What effect does Packet Buffer Protection have if it is enabled globally but not enabled on Zones? - Knowledge Base - Palo Alto Networks

Created On 04/23/20 00:07 AM - Last Modified 06/01/23 16:31 PM


Symptom

  • "PBP Packet Drop" threat logs are observed for traffic in Zones without Packet Buffer Protection enabled.

Condition:
  • Packet Buffer Protection (PBP) is enabled globally under: [ Device > Setup > Session > Session Settings > Packet Buffer Protection ]
  • Packet Buffer Protection is not enabled on the Zone in question, or not enabled on any Zone

Environment


  • PAN-OS 8.0
  • PAN-OS 8.1
  • PAN-OS 9.0
  • PAN-OS 9.1


Cause


This is working as expected.

Whenever Packet Buffer Protection is enabled globally, it protects the packet buffers against sessions that abuse them by executing Random Early Drop (RED), regardless of the per-zone setting. These drops are logged as:
  • Threat ID: 8507 / Threat type: Flood / Threat name: PBP Packet Drop

When Packet Buffer Protection is additionally enabled per-zone, the protection is extended with the Discard and Block actions, which are logged as:
  • Threat ID: 8508 / Threat type: Flood / Threat name: PBP Session Discarded
  • Threat ID: 8509 / Threat type: Flood / Threat name: PBP IP Blocked

A quick reference to the differences between these actions:
  • RED = randomly drops packets belonging to the offending session or offending host
  • Discard = sets the offending session's state to Discard (only applies when there is a session depleting resources)
  • Block = blocks the source IP (usually for slow-path resource depletion, where no active session is present)


Resolution


If global Packet Buffer Protection is causing unwanted drops, raise the activate threshold to a higher value (e.g. 80%) or disable global Packet Buffer Protection (not recommended).

Additional Information


PA-5200 Series firewalls have a mapping issue (ref. PAN-119914, resolved in PAN-OS 10.0.0) that causes global Packet Buffer Protection to write incorrect Threat log entries as "PBP Session Discarded" when it is in reality executing a "PBP Packet Drop". This issue only affects how the firewall reports its action, not the action it actually carries out.
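The following Python script is an added triage example, not Palo Alto Networks code, covering both the Cause section (which Threat IDs global versus per-zone PBP can produce) and the PA-5200 reporting caveat above. It assumes threat logs have already been parsed into dicts with the field names used below, that per-zone PBP is evaluated on the session's ingress zone, and that the per-zone configuration is known; the log records, zone map and platform strings are constructed for illustration.

```python
"""Triage constructed Packet Buffer Protection (PBP) threat log records.

Added example, not Palo Alto Networks code. It assumes threat logs have
already been parsed into dicts with the field names used below and that
per-zone PBP is evaluated on the session's ingress zone; the records,
zone map and platform strings are constructed for illustration.
"""
from __future__ import annotations

# Threat IDs from the article: global PBP alone produces only 8507;
# per-zone PBP adds the Discard (8508) and Block (8509) actions.
PBP_THREATS = {
    8507: ("PBP Packet Drop", "RED"),
    8508: ("PBP Session Discarded", "Discard"),
    8509: ("PBP IP Blocked", "Block"),
}

# Constructed per-zone PBP configuration (assumption: only "dmz" has zone PBP on).
ZONE_PBP_ENABLED = {"untrust": False, "trust": False, "dmz": True}

# Constructed log records; real threat logs carry many more fields.
SAMPLE_LOGS = [
    {"threat_id": 8507, "zone": "untrust", "src": "203.0.113.10"},
    {"threat_id": 8508, "zone": "untrust", "src": "203.0.113.11"},
    {"threat_id": 8509, "zone": "dmz", "src": "198.51.100.7"},
    {"threat_id": 8508, "zone": "trust", "src": "192.0.2.5"},
]


def pan_os_major(version: str) -> int:
    """Major number of a dotted PAN-OS version string such as '9.1.3'."""
    return int(version.split(".")[0])


def has_pa5200_reporting_issue(model: str, version: str) -> bool:
    """PA-5200 Series before PAN-OS 10.0.0 log 8508 for what is really an 8507
    packet drop (PAN-119914); the enforced action itself is unaffected."""
    return model.startswith("PA-52") and pan_os_major(version) < 10


def triage(record: dict, zone_pbp: dict, model: str, version: str) -> dict:
    """Explain one PBP threat log entry relative to the PBP configuration.

    Returns the effective action and whether the entry is expected, so an
    analyst can tell "global PBP doing its job" from a configuration mismatch.
    """
    tid = record["threat_id"]
    if tid not in PBP_THREATS:
        return {"threat_id": tid, "effective_action": None, "verdict": "not a PBP event"}
    name, action = PBP_THREATS[tid]
    zone_enabled = zone_pbp.get(record["zone"], False)

    if tid == 8507:
        # RED drops occur wherever global PBP is on, whatever the zone setting.
        verdict = "expected: global PBP applies to every zone"
    elif zone_enabled:
        verdict = "expected: per-zone PBP adds Discard/Block"
    elif tid == 8508 and has_pa5200_reporting_issue(model, version):
        # Mislabelled entry: the firewall actually performed a RED packet drop.
        name, action = PBP_THREATS[8507]
        verdict = "expected: PA-5200 mislabels 8507 drops as 8508 before PAN-OS 10.0.0"
    else:
        verdict = "unexpected: zone-level action logged for a zone without zone PBP; verify config"

    return {"threat_id": tid, "threat_name": name, "effective_action": action,
            "zone": record["zone"], "verdict": verdict}


def summarize(records, zone_pbp, model, version) -> dict:
    """Count triaged records per effective action and collect unexpected ones."""
    counts = {}
    unexpected = []
    for rec in records:
        result = triage(rec, zone_pbp, model, version)
        counts[result["effective_action"]] = counts.get(result["effective_action"], 0) + 1
        if result["verdict"].startswith("unexpected"):
            unexpected.append(result)
    return {"by_action": counts, "unexpected": unexpected}


if __name__ == "__main__":
    # Same constructed logs, two constructed platforms: the PA-5200 one shows
    # the 8508 entries collapsing back to RED drops, the other flags them.
    for platform in (("PA-5220", "9.1.3"), ("PA-3220", "9.1.3")):
        print(platform, summarize(SAMPLE_LOGS, ZONE_PBP_ENABLED, *platform))
```

The point of the split between `triage` and `summarize` is that an 8507 entry in a zone without PBP is not a finding at all, whereas an 8508 or 8509 entry in such a zone is either the PA-5200 reporting issue or a sign that the deployed configuration differs from what the analyst believes.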
