Posted on 10-11-2023 12:14 PM, edited on 10-18-2023 08:37 AM by jforsythe
To protect your firewall and the network behind it against single-source denial of service (DoS) attacks that can exhaust the packet buffer and disrupt legitimate traffic, Palo Alto Networks firewalls include a feature called Packet Buffer Protection (PBP).
The feature was introduced in PAN-OS 8.0 but was disabled by default at the time. Starting with PAN-OS 10.0, PBP is enabled by default, both globally and on each zone. As a best practice, make sure PBP is active globally and within each zone. It serves as an extra layer of protection against DoS attacks, aggressive sessions and misbehaving sources that could otherwise exhaust the firewall's buffers. It identifies the offending sessions and uses Random Early Drop (RED) as the first line of defense. If the abuse persists, it escalates: the problematic session is discarded, or the source IP address is blocked for a configurable duration. When the firewall sees a flurry of small sessions or rapid session creation from a particular IP address, it blocks that address as well.
In short, it's not just a feature – it's your firewall's bodyguard. Keep PBP turned on, and you'll keep your network safe and sound.
PBP works with thresholds, so start by establishing baseline measurements of the firewall's packet buffer usage. With a baseline you can recognize significant spikes in buffer usage and set the thresholds high enough that they are crossed only during an actual attack. You can also start with the default threshold values and adjust as necessary.
You can find these settings under Device > Setup > Session > Session Settings.
Alternatively, you can enable Latency Based Activation, which responds to CPU processing latency rather than buffer utilization and gives you a separate set of thresholds to configure.
It's important to note that PBP isn't part of a Zone Protection profile, a DoS Protection profile or a policy rule. It operates on its own, pinpointing troublesome traffic by monitoring buffer utilization, the very resource it's designed to protect. You can set the threshold at which RED starts dropping packets of the offending session. In many cases RED alone keeps the buffers healthy by dropping only the specific problematic traffic. When existing sessions threaten to deplete the buffer, the firewall's first response is to discard the session rather than block the host. For traffic that does not belong to an existing session, blocking is the only option.
Configuring PBP is also much simpler than setting up DoS policies, because there are fewer threshold values to manage. In addition, you can tune the block hold timer and specify how long a host stays blocked, which gives you added control over how aggressively the firewall reacts.
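Here is an added worked example (my own script, not code from this post or from Palo Alto Networks) that ties the steps above together: it takes a quiet-period sample of packet buffer utilization (a constructed excerpt in the approximate shape of `show running resource-monitor second last 60`), computes the baseline, derives thresholds with a headroom rule of my own, sanity-checks them, walks a utilization time series through a simplified model of the alert/RED/block behaviour described above, and prints the PAN-OS `set` commands. The command syntax, the output layout and the default values (50/80/80, 60 s hold, 3600 s block) are from memory and are assumptions to verify against your release's admin guide and the CLI's `?` completion; the simulation illustrates the described behaviour and is not the firewall's actual algorithm.

```python
"""Baseline packet-buffer use, pick PBP thresholds and emit the PAN-OS CLI.
Added example: not code from the post or from Palo Alto Networks."""
import math
import re
import statistics
from dataclasses import dataclass

# Constructed excerpt in the rough shape of `show running resource-monitor
# second last 60` for one dataplane during a quiet period (layout assumed).
SAMPLE_OUTPUT = """\
DP dp0:
packet buffer (%) during last 60 seconds:
 3  4  4  3  5  4  4  6  5  4  4  3  4  5  4  4  3  4  5  6
 4  4  5  4  3  4  4  5  4  4  4  5  4  3  4  4  5  6  5  4
 3  4  5  4  4  3  4  4  5  4  4  5  4  3  4  5  4  4  3  4
CPU load maximum (%) during last 60 seconds:
"""


@dataclass(frozen=True)
class PbpThresholds:
    alert: int            # % buffer use that only raises a log
    activate: int         # % buffer use at which RED starts dropping
    block_countdown: int  # % buffer use that starts the block countdown
    block_hold_time: int  # seconds above block_countdown before blocking
    block_duration: int   # seconds the session/source stays blocked


# Defaults as I recall them from the PAN-OS 10 admin guide; verify on your release.
DEFAULTS = PbpThresholds(50, 80, 80, 60, 3600)


def parse_packet_buffer_samples(text: str) -> list[int]:
    """Collect the integer rows that follow the 'packet buffer (%)' header."""
    samples, capturing = [], False
    for line in text.splitlines():
        if line.lower().startswith("packet buffer (%)"):
            capturing = True
        elif capturing and re.fullmatch(r"\s*\d+(\s+\d+)*\s*", line):
            samples.extend(int(x) for x in line.split())
        elif capturing:
            break  # next counter section reached
    return samples


def baseline(samples: list[int]) -> dict[str, float]:
    s = sorted(samples)
    p95 = s[min(len(s) - 1, math.ceil(0.95 * len(s)) - 1)]
    return {"mean": statistics.fmean(s), "p95": p95, "max": s[-1]}


def recommend_thresholds(samples: list[int],
                         defaults: PbpThresholds = DEFAULTS) -> PbpThresholds:
    """My own headroom rule: alert at 3x the quiet-period peak (rounded up to 5),
    never below the defaults, activate at least 10 above alert. A quiet
    baseline therefore keeps the shipped defaults unchanged."""
    peak = baseline(samples)["max"]
    alert = min(85, max(defaults.alert, 5 * math.ceil(3 * peak / 5)))
    activate = min(95, max(defaults.activate, alert + 10))
    countdown = max(defaults.block_countdown, activate)
    return PbpThresholds(alert, activate, countdown,
                         defaults.block_hold_time, defaults.block_duration)


def validate(th: PbpThresholds) -> list[str]:
    """Sanity checks worth running before committing."""
    problems = []
    if not 0 < th.alert < th.activate <= 99:
        problems.append("need 0 < alert < activate <= 99")
    if th.block_countdown < th.activate:
        problems.append("block countdown below activate: blocking can start before RED")
    return problems


def simulate(utilization: list[int], th: PbpThresholds) -> list[str]:
    """Simplified one-second model of what the post describes (not the real
    algorithm): alert logs, activate applies RED, and staying above
    block_countdown for block_hold_time seconds blocks for block_duration."""
    events, above, blocked_until = [], 0, -1
    for t, u in enumerate(utilization):
        if t < blocked_until:
            events.append("blocked")
            continue
        above = above + 1 if u >= th.block_countdown else 0
        if above >= th.block_hold_time:
            blocked_until, above = t + th.block_duration, 0
            events.append("block")
        elif u >= th.activate:
            events.append("red")
        elif u >= th.alert:
            events.append("alert")
        else:
            events.append("normal")
    return events


def cli_commands(th: PbpThresholds, zones: list[str]) -> list[str]:
    """PAN-OS `set` syntax from memory; confirm with `?` completion first."""
    base = "set deviceconfig setting session packet-buffer-protection-"
    cmds = [base + "enable yes", f"{base}alert {th.alert}",
            f"{base}activate {th.activate}",
            f"{base}block-countdown {th.block_countdown}",
            f"{base}block-hold-time {th.block_hold_time}",
            f"{base}block-duration {th.block_duration}"]
    cmds += [f"set zone {z} network enable-packet-buffer-protection yes" for z in zones]
    return cmds


if __name__ == "__main__":
    th = recommend_thresholds(parse_packet_buffer_samples(SAMPLE_OUTPUT))
    print(th, validate(th), *cli_commands(th, ["trust", "untrust"]), sep="\n")
```

With the quiet baseline above (peaks around 6%) the script hands back the shipped defaults untouched, which is the point of baselining first: the thresholds only need raising when normal peaks creep toward them. Feed `simulate()` a series that sits above the block countdown for longer than the hold time and you can see the RED phase, the block and the block duration play out before you commit the values.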
For more information on how to Enable Packet Buffer Protection, please review the following article: Packet Buffer Protection
Feel free to share your questions, comments and ideas in the section below.
Thank you for taking time to read this blog.
Don't forget to hit the Like (thumbs up) button and to Subscribe to the LIVEcommunity Blog area.
Kiwi out!
Hi, thank you for this article.
I have two points I would like to clarify:
1. "Latency Based Activation, which responds to CPU processing latency"
2. "in the case of non-existing sessions, blocking becomes the sole option"
We apply PBP, but the malicious sessions are never blocked, only dropped (even with the block countdown lower than the activate threshold). Also, the CPU is increasing before PBP is triggered and reaches 100% when activate is passed.
So why are malicious sessions not blocked? I think your point 2 is not correct, because it is the flood protection applied to the zone that is responsible for blocking new sessions, not PBP (which works with existing sessions).
For point 1, does this mean that "Latency Based Activation" can help to detect an increase in CPU and trigger PBP?
Thank you in advance.
Kind regards
I agree with the above comment. It ends up blocking legitimate IP addresses, which we have seen.
Moreover, what is highly unclear is where the PBP capacity value comes from; it's not in the datasheet either. Also, the documentation says it protects against single-session DoS attacks, but then we don't see a configurable value or a monitoring value for a per-session threshold.
Also, PBP's relation to zone policies is not clear.