How to mitigate High DP CPU issue due to an increase in flow of traffic denied at slowpath stage by a security policy
Created On 05/31/23 17:58 PM - Last Modified 08/23/23 22:04 PM
Objective
To mitigate a high DP CPU issue caused by an increase in the flow of traffic denied at the slowpath stage by a security policy. Note: this root cause of high DP CPU would have been determined by noticing that the increase in DP CPU coincides with an increase in the "flow_policy_deny" global counter and an increase in both the "flow_slowpath count" and "flow_slowpath total-us" values in the output of "debug dataplane pow performance", indicating that the traffic's sessions are being denied at the slowpath stage.
Environment
- Palo Alto Firewall
- DP CPU
- Security Policy with action deny
- Flow slowpath
Procedure
- Identify the source of the traffic experiencing an increase in its sessions being denied:
  - Check the traffic logs: Monitor > Logs > Traffic and use the search filter (action eq deny).
  - If your search comes up empty, you most likely need to enable logging on the security policy that is denying the traffic. This security policy may be the interzone-default rule, which you need to override in order to enable Log at Session End and/or Log at Session Start.
  - Check the ACC tab: ACC and use the action deny filter.
- Determine the eligibility of the denied traffic:
  - If the traffic is eligible and shouldn't have been denied by the firewall:
    - Create a security policy for this traffic with action allow or alert and apply the proper security profile to it.
  - If the traffic is not eligible:
    - Attempt to stop the traffic at its source or closer to its source.
    - Otherwise, use a DoS protection policy to protect the firewall against this offending traffic:
      - If the offender IP(s) are known, create a DoS protection policy under POLICIES > DoS Protection. You need to be able to define the source and destination zones and IPs as well as the service port, so that you can set the action to Deny without affecting other eligible traffic.
      - If the offender IP and the service port are unknown, but it is determined that there is one source of traffic coming from a defined zone and going to defined destinations, create a DoS protection policy with the Classified option enabled and the action set to Protect, and attach a DoS protection profile to it.
        In the example shown above, the Address is set to source-ip-only; the other valid option would be to set it to src-dest-ip-both. For more details on why those two options are the only valid ones in this case, refer to High on-chip descriptor and packet buffer usage due to policy deny resulting in traffic latency and drops (Mitigation step 4). As for which Flood Protection to enable and configure under the DoS protection profile, that is based on your findings in step 1: for example, if the denied traffic is UDP traffic, enable UDP Flood.
      - If the offenders are unknown and it is found that multiple sources are triggering the denied traffic, create a DoS protection policy with the Aggregate option enabled and the action set to Protect, and attach a DoS protection profile to it. Your findings in step 1 will determine which Flood Protection to enable and configure under the DoS protection profile; for example, if the denied traffic is UDP traffic, enable UDP Flood.
- As a best practice, and in order to protect the firewall's resources, it is always recommended to enable packet buffer protection globally under Device > Setup > Session Settings and per zone under Network > Zones.
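As an added triage helper for step 1 (this is example code, not part of the original article or of PAN-OS), the following Python script reads a constructed sample shaped like a Monitor > Logs > Traffic CSV export, counts denied sessions per source address and per zone/protocol/port tuple, and suggests whether the known-offender path (explicit DoS policy, action Deny) or the Aggregate path applies. The column names and the 80% single-source threshold are assumptions; match the columns to your own export's header row.

```python
import csv
from collections import Counter
from io import StringIO

# Constructed sample in the shape of a Monitor > Logs > Traffic CSV export
# (column names are an assumption; match them to your export's header row).
SAMPLE_EXPORT = """\
Receive Time,Source address,Destination address,Source Zone,Destination Zone,IP Protocol,Destination Port,Action,Rule
2023/05/31 17:58:01,203.0.113.10,198.51.100.5,untrust,trust,udp,5060,deny,interzone-default
2023/05/31 17:58:01,203.0.113.10,198.51.100.5,untrust,trust,udp,5060,deny,interzone-default
2023/05/31 17:58:02,203.0.113.10,198.51.100.6,untrust,trust,udp,5060,deny,interzone-default
2023/05/31 17:58:02,203.0.113.11,198.51.100.5,untrust,trust,udp,5060,deny,interzone-default
2023/05/31 17:58:03,192.0.2.20,198.51.100.7,untrust,dmz,tcp,443,allow,allow-web
2023/05/31 17:58:03,203.0.113.10,198.51.100.5,untrust,trust,udp,5060,deny,interzone-default
"""


def summarize_denies(export_text, single_source_share=0.8):
    """Summarize denied sessions from a traffic log export.

    Returns the deny count, the top source addresses, the dominant
    (src zone, dst zone, protocol, dst port) tuple, and a suggestion:
    'known-sources' when one address produces at least single_source_share
    of the denies (explicit DoS policy, action Deny), else 'aggregate'
    (many sources, Aggregate policy, action Protect). The 0.8 threshold is
    an assumption for this example, not a PAN-OS value.
    """
    sources, flows = Counter(), Counter()
    total = 0
    for row in csv.DictReader(StringIO(export_text)):
        if row["Action"].strip().lower() != "deny":
            continue
        total += 1
        sources[row["Source address"]] += 1
        flows[(row["Source Zone"], row["Destination Zone"],
               row["IP Protocol"], row["Destination Port"])] += 1
    if total == 0:
        return {"deny_total": 0, "top_sources": [], "dominant_flow": None,
                "suggested_policy": None}
    top_source, top_count = sources.most_common(1)[0]
    suggested = ("known-sources" if top_count / total >= single_source_share
                 else "aggregate")
    return {"deny_total": total,
            "top_sources": sources.most_common(5),
            "dominant_flow": flows.most_common(1)[0][0],
            "suggested_policy": suggested}


if __name__ == "__main__":
    # The dominant flow tells you which Flood Protection (here UDP) to enable.
    print(summarize_denies(SAMPLE_EXPORT))
```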
Additional Information
For more information on the behavior of the firewall and its impact when high DP processing activity is caused by an increase in the flow of traffic denied by a security policy, refer to: High on-chip descriptor and packet buffer usage due to policy deny resulting in traffic latency and drops.
For more details on the packet flow sequence and the slowpath stage, refer to Packet Flow Sequence in PAN-OS.