What effect does Packet Buffer Protection have if it is enabled globally but not enabled on Zones?
Created On 04/23/20 00:07 AM - Last Modified 06/01/23 16:31 PM
Symptom
Symptom:
- "PBP Packet Drop" threat logs are observed for traffic in Zones without Packet Buffer Protection enabled.
Condition:
- Packet Buffer Protection (PBP) is enabled globally under: [ Device > Setup > Session > Session Settings > Packet Buffer Protection ]
- Packet Buffer Protection is not enabled on the Zone, or not enabled on any Zones
Environment
- PAN-OS 8.0
- PAN-OS 8.1
- PAN-OS 9.0
- PAN-OS 9.1
Cause
This is working as expected.
Whenever Packet Buffer Protection is enabled globally, it protects the packet buffers against sessions that are abusing them by applying RED (random early drop). This triggers:
- Threat ID: 8507 / Threat type: Flood / Threat name: PBP Packet Drop
When Packet Buffer Protection is then also enabled per zone, the protection is extended with Discard and Block actions, which trigger:
- Threat ID: 8508 / Threat type: Flood / Threat name: PBP Session Discarded
- Threat ID: 8509 / Threat type: Flood / Threat name: PBP IP Blocked
A quick reference to the differences between these actions:
- RED = randomly drop packets belonging to the offending session or offending host
- Discard = set the offending session's state to discard (only when there is an active session depleting resources)
- Block = block the source IP (usually for slow-path resource depletion, where no active session is present)
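As an added example (not from this article or from Palo Alto Networks), the reasoning above expressed as triage logic in Python: given the from-zone and threat-name fields of PBP threat-log events, pre-extracted into dicts with constructed sample values, it decides whether each event is expected for the zones that have PBP enabled, and flags the PA-5200 reporting issue described under Additional Information. The dict field names, the pbp_zones set and the pa5200_pre_10_0 flag are this example's own assumptions.

```python
import re
from collections import Counter

# Threat IDs documented for Packet Buffer Protection (PBP), grouped by the tier that emits them.
GLOBAL_IDS = {8507}      # "PBP Packet Drop": global PBP applying RED
ZONE_IDS = {8508, 8509}  # "PBP Session Discarded" / "PBP IP Blocked": per-zone PBP

# The threat-name field of a PAN-OS threat log has the form "Name(ID)".
THREAT_RE = re.compile(r"^(?P<name>PBP [A-Za-z ]+)\((?P<id>\d+)\)$")

def triage_pbp_event(event, pbp_zones, pa5200_pre_10_0=False):
    """Explain one PBP threat-log event; field names are this example's own.
    pbp_zones: zones with PBP enabled in their zone protection profile.
    pa5200_pre_10_0: True for a PA-5200 on PAN-OS before 10.0.0, where global
        PBP drops are mislabelled "PBP Session Discarded" (PAN-119914).
    Returns (tier, verdict), or None when the event is not a PBP event."""
    m = THREAT_RE.match(event["threat"])
    if not m:
        return None
    tid = int(m.group("id"))
    if tid in GLOBAL_IDS:
        # Global PBP acts in every zone, so 8507 in a zone without PBP is expected.
        return ("global", "expected")
    if tid in ZONE_IDS:
        if event["from_zone"] in pbp_zones:
            return ("zone", "expected")
        if tid == 8508 and pa5200_pre_10_0:
            # Reporting bug only: the action actually carried out was a RED packet drop.
            return ("global", "mislabelled (PAN-119914): actual action is PBP Packet Drop")
        # A per-zone action logged for a zone without PBP: verify the zone configuration.
        return ("zone", "unexpected: verify zone protection configuration")
    return None

def summarize(events, pbp_zones, pa5200_pre_10_0=False):
    """Count (tier, verdict) pairs across a batch of threat-log events."""
    counts = Counter()
    for ev in events:
        result = triage_pbp_event(ev, pbp_zones, pa5200_pre_10_0)
        if result is not None:
            counts[result] += 1
    return counts

# Constructed sample events carrying only the two fields the triage needs.
SAMPLE_EVENTS = [
    {"from_zone": "untrust", "threat": "PBP Packet Drop(8507)"},
    {"from_zone": "dmz", "threat": "PBP Session Discarded(8508)"},
    {"from_zone": "untrust", "threat": "PBP IP Blocked(8509)"},
    {"from_zone": "trust", "threat": "Other Threat(0)"},  # constructed non-PBP placeholder
]
```

Running summarize(SAMPLE_EVENTS, {"dmz"}) counts one event each of ("global", "expected"), ("zone", "expected") and ("zone", "unexpected: verify zone protection configuration"); the 8507 drop in the untrust zone is expected even though that zone has no PBP, which is the situation this article describes.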
Resolution
If global Packet Buffer Protection is causing unwanted drops, raise its Activate threshold to a higher value (e.g. 80%) or disable global Packet Buffer Protection (not recommended).
Additional Information
PA-5200 Series firewalls have a mapping issue (ref. PAN-119914, resolved in PAN-OS 10.0.0) that causes global Packet Buffer Protection to write incorrect Threat log entries as "PBP Session Discarded" when it is actually executing a "PBP Packet Drop". This issue affects only how the firewall reports its action, not the action it actually carries out.