https://live.paloaltonetworks.com/t5/support-faq/support-faq-flood-attacks-configuration-amp-troubleshooting-best/ta-p/1232249 <DIV class="lia-message-template-content-zone"> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Title_Flood-Attacks_palo-alto-networks.jpg" style="width: 960px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/68119iF7CF3517CA9A5BCC/image-size/large?v=v2&amp;px=999" role="button" title="Title_Flood-Attacks_palo-alto-networks.jpg" alt="Title_Flood-Attacks_palo-alto-networks.jpg" /></span></P> <P>&nbsp;</P> <P><FONT size="2" color="#333333"><STRONG><EM>&nbsp;Written by&nbsp;Alex Laulhe. With special thanks to&nbsp;Anupam S. &amp; Amogh G. for their contributions.</EM></STRONG></FONT></P> <P>&nbsp;</P> <P>&nbsp;</P> <P><SPAN>This&nbsp;guide is designed to help firewall admins effectively </SPAN><STRONG>understand</STRONG> <STRONG>flood attack prevention</STRONG><SPAN> and </SPAN><STRONG>troubleshoot</STRONG> <STRONG>flooding incidents</STRONG><SPAN> detected by Palo Alto Networks firewalls. Whether the event is triggered by </SPAN><STRONG><I>packet</I></STRONG> <STRONG><I>buffer protection (PBP)</I></STRONG><STRONG>, </STRONG><STRONG><I>Zone Protection (ZPP)</I></STRONG><STRONG>, or </STRONG><STRONG><I>DoS protection profiles (DoSP)</I></STRONG><SPAN>, this document provides guidance on how to identify the type of flood, determine the root cause, and take corrective &amp; preventive actions through “</SPAN><I><SPAN>Best Practices”.&nbsp;</SPAN></I></P> <P>&nbsp;</P> <P><FONT color="#FF0000"><I><SPAN>N.B: Please note that this document is a collection of best practices and knowledge from our PAN Community. It does not replace our official guides.</SPAN></I></FONT><SPAN><BR /></SPAN></P> <P><FONT color="#000000"><I><SPAN>_________________________________________________________________________________________________</SPAN></I></FONT></P> <P>&nbsp;</P> <P><FONT color="#000000"><STRONG>Part 1 - </STRONG><SPAN>&nbsp;Understanding Flood Prevention and Best Practices</SPAN></FONT></P> <P>&nbsp;</P> <P><FONT color="#000000"><STRONG>Part 2 -</STRONG><SPAN> Troubleshooting Flood Attacks: Workflow &amp; CLI Commands!</SPAN></FONT></P> <P><FONT color="#000000"><I><SPAN>_________________________________________________________________________________________________</SPAN></I></FONT></P> <P>&nbsp;</P> <H1><FONT color="#FF6600"><STRONG>Part 1 - Understanding Flood Attack Prevention on NGFWs&nbsp;</STRONG></FONT></H1> <P>&nbsp;</P> <P><SPAN>Flood attacks aim to overwhelm network resources by sending large volumes of traffic, typically to exhaust bandwidth or system processing capacity. Palo Alto Networks Next-Generation Firewalls (NGFWs) provide multiple layers of protection to detect and prevent these attacks, including:</SPAN></P> <P>&nbsp;</P> <OL class="lia-list-style-type-upper-alpha"> <LI style="font-weight: 400;" aria-level="1"><SPAN>​​</SPAN><STRONG>Zone Protection Profiles (ZPP)</STRONG><SPAN>: First line of defense, applied at the ingress interface to protect entire zones.​</SPAN><SPAN><BR /><BR /></SPAN></LI> <LI style="font-weight: 400;" aria-level="1"><STRONG>DoS Protection Policies (DoSP)</STRONG><SPAN>: Second layer, applied </SPAN><SPAN>after session creation </SPAN><SPAN>to protect specific resources.​</SPAN><SPAN><BR /><BR /></SPAN></LI> <LI style="font-weight: 400;" aria-level="1"><STRONG>Packet Buffer Protection (PBP)</STRONG><SPAN>: Final layer, monitors and protects the firewall's internal resources during </SPAN><SPAN>active sessions.</SPAN></LI> </OL> <P><SPAN><FONT color="#000000"><I>_________________________________________________________________________________________________</I></FONT></SPAN></P> <P>&nbsp;</P> <H2><FONT color="#000000"><STRONG>A. Zone Protection Profiles (ZPP)</STRONG></FONT></H2> <P>&nbsp;</P> <P><STRONG>Purpose</STRONG><SPAN>: Zone Protection Profiles are defensive mechanisms applied at the zone level (not individual rules) to protect against network floods, reconnaissance, and protocol-based attacks </SPAN><STRONG>before</STRONG> <STRONG>a session is even established.