How to identify the packet buffer misconfiguration

Created On 03/20/20 21:25 PM - Last Modified 03/20/24 14:20 PM


Symptom


  • Threat logs show a flooding event with threat ID 8507.
  • The threat log entries do not match any security policy.
  • Packets are being dropped in one zone or in all zones.


Environment


  • Any PAN-OS.
  • Palo Alto Firewall.
  • Packet Buffer Protection configured.


Cause


The configured Packet Buffer Protection activation rate is too low, or a packet buffer attack is in progress.

Resolution


Troubleshooting steps 

  1. Check the global PBP (Packet Buffer Protection) configuration at Device > Setup > Session Settings for the Activate and Alert rates. Raise the activation rate if it is very low or if it is lower than the Alert rate.

  2. The default activation rate is 50%; it can be raised to 60% or 70%.

  3. Check that PBP is enabled at the zone level in the GUI under Network > Zones.

  4. Check the zone-level DoS protection settings for the TCP, UDP and ICMP protocols, including their activation and alarm rates. Sometimes the activation rate is set to zero together with SYN cookies; this forces the firewall to send a SYN cookie for every TCP session.

  5. Identify the current buffer utilization and the session that is causing the issue.

    • From the CLI, issue the following command, read the "packet buffer (average)" and "packet buffer (maximum)" values, and compare the average value to the globally configured activation rate at Device > Setup > Session Settings.
      show running resource-monitor
    • Identify the top session and its maximum buffer usage with the following CLI command:
      show running resource-monitor ingress-backlogs

