to the
congestion and performs random early drop (RED) on packets. Because it
reacts to latency rather than buffer fill level, it can trigger the
protection before latency-sensitive protocols or applications
are affected.
If your traffic includes protocols or applications
that are latency-sensitive, then packet buffer protection based
on latency will be more helpful than packet buffer protection based
on buffer utilization.
- Select Device > Setup > Session.
- Edit the Session Settings section and enable Packet Buffer Protection.
- Enable Buffering Latency Based.
- Enter the Latency Alert (milliseconds) threshold above which the firewall starts generating an Alert log event every minute; range is 1 to 20,000; default is 50.
- Enter the Latency Activate (milliseconds) threshold above which the firewall activates random early drop (RED) on incoming packets and starts generating an Activate log every 10 seconds; range is 1 to 20,000ms; default is 200ms.
- Enter the Latency Max Tolerate (milliseconds) threshold above which the firewall uses RED with close to 100% drop probability; range is 1 to 20,000ms; default is 500ms.
- Configure the Block Hold Time and Block Duration as for Packet Buffer Protection based on utilization.
- Click OK.
- Commit.
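
To sanity-check threshold choices before committing, the following added example (not Palo Alto Networks code) models the three thresholds from the steps above and replays a latency trace to estimate how many Alert and Activate log events to expect. The class and function names are hypothetical, and the strictly increasing threshold order, the one-sample-per-second trace and the log timing are simplifying assumptions.

```python
from dataclasses import dataclass

LIMIT_MS = range(1, 20001)  # documented range for all three thresholds
# Constructed trace, one latency reading (ms) per second: calm, mild, congested.
SAMPLE = [20] * 30 + [80] * 60 + [300] * 25 + [600] * 5

@dataclass(frozen=True)
class LatencyPbp:  # hypothetical name; defaults are the documented ones
    alert_ms: int = 50
    activate_ms: int = 200
    max_tolerate_ms: int = 500

    def problems(self):
        """Return a list of configuration problems (empty when sane)."""
        out = []
        for name in ("alert_ms", "activate_ms", "max_tolerate_ms"):
            if getattr(self, name) not in LIMIT_MS:
                out.append(f"{name} outside 1-20000 ms")
        # Assumption: thresholds are meant to be strictly increasing.
        if not self.alert_ms < self.activate_ms < self.max_tolerate_ms:
            out.append("expected alert < activate < max tolerate")
        return out

    def state(self, latency_ms):
        """Map one latency reading to the behaviour described in the steps."""
        if latency_ms > self.max_tolerate_ms:
            return "red-max"  # RED with close to 100% drop probability
        if latency_ms > self.activate_ms:
            return "red"      # RED active, Activate logs
        if latency_ms > self.alert_ms:
            return "alert"    # Alert logs only
        return "normal"

def replay(cfg, samples_ms):
    """Count expected logs: Alert at most every 60 s, Activate every 10 s."""
    counts = {"alert_logs": 0, "activate_logs": 0, "red_seconds": 0}
    last_alert = last_activate = None
    for t, ms in enumerate(samples_ms):
        st = cfg.state(ms)
        if st != "normal" and (last_alert is None or t - last_alert >= 60):
            counts["alert_logs"] += 1
            last_alert = t
        if st in ("red", "red-max"):
            counts["red_seconds"] += 1
            if last_activate is None or t - last_activate >= 10:
                counts["activate_logs"] += 1
                last_activate = t
    return counts
```

Replaying latency measured during a known busy period against candidate thresholds shows whether RED would have engaged and how noisy the resulting log stream would be.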