Tips & Tricks: Packet Buffer Protection (PBP)



To protect your firewall and network against single-source denial of service (DoS) attacks that can exhaust the packet buffer and disrupt legitimate traffic, Palo Alto Networks firewalls have a feature called Packet Buffer Protection (PBP).

This feature was introduced in PAN-OS 8.0 but was disabled by default at the time. Starting with PAN-OS 10.0, PBP is enabled by default, both globally and on each zone. As a best practice, make sure PBP is active globally and within each zone: the global setting defines the thresholds, and each zone must also have it enabled for mitigation to apply to traffic entering that zone. It serves as an extra layer of protection against DoS attacks, aggressive sessions and abusive sources that could otherwise exhaust your firewall's buffers. It identifies the sessions consuming the most buffer and uses Random Early Drop (RED) on them as the first line of defense. If the abuse persists past the hold-down timer, it escalates, either discarding the offending session or blocking the source IP address for the configured block duration. When the firewall sees a flurry of small sessions or rapid session creation from a particular IP address, it blocks that address.

In short, it's not just a feature; it's your firewall's bodyguard. Keep PBP turned on and you keep your network safe and sound.

 

PBP works with thresholds, so start by establishing a baseline of the firewall's packet buffer utilization under normal load. With a baseline in hand, a significant spike in buffer utilization stands out, and you can set the thresholds high enough that legitimate peaks never cross them and only an actual attack does. Alternatively, start with the default threshold values and adjust as necessary.

 

You can find the global setting and its thresholds under Device > Setup > Session > Session Settings. The per-zone setting is the Enable Packet Buffer Protection checkbox on each zone under Network > Zones.

 

Figure 1: Packet Buffer Protection settings (Session Settings dialog)

 

Alternatively, you can enable Latency Based Activation, which triggers PBP on packet-processing latency (how long packets wait before the dataplane processes them, measured in milliseconds) instead of on buffer utilization, and gives you a separate set of latency thresholds to configure:

 

Figure 2: Latency Based Activation thresholds

 

 

It's important to note that PBP is not part of a Zone Protection profile or a DoS Protection profile or policy rule. It operates independently, identifying abusive traffic by monitoring utilization of the packet buffer itself, the very resource it is designed to protect. You set the threshold at which RED kicks in and starts dropping packets of the offending session. In many cases RED alone keeps the buffers healthy by dropping only the specific problematic traffic. When an existing session threatens to deplete the buffer, the firewall's first escalation is to discard that session rather than block the host. When the abusive packets do not belong to an existing session (for example, a flood of new connection attempts), there is no session to discard, so blocking the source IP address is the only remaining option.

 

The cherry on top is that configuring PBP is much simpler than setting up DoS policies, because there are fewer threshold values to manage. You can also tune the block hold-down timer (how long utilization must stay above the block threshold before the firewall acts) and the block duration (how long an offending source stays blocked), giving you control over how aggressively PBP escalates.
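To make the interplay of the thresholds concrete, here is a small Python model, added as an example and not part of this post or of PAN-OS, that covers both the baselining step above and the escalation path (alert, RED, hold-down timer, then session discard or source block). It runs the logic the post describes over a constructed list of per-second buffer utilization samples; the threshold values, sample format, helper names and event labels are all assumptions of the model, not firewall settings or log formats.

```python
"""Simplified model of PBP threshold escalation (added example, not PAN-OS code)."""
from dataclasses import dataclass, field
from statistics import mean, pstdev
from typing import Dict, List, Optional, Tuple


@dataclass
class PbpConfig:
    # Illustrative values for the model, not PAN-OS defaults.
    alert_pct: int = 50            # log an alert when buffer use reaches this
    activate_pct: int = 80         # start Random Early Drop on the top consumer
    block_countdown_pct: int = 90  # start the hold-down timer at this level
    block_hold_time_s: int = 5     # seconds above countdown before escalating
    block_duration_s: int = 60     # how long a blocked source stays blocked


@dataclass
class Sample:
    t: int                      # seconds since start of the capture
    buffer_pct: int             # packet buffer utilization at time t
    source: str                 # source IP consuming the most buffer
    session_id: Optional[int]   # None = packets not tied to an existing session


@dataclass
class PbpState:
    countdown_start: Dict[str, int] = field(default_factory=dict)  # source -> t
    blocked_until: Dict[str, int] = field(default_factory=dict)    # source -> t


Event = Tuple[int, str, object]


def baseline(utilization: List[int]) -> Dict[str, float]:
    """Summarize normal-day buffer utilization; thresholds are sized from this."""
    return {"mean": mean(utilization), "max": max(utilization), "stdev": pstdev(utilization)}


def suggest_alert_pct(utilization: List[int], headroom_pct: int = 10) -> int:
    """Alert threshold above the observed peak so only an attack crosses it."""
    return min(100, max(utilization) + headroom_pct)


def evaluate(samples: List[Sample], cfg: PbpConfig, state: Optional[PbpState] = None) -> List[Event]:
    """Walk the samples and emit the escalation events the post describes."""
    state = state if state is not None else PbpState()
    events: List[Event] = []
    for s in samples:
        # A source still inside its block_duration is dropped outright.
        if state.blocked_until.get(s.source, -1) > s.t:
            events.append((s.t, "drop-blocked", s.source))
            continue
        if s.buffer_pct >= cfg.alert_pct:
            events.append((s.t, "alert", s.buffer_pct))
        if s.buffer_pct >= cfg.activate_pct:
            # First line of defense: RED on the offending session (or on the
            # source itself when the packets belong to no established session).
            target = s.session_id if s.session_id is not None else s.source
            events.append((s.t, "red", target))
        if s.buffer_pct >= cfg.block_countdown_pct:
            start = state.countdown_start.setdefault(s.source, s.t)
            if s.t - start >= cfg.block_hold_time_s:
                if s.session_id is not None:
                    # Existing session: discard it rather than block the host.
                    events.append((s.t, "discard-session", s.session_id))
                else:
                    # No session to discard: blocking the source is the only option.
                    state.blocked_until[s.source] = s.t + cfg.block_duration_s
                    events.append((s.t, "block-source", s.source))
                del state.countdown_start[s.source]
        else:
            # Utilization fell back below the countdown threshold: reset the timer.
            state.countdown_start.pop(s.source, None)
    return events


# Constructed data: a quiet baseline, then two bursts (one from an existing
# session, one that is pure new-session noise with no session behind it).
NORMAL_UTILIZATION = [22, 25, 31, 28, 35, 30, 27, 33]
ATTACK_SAMPLES = (
    [Sample(100 + i, 95, "10.0.0.5", 42) for i in range(6)]
    + [Sample(110 + i, 92, "203.0.113.7", None) for i in range(6)]
    + [Sample(116, 40, "203.0.113.7", None)]
)

if __name__ == "__main__":
    print("baseline:", baseline(NORMAL_UTILIZATION))
    print("suggested alert %:", suggest_alert_pct(NORMAL_UTILIZATION))
    for ev in evaluate(ATTACK_SAMPLES, PbpConfig()):
        print(ev)
```

Running it shows the two escalation outcomes side by side: the burst from session 42 is discarded exactly block_hold_time_s seconds after the countdown started, while the burst with no session behind it ends in a source block, after which that source's packets are dropped without further evaluation. The model deliberately leaves out details the post does not describe (how the firewall picks the offending session or how RED's drop probability scales with utilization), so treat it as a way to reason about threshold spacing, not as a reproduction of the dataplane.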

 

For more information on how to enable Packet Buffer Protection, see the following article: Packet Buffer Protection

 

Feel free to share your questions, comments and ideas in the section below.

 

Thank you for taking time to read this blog.

Don't forget to hit the Like (thumbs up) button and to Subscribe to the LIVEcommunity Blog area.

 

Kiwi out!

Comments
L0 Member

Hi, thank you for this article.

I have two points I would like to clarify:

1. "Latency Based Activation, which responds to CPU processing latency"

2."in the case of non-existing sessions, blocking becomes the sole option"

 

We apply PBP but the malicious sessions are never blocked, only dropped (even with the block countdown lower than the activate threshold). Also, the CPU is increasing before PBP is triggered and reaches 100% when the activate threshold is passed.

 

So why are malicious sessions not blocked? I think your point 2 is not correct, because it is the flood protection applied to the zone that is responsible for blocking new sessions, not PBP (which works with existing sessions).

For point 1, does this mean that "Latency Based Activation" can help detect an increase in CPU and trigger PBP?

 

Thank you in advance. 

 

Kind regards

 

L0 Member

I agree with the above comment. It ends up blocking legitimate IP addresses, as we have seen.

Moreover, what is highly unclear is where the PBP capacity value comes from; it is not in the datasheet either. Also, the documentation says it protects against single-session DoS attacks, but then we don't see a configurable value or a monitoring value for a per-session threshold.

Also, the relation between PBP and zone policies is not clear.

Last Updated: 10-18-2023 08:37 AM