</STRONG><STRONG><BR /><BR /></STRONG></P> <H3><STRONG>Good to know:</STRONG></H3> <P><STRONG>Zone protection</STRONG><SPAN> will be enforced </SPAN><STRONG>before</STRONG> <STRONG>DoS policy</STRONG> <STRONG>lookup</STRONG> <SPAN>IF</SPAN><SPAN> an IP happens to be present in both the profiles:</SPAN><SPAN><BR /><BR /></SPAN></P> <UL> <LI style="font-weight: 400;" aria-level="1"><SPAN>It can be used as a template configuration for applying similar settings to multiple zones.&nbsp;</SPAN></LI> <LI style="font-weight: 400;" aria-level="1"><SPAN>These settings apply to the ingress zone (i.e. the zone where traffic enters the firewall).&nbsp;</SPAN></LI> <LI style="font-weight: 400;" aria-level="1"><SPAN>Zone protection settings apply to all interfaces within the zone for which the profile is configured.</SPAN></LI> <LI style="font-weight: 400;" aria-level="1"><SPAN>It applies to all traffic passing through the zone and it’s not based per source, destination or source-destination (Aggregate)</SPAN><SPAN><BR /></SPAN></LI> </UL> <P><SPAN><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Fig 1_Flood-Attacks_palo-alto-networks.jpg" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/68114i5F7FBA9032999AD9/image-size/large?v=v2&amp;px=999" role="button" title="Fig 1_Flood-Attacks_palo-alto-networks.jpg" alt="Fig 1_Flood-Attacks_palo-alto-networks.jpg" /></span></SPAN></P> <H3><STRONG>Key Protection Mechanisms:</STRONG></H3> <OL> <LI style="font-weight: 400;" aria-level="1"><STRONG>Flood Protection</STRONG><SPAN>: Mitigates high-volume traffic attacks such as SYN, ICMP, and UDP floods by setting thresholds to detect and drop excessive packets.​</SPAN><SPAN><BR /><BR /></SPAN></LI> <LI style="font-weight: 400;" aria-level="1"><STRONG>Reconnaissance Protection</STRONG><SPAN>: Detects and blocks scanning activities like TCP/UDP port scans and host sweeps, which are often precursors to more targeted attacks.</SPAN><SPAN><BR /><BR /></SPAN></LI> <LI style="font-weight: 400;" aria-level="1"><STRONG>Packet-Based Attack Protection</STRONG><SPAN>: Identifies and discards malformed or malicious packets that could exploit vulnerabilities in network protocols.​</SPAN><SPAN><BR /><BR /></SPAN></LI> <LI style="font-weight: 400;" aria-level="1"><STRONG>Non-IP Protocol Protection</STRONG><SPAN>: Controls traffic using non-IP protocols, preventing potential abuse of less common communication methods.​</SPAN></LI> </OL> <P>&nbsp;</P> <H3><STRONG>Best Practices</STRONG></H3> <UL> <LI style="font-weight: 400;" aria-level="1"><STRONG>Configure Flood Protection</STRONG><SPAN> under</SPAN><I><SPAN> Network &gt; Network Profiles &gt; Zone Protection &gt; Zone Protection Profile &gt; Flood Protection</SPAN></I><SPAN> and </SPAN><STRONG>apply it to the ingress zone of the traffic flood.</STRONG><STRONG><BR /><BR /></STRONG></LI> <LI style="font-weight: 400;" aria-level="1"><STRONG>Tailored Profiles</STRONG><SPAN>: Customize Zone Protection Profiles based on the specific needs and typical traffic patterns of each zone (</SPAN><A href="https://docs.paloaltonetworks.com/best-practices/dos-and-zone-protection-best-practices/dos-and-zone-protection-best-practices/deploy-dos-and-zone-protection-using-best-practices" target="_blank" rel="noopener"><SPAN>follow best practices</SPAN></A><SPAN>)</SPAN><SPAN><BR /><BR /></SPAN></LI> <LI style="font-weight: 400;" aria-level="1"><STRONG>Monitoring and Adjustment</STRONG><SPAN>: Regularly monitor the effectiveness of protection mechanisms and adjust thresholds as necessary to balance security and performance.​</SPAN><SPAN><BR /></SPAN></LI> </UL> <P>&nbsp;</P> <UL> <LI aria-level="1"><STRONG>Complementary Measures</STRONG><SPAN>: In addition to Zone Protection, implement DoS Protection profiles, PBP and Security Profiles to provide layered defense strategies.​</SPAN><STRONG><BR /></STRONG><STRONG><BR /></STRONG><STRONG>References&nbsp; </STRONG><SPAN>:</SPAN><A href="https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-admin/zone-protection-and-dos-protection" target="_blank" rel="noopener"><SPAN> Zone Protection Profiles</SPAN></A><SPAN>&nbsp; &amp;&nbsp; </SPAN><A href="https://docs.paloaltonetworks.com/best-practices/dos-and-zone-protection-best-practices/dos-and-zone-protection-best-practices/deploy-dos-and-zone-protection-using-best-practices" target="_blank" rel="noopener"><SPAN>Best Practices</SPAN></A></LI> </UL> <P><SPAN><FONT color="#000000"><I>_________________________________________________________________________________________________</I></FONT></SPAN></P> <P>&nbsp;</P> <H2><FONT color="#000000"><STRONG>B. DoS Protection Policies (DoSP)</STRONG></FONT></H2> <P>&nbsp;</P> <P><STRONG>Purpose</STRONG><SPAN>: </SPAN><SPAN>DoS Protection Profiles are policies that </SPAN><STRONG>protect specific targets</STRONG><SPAN> (like critical servers or services - i.e. policies can be configured to match zone, interface, IP address or user information as match conditions) from Denial of Service (DoS) attacks. Unlike Zone Protection Profiles (which protect at the </SPAN><I><SPAN>zone level</SPAN></I><SPAN>), DoS profiles focus on more granular control and operating </SPAN><STRONG>after a session is established.</STRONG><STRONG><BR /><BR /></STRONG></P> <H3><STRONG>Key Components:</STRONG></H3> <P><STRONG>DoS Protection Profile</STRONG><SPAN>: Defines </SPAN><STRONG>how</STRONG><SPAN> to detect and mitigate attacks (thresholds, actions, flood types). It's a reusable set of settings.</SPAN></P> <P>&nbsp;</P> <P><STRONG>DoS Rule</STRONG><SPAN>: Defines </SPAN><STRONG>where</STRONG><SPAN> and </SPAN><STRONG>to whom</STRONG><SPAN> the profile applies (zones, IPs, interfaces). It matches traffic and applies a specific DoS profile.</SPAN></P> <BR /> <P><STRONG>How It Works</STRONG><SPAN>:</SPAN></P> <UL> <LI style="font-weight: 400;" aria-level="1"><SPAN>Configured under </SPAN><STRONG>Objects &gt; DoS Protection</STRONG><SPAN> and </SPAN><STRONG>Policies &gt; DoS Protection</STRONG><SPAN>.It is applied through </SPAN><STRONG>DoS Policies</STRONG><SPAN>, which match traffic using criteria like: </SPAN><I><SPAN>Source IP / Destination IP / Destination Zone / Service.</SPAN></I><I><SPAN><BR /><BR /></SPAN></I></LI> <LI style="font-weight: 400;" aria-level="1"><SPAN>It is evaluated </SPAN><STRONG>after security policy</STRONG><SPAN> allows traffic.</SPAN><SPAN><BR /><BR /></SPAN></LI> <LI style="font-weight: 400;" aria-level="1"><SPAN>There is an additional lookup involved in the process. DoS rules are applied </SPAN><STRONG>before</STRONG><SPAN> security policy lookup, but </SPAN><SPAN>after</SPAN><SPAN> destination Zone determination.</SPAN></LI> </UL> <P>&nbsp;</P> <P><STRONG>Protection modes:</STRONG></P> <OL> <LI style="font-weight: 400;" aria-level="1"><STRONG>Aggregate</STRONG><SPAN> – Controls the total rate of connections to a destination (e.g., to a public web server).</SPAN><SPAN><BR /><BR /></SPAN></LI> <LI style="font-weight: 400;" aria-level="1"><STRONG>Classified</STRONG><SPAN> – Controls rate </SPAN><STRONG>per source IP</STRONG><SPAN>, </SPAN><STRONG>per destination IP</STRONG><SPAN>, or </SPAN><STRONG>per source-destination pair</STRONG><SPAN> (useful for blocking distributed or targeted attacks).</SPAN></LI> </OL> <P>&nbsp;</P> <P><STRONG>Each profile includes:</STRONG></P> <UL> <LI style="font-weight: 400;" aria-level="1"><STRONG>Alarm Rate</STRONG><SPAN> – When to log the activity.</SPAN></LI> <LI style="font-weight: 400;" aria-level="1"><STRONG>Activate Rate</STRONG><SPAN> – When mitigation begins.</SPAN></LI> <LI style="font-weight: 400;" aria-level="1"><STRONG>Maximum Rate</STRONG><SPAN> – When the firewall drops all new connections.</SPAN><SPAN><BR /><BR /></SPAN></LI> </UL> <P><SPAN><STRONG>These are measured in:</STRONG></SPAN></P> <UL> <LI style="font-weight: 400;" aria-level="1"><STRONG>Connections per second (CPS)</STRONG><SPAN> for TCP/UDP/ICMP flood protection.</SPAN></LI> <LI style="font-weight: 400;" aria-level="1"><STRONG>Packets per second (PPS)</STRONG><SPAN> for packet-based attacks.</SPAN></LI> </UL> <P><SPAN><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Fig 2_Flood-Attacks_palo-alto-networks.jpg" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/68115i494F06505240CC46/image-size/large?v=v2&amp;px=999" role="button" title="Fig 2_Flood-Attacks_palo-alto-networks.jpg" alt="Fig 2_Flood-Attacks_palo-alto-networks.jpg" /></span></SPAN></P> <DIV id="tinyMceEditoremgarcia_1" class="mceNonEditable lia-copypaste-placeholder">&nbsp;</DIV> <P><LI-WRAPPER></LI-WRAPPER></P> <H3><STRONG>Best Practices</STRONG><SPAN>:</SPAN></H3> <P><SPAN>Although DoS Policy runs </SPAN><SPAN>after</SPAN><SPAN> Zone Protection, the thresholds should be configured aiming to activate the </SPAN><STRONG>DoS Rule before Zone Protection – so you can benefit from offloading the attacker IP to the HW Block List.&nbsp;</STRONG></P> <P>&nbsp;</P> <H3><STRONG>Always start with a Baseline</STRONG></H3> <UL> <LI style="font-weight: 400;" aria-level="1"><SPAN>Monitor </SPAN><STRONG>normal traffic</STRONG><SPAN> (CPS/PPS) to critical systems before applying limits.</SPAN></LI> <LI style="font-weight: 400;" aria-level="1"><SPAN>Use ACC or logging to analyze patterns and peak usage.</SPAN></LI> </UL> <P>&nbsp;</P> <H3><STRONG>Use Both Aggregate and Classified Profiles</STRONG></H3> <UL> <LI style="font-weight: 400;" aria-level="1"><STRONG>Aggregate</STRONG><SPAN> to protect servers from total overload.</SPAN></LI> <LI style="font-weight: 400;" aria-level="1"><STRONG>Classified</STRONG><SPAN> to stop single or multiple sources from flooding.</SPAN><SPAN><BR /><BR /></SPAN></LI> </UL> <H3><STRONG>Apply Only to Untrusted Zones or Critical Resources</STRONG></H3> <UL> <LI style="font-weight: 400;" aria-level="1"><SPAN>DoS policies are resource-intensive; apply them only where needed (e.g., public-facing services like web/mail servers).</SPAN></LI> </UL> <P>&nbsp;</P> <H3><STRONG>We Recommend to Use SYN Cookies or RED Mechanisms</STRONG></H3> <UL> <LI style="font-weight: 400;" aria-level="1"><SPAN>Enable </SPAN><STRONG>SYN cookies</STRONG><SPAN> to handle TCP floods.</SPAN></LI> <LI style="font-weight: 400;" aria-level="1"><SPAN>Use </SPAN><STRONG>Random Early Drop (RED)</STRONG><SPAN> to reduce the chance of false positives.</SPAN><SPAN><BR /><BR /></SPAN></LI> </UL> <H3><STRONG>Tune Thresholds Carefully</STRONG></H3> <UL> <LI style="font-weight: 400;" aria-level="1"><SPAN>Set thresholds </SPAN><STRONG>above your normal peak traffic</STRONG><SPAN>, but low enough to catch attacks early.</SPAN></LI> <LI style="font-weight: 400;" aria-level="1"><SPAN>Start in </SPAN><STRONG>"monitor" mode</STRONG><SPAN>, then move to </SPAN><STRONG>"block" mode</STRONG><SPAN> once confident.</SPAN><SPAN><BR /><BR /></SPAN></LI> </UL> <H3><STRONG>Log and Alert</STRONG></H3> <UL> <LI style="font-weight: 400;" aria-level="1"><SPAN>Consider </SPAN><STRONG>log drops and alerts</STRONG><SPAN> to help refine your tuning.</SPAN></LI> <LI style="font-weight: 400;" aria-level="1"><SPAN>Consider forwarding logs to SIEM for correlation –&nbsp; or better </SPAN><A href="https://www.paloaltonetworks.com/cyberpedia/what-is-extended-security-intelligence-and-automation-management-xsiam" target="_blank" rel="noopener"><SPAN>to XSIAM!</SPAN></A></LI> </UL> <P><STRONG><BR /></STRONG><STRONG>References</STRONG><SPAN>:</SPAN><A href="https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-admin/zone-protection-and-dos-protection/dos-protection-profiles" target="_blank" rel="noopener"><SPAN> DoS Protection</SPAN></A> <SPAN>&amp; </SPAN><A href="https://docs.paloaltonetworks.com/best-practices/dos-and-zone-protection-best-practices/dos-and-zone-protection-best-practices/deploy-dos-and-zone-protection-using-best-practices" target="_blank" rel="noopener"><SPAN>Best practices</SPAN></A></P> <P><SPAN><FONT color="#000000"><I>_________________________________________________________________________________________________</I></FONT></SPAN></P> <P>&nbsp;</P> <H2><FONT color="#000000"><STRONG>C. Packet Buffer Protection (PBP)</STRONG></FONT></H2> <P>&nbsp;</P> <H3><STRONG>Overview: What is Packet Buffer Protection?</STRONG></H3> <P><SPAN>Packet Buffer Protection (PBP) is a defense mechanism designed to safeguard the NGFWs against </SPAN><STRONG>single-session</STRONG><SPAN> Denial-of-Service (DoS) attacks that can overwhelm the firewall's packet buffer, leading to legitimate traffic being dropped. Unlike Zone Protection or DoS Protection policies that primarily focus on new sessions, </SPAN><STRONG>PBP targets existing sessions</STRONG><SPAN> and </SPAN><STRONG>operates both globally and at the zone level.</STRONG><SPAN>​</SPAN></P> <P>&nbsp;</P> <H3><STRONG>Key Components:</STRONG></H3> <P><STRONG>1. Global Packet Buffer Protection</STRONG></P> <UL> <LI style="font-weight: 400;" aria-level="1"><STRONG>Function</STRONG><SPAN>: Monitors overall packet buffer utilization across all zones.</SPAN><SPAN><BR /><BR /></SPAN></LI> <LI style="font-weight: 400;" aria-level="1"><STRONG>Mechanism</STRONG><SPAN>: When utilization reaches a configured "Activate" threshold, the firewall employs Random Early Drop (RED) to probabilistically drop packets from sessions consuming excessive buffer resources.</SPAN><SPAN><BR /><BR /></SPAN></LI> <LI style="font-weight: 400;" aria-level="1"><STRONG>Configuration</STRONG><SPAN>: Set under </SPAN><A href="https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/zone-protection-and-dos-protection/configure-zone-protection-to-increase-network-security/configure-packet-buffer-protection" target="_blank" rel="noopener"><I><SPAN>Device &gt; Setup &gt; Session Settings</SPAN></I></A><SPAN>.</SPAN></LI> </UL> <P>&nbsp;</P> <P><STRONG>2. Per-Zone Packet Buffer Protection</STRONG></P> <UL> <LI style="font-weight: 400;" aria-level="1"><STRONG>Function</STRONG><SPAN>: Adds a secondary layer of protection by monitoring buffer utilization within specific zones.</SPAN><SPAN><BR /><BR /></SPAN></LI> <LI style="font-weight: 400;" aria-level="1"><STRONG>Mechanism</STRONG><SPAN>: If RED is triggered globally and the offending session persists beyond a configured "Block Hold Time," the firewall can block the entire session or the source IP address for a defined "Block Duration."</SPAN><SPAN><BR /><BR /></SPAN></LI> <LI style="font-weight: 400;" aria-level="1"><STRONG>Configuration</STRONG><SPAN>: Enabled under </SPAN><A href="https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/zone-protection-and-dos-protection/zone-defense/packet-buffer-protection?utm_source=chatgpt.com" target="_blank" rel="noopener"><I><SPAN>Network &gt; Zones</SPAN></I><SPAN><BR /><BR /></SPAN></A></LI> </UL> <H3><STRONG>Two (2) Types of Packet Buffer Protection</STRONG></H3> <P><STRONG>A. Based on “Buffer Utilization”</STRONG></P> <UL> <LI style="font-weight: 400;" aria-level="1"><STRONG>Purpose</STRONG><SPAN>: Triggers protection mechanisms when packet buffer usage exceeds certain thresholds.</SPAN><SPAN><BR /><BR /></SPAN></LI> <LI style="font-weight: 400;" aria-level="1"><STRONG>Key Settings</STRONG><SPAN>:</SPAN><SPAN><BR /></SPAN></LI> <UL> <LI style="font-weight: 400;" aria-level="2"><STRONG>Alert (%)</STRONG><SPAN>: Threshold to generate alert logs (default: 50%).</SPAN><SPAN><BR /><BR /></SPAN></LI> <LI style="font-weight: 400;" aria-level="2"><STRONG>Activate (%)</STRONG><SPAN>: Threshold to initiate RED (default: 80%).</SPAN><SPAN><BR /><BR /></SPAN></LI> <LI style="font-weight: 400;" aria-level="2"><STRONG>Block Hold Time (sec)</STRONG><SPAN>: Duration before blocking an offending session (default: 60 seconds).</SPAN><SPAN><BR /><BR /></SPAN></LI> <LI style="font-weight: 400;" aria-level="2"><STRONG>Block Duration (sec)</STRONG><SPAN>: Time to block the session or IP (default: 3600 seconds.</SPAN><SPAN><BR /><BR /></SPAN></LI> </UL> </UL> <P><STRONG>B. Based on Latency (since PANOS 10)</STRONG></P> <UL> <LI style="font-weight: 400;" aria-level="1"><STRONG>Purpose</STRONG><SPAN>: Activates protection based on packet latency, which can indicate congestion even before buffer utilization thresholds are met.</SPAN></LI> </UL> <P>&nbsp;</P> <P><SPAN>Such packet buffer protection mitigates head-of-line blocking by alerting you to the congestion and performing random early drop (RED) on packets. Packet buffer protection based on latency can trigger the protection before latency-sensitive protocols or applications are affected.</SPAN><SPAN><BR /><BR /></SPAN></P> <UL> <LI style="font-weight: 400;" aria-level="1"><STRONG>Key Settings</STRONG><SPAN>:</SPAN><SPAN><BR /></SPAN></LI> <UL> <LI style="font-weight: 400;" aria-level="2"><STRONG>Latency Alert (ms)</STRONG><SPAN>: Threshold to generate alert logs (default: 50ms).</SPAN><SPAN><BR /><BR /></SPAN></LI> <LI style="font-weight: 400;" aria-level="2"><STRONG>Latency Activate (ms)</STRONG><SPAN>: Threshold to initiate RED (default: 200ms).</SPAN><SPAN><BR /><BR /></SPAN></LI> <LI style="font-weight: 400;" aria-level="2"><STRONG>Latency Max Tolerate (ms)</STRONG><SPAN>: Threshold where RED drops nearly all packets (default: 500ms).​</SPAN><SPAN><BR /><BR /></SPAN></LI> </UL> </UL> <H3><STRONG>Best Practices For PBP:</STRONG></H3> <UL> <LI style="font-weight: 400;" aria-level="1"><STRONG>Configuration</STRONG><SPAN>: We recommend enabling </SPAN><SPAN>both</SPAN><SPAN> PBP “per-zone” and also PBP “globally” (</SPAN><SPAN>Globally under </SPAN><I><SPAN>“Device &gt; Setup&gt; Session Settings </SPAN></I><STRONG><I>and</I></STRONG><I><SPAN> per zone under “Network &gt; Zones</SPAN></I><SPAN>” </SPAN><SPAN>)</SPAN><STRONG><BR /><BR /></STRONG></LI> <LI style="font-weight: 400;" aria-level="1"><STRONG>Baseline Monitoring</STRONG><SPAN>: Regularly monitor packet buffer utilization to establish normal operating thresholds.</SPAN><SPAN><BR /><BR /></SPAN></LI> <LI style="font-weight: 400;" aria-level="1"><STRONG>Threshold Tuning</STRONG><SPAN>: Adjust Alert and Activate thresholds based on observed traffic patterns.</SPAN><SPAN><BR /><BR /></SPAN></LI> <LI style="font-weight: 400;" aria-level="1"><STRONG>NAT Considerations</STRONG><SPAN>: Be cautious when applying IP-based blocking in environments using NAT, as multiple users might share the same IP address</SPAN><SPAN><BR /><BR /></SPAN></LI> </UL> <P><STRONG>References</STRONG><SPAN>:</SPAN></P> <UL> <LI style="font-weight: 400;" aria-level="1"><SPAN>&nbsp;</SPAN><A href="https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-admin/zone-protection-and-dos-protection/packet-buffer-protection" target="_self">Packet Buffer Protection</A><SPAN>&nbsp;&nbsp;</SPAN></LI> <LI style="font-weight: 400;" aria-level="1"><SPAN>&nbsp;</SPAN><A href="https://docs.paloaltonetworks.com/best-practices/dos-and-zone-protection-best-practices/dos-and-zone-protection-best-practices/deploy-dos-and-zone-protection-using-best-practices" target="_blank" rel="noopener"><SPAN>Best Practices</SPAN></A></LI> </UL> <P><SPAN><FONT color="#000000"><I>_________________________________________________________________________________________________</I></FONT></SPAN></P> <P>&nbsp;</P> <H1><FONT color="#FF6600"><STRONG>Part 2 - Troubleshooting Flood Attacks</STRONG></FONT></H1> <BR /> <P><SPAN>This second part focuses on providing a </SPAN><STRONG>high-level workflow</STRONG><SPAN> that an NGFW Admin can use to troubleshoot Flood Attacks&nbsp; – and at the end, a list of </SPAN><STRONG>valuable CLI Commands</STRONG><SPAN> that they can refer to find the root cause and mitigate the impact.</SPAN></P> <BR /> <H3><STRONG>A - “7-Step” Flood Attack Troubleshooting Workflow:</STRONG></H3> <P><SPAN>This workflow is a living document, feel free to add extra steps!</SPAN></P> <P>&nbsp;</P> <P><STRONG>1. Identify Symptoms:</STRONG></P> <UL> <LI style="font-weight: 400;" aria-level="1"><SPAN>Like High CPU usage, elevated session counts, or unusual traffic spikes.</SPAN></LI> <LI style="font-weight: 400;" aria-level="1"><SPAN>Increased latency or degraded application performance.</SPAN></LI> <LI style="font-weight: 400;" aria-level="1"><SPAN>Dropped connections or connection resets.</SPAN></LI> <LI style="font-weight: 400;" aria-level="1"><SPAN>Alerts from Panorama, SNMP monitoring tools, or Strata Cloud Manager.</SPAN></LI> <LI style="font-weight: 400;" aria-level="1"><SPAN>End users reporting intermittent access or denial of service, etc.</SPAN><SPAN><BR /><BR /></SPAN></LI> </UL> <P><STRONG>2. Check Counters and Logs (CLI &amp; GUI)</STRONG></P> <UL> <LI style="font-weight: 400;" aria-level="1"><SPAN>Start setting up basic capture filters: run </SPAN><I><SPAN>"</SPAN></I><STRONG><I>show counter global filter delta yes | match drop</I></STRONG><I><SPAN>"</SPAN></I><SPAN> to see what's causing packets to be drop; It should look like this:</SPAN></LI> </UL> <BR /> <P><SPAN>name &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; value &nbsp; &nbsp; rate severity&nbsp; category&nbsp; aspect&nbsp; &nbsp; description</SPAN></P> <P><SPAN>-----------------------------------------------------------------------------------</SPAN></P> <P><SPAN>flow_dos_red_tcp &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 1&nbsp; &nbsp; &nbsp; &nbsp; 0 drop&nbsp; &nbsp; &nbsp; flow&nbsp; &nbsp; &nbsp; dos &nbsp; &nbsp; &nbsp; Packets dropped: Zone protection protocol 'tcp-syn' RED</SPAN></P> <P><SPAN>flow_dos_rule_drop &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 1&nbsp; &nbsp; &nbsp; &nbsp; 0 drop&nbsp; &nbsp; &nbsp; flow&nbsp; &nbsp; &nbsp; dos &nbsp; &nbsp; &nbsp; Packets dropped: Rate limited or IP blocked</SPAN></P> <P><SPAN>flow_dos_rule_drop_aggr&nbsp; &nbsp; &nbsp; &nbsp; 1&nbsp; &nbsp; &nbsp; &nbsp; 0 drop&nbsp; &nbsp; &nbsp; flow&nbsp; &nbsp; &nbsp; dos &nbsp; &nbsp; &nbsp; Packets dropped: due to aggregate rate limiting</SPAN></P> <P><SPAN>flow_dos_rule_ag_red_act &nbsp; &nbsp; &nbsp; 1&nbsp; &nbsp; &nbsp; &nbsp; 0 drop&nbsp; &nbsp; &nbsp; flow&nbsp; &nbsp; &nbsp; dos &nbsp; &nbsp; &nbsp; Packets dropped: Activate aggregate RED threshold reached, random early drop</SPAN></P> <P><SPAN>flow_dos_rule_match&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 1&nbsp; &nbsp; &nbsp; &nbsp; 0 info&nbsp; &nbsp; &nbsp; flow&nbsp; &nbsp; &nbsp; dos &nbsp; &nbsp; &nbsp; Packets matched DoS policy</SPAN></P> <BR /> <UL> <LI style="font-weight: 400;" aria-level="1"><STRONG>On GUI: Monitor &gt; Logs &gt; Threat</STRONG><SPAN> → filter: </SPAN><SPAN>(subtype eq flood)</SPAN></LI> <LI style="font-weight: 400;" aria-level="1"><SPAN>Review type (ZPP, DoS, PBP), action (drop, reset, block)</SPAN></LI> </UL> <BR /> <P><STRONG>3. Validate Zone Protection (ZPP) configuration</STRONG></P> <UL> <LI style="font-weight: 400;" aria-level="1"><STRONG>GUI</STRONG><SPAN>: Network &gt; Zones &gt; Zone Protection Profile</SPAN></LI> <LI style="font-weight: 400;" aria-level="1"><STRONG>CLI</STRONG><SPAN>:</SPAN></LI> </UL> <P><SPAN><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Fig 3_Flood-Attacks_palo-alto-networks.jpg" style="width: 620px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/68116i3457DE06CE8813DD/image-dimensions/620x180?v=v2" width="620" height="180" role="button" title="Fig 3_Flood-Attacks_palo-alto-networks.jpg" alt="Fig 3_Flood-Attacks_palo-alto-networks.jpg" /></span></SPAN></P> <H4><STRONG>4. Validate DoS Protection (DoSP)</STRONG></H4> <UL> <LI style="font-weight: 400;" aria-level="1"><STRONG>GUI</STRONG><SPAN>: Policies &gt; DoS Protection &amp; Objects &gt; DoS Protection Profiles</SPAN></LI> <LI style="font-weight: 400;" aria-level="1"><STRONG>CLI</STRONG><SPAN>:</SPAN></LI> </UL> <span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Fig 4_Flood-Attacks_palo-alto-networks.jpg" style="width: 621px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/68117i0DDBD538AD3E0225/image-dimensions/621x178?v=v2" width="621" height="178" role="button" title="Fig 4_Flood-Attacks_palo-alto-networks.jpg" alt="Fig 4_Flood-Attacks_palo-alto-networks.jpg" /></span><BR /> <H4><STRONG>5. Validate Packet Buffer Protection (PBP)</STRONG></H4> <UL> <LI style="font-weight: 400;" aria-level="1"><STRONG>CLI</STRONG><SPAN>:</SPAN></LI> </UL> <P><SPAN><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Fig 5_Flood-Attacks_palo-alto-networks.jpg" style="width: 621px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/68118i0F9AA7DEB7C26C73/image-dimensions/621x205?v=v2" width="621" height="205" role="button" title="Fig 5_Flood-Attacks_palo-alto-networks.jpg" alt="Fig 5_Flood-Attacks_palo-alto-networks.jpg" /></span></SPAN></P> <P>&nbsp;</P> <P><STRONG><I>TIP: </I></STRONG><I><SPAN>&nbsp;Customers can enable PBP in </SPAN></I><STRONG><I>monitor Mode</I></STRONG><I><SPAN>; the FW won’t drop any traffic or block offenders but only monitors the traffic and figuring out aggressive sessions / sources.&nbsp;</SPAN></I></P> <BR /> <P><I><SPAN>i.e. No action is taken, only logging the offender in the “Threat logs” with the action “Alert” instead of “Drop” or “Block”.</SPAN></I></P> <BR /> <H4><STRONG>6. Identify Sources:</STRONG></H4> <P><SPAN>Pinpointing Source IPs in Flood Attacks can be challenging, for many reasons:</SPAN></P> <BR /> <UL> <LI style="font-weight: 400;" aria-level="1"><SPAN>Flood attacks may originate from </SPAN><STRONG>thousands of IPs simultaneously</STRONG><SPAN> (botnets).</SPAN></LI> <LI style="font-weight: 400;" aria-level="1"><SPAN>Many flood attacks (e.g. </SPAN><STRONG>UDP or ICMP floods</STRONG><SPAN>) are </SPAN><STRONG>stateless</STRONG><SPAN>, meaning no session is established.</SPAN></LI> <LI style="font-weight: 400;" aria-level="1"><SPAN>Since Palo Alto firewalls log most data at the </SPAN><STRONG>session level</STRONG><SPAN>, </SPAN><STRONG>non-session traffic often bypasses visibility</STRONG><SPAN> unless Zone Protection or custom packet captures are configured (No session = no log = hard to trace back).</SPAN></LI> <LI style="font-weight: 400;" aria-level="1"><SPAN>​​If </SPAN><STRONG>logging is not enabled</STRONG><SPAN> for flood detection (in ZPP or DoS Profiles), or if </SPAN><STRONG>packet captures</STRONG><SPAN> aren’t set up, there may simply be </SPAN><STRONG>no data</STRONG><SPAN> to analyze.</SPAN></LI> </UL> <BR /> <P><U><FONT color="#FF0000"><STRONG>If logs still don’t show source IP:</STRONG></FONT></U></P> <P>&nbsp;</P> <P><STRONG>A - Try Spotting “ Traffic Anomalies” with Panorama ACC</STRONG> <SPAN>(or another traffic monitoring tool)</SPAN></P> <P><SPAN>Widgets like "</SPAN><I><SPAN>Top Applications</SPAN></I><SPAN>," "T</SPAN><I><SPAN>op Source IPs,</SPAN></I><SPAN>" and "</SPAN><I><SPAN>Top Sessions</SPAN></I><SPAN>" can highlight sudden spikes in traffic:</SPAN><SPAN><BR /></SPAN><SPAN><BR /></SPAN><SPAN>A flood attack might show up as:</SPAN></P> <UL> <LI style="font-weight: 400;" aria-level="1"><SPAN>One or more IPs with </SPAN><STRONG>abnormally high session counts</STRONG></LI> <LI style="font-weight: 400;" aria-level="1"><SPAN>High volumes of </SPAN><STRONG>UDP, ICMP, or unknown traffic</STRONG></LI> <LI style="font-weight: 400;" aria-level="1"><SPAN>Traffic to/from a target resource that’s much higher than baseline</SPAN></LI> </UL> <BR /> <P><STRONG>B - Perform Packet Captures</STRONG><SPAN>:</SPAN></P> <P><SPAN>​​Packet captures are extremely powerful for diagnosing network issues — but in the context of flood attacks, they’re often used as a last resort – for example when </SPAN><STRONG>Logs are</STRONG> <STRONG>inconclusive</STRONG><SPAN> or don’t show source IPs or when you suspect </SPAN><STRONG>internal traffic</STRONG><SPAN> or </SPAN><STRONG>east-west floods</STRONG><SPAN>.</SPAN></P> <UL> <LI style="font-weight: 400;" aria-level="2"><SPAN>Use basic filters or run unfiltered captures for ~30s to sample traffic</SPAN></LI> <LI style="font-weight: 400;" aria-level="2"><SPAN>Then, try to identify patterns in flood traffic or sources</SPAN></LI> </UL> <P>&nbsp;</P> <P><A href="https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-admin/monitoring/take-packet-captures" target="_blank" rel="noopener"><SPAN>How to Take Packet Captures</SPAN></A></P> </DIV> <DIV class="lia-message-template-content-zone">&nbsp;</DIV> <H4 class="lia-message-template-content-zone"><STRONG>7. Stopping the Flood:</STRONG></H4> <P class="lia-message-template-content-zone"><STRONG>As an immediate response</STRONG><SPAN>: once the Source IP/IPs of the Flood have been flagged, apply a </SPAN><STRONG>Security Policy Rule</STRONG><SPAN> to block it.</SPAN></P> <P class="lia-message-template-content-zone">&nbsp;</P> <P class="lia-message-template-content-zone"><STRONG>Longer term preventative actions:</STRONG></P> <UL> <LI style="font-weight: 400;" aria-level="1"><SPAN>Review ZPP, DoSP &amp; PBP profiles and configurations</SPAN></LI> <LI style="font-weight: 400;" aria-level="1"><SPAN>Review thresholds, best practices and keep monitoring</SPAN></LI> </UL> <P>&nbsp;</P> <H3 class="lia-message-template-content-zone"><STRONG>B - Useful commands </STRONG><STRONG>during time of Issue&nbsp;</STRONG></H3> <P class="lia-message-template-content-zone"><LI-WRAPPER>&nbsp;</LI-WRAPPER></P> <H4><STRONG>1.&nbsp;Useful Global Counters</STRONG></H4> <P><FONT face="courier new,courier" color="#008000"><STRONG>flow_dos_pbp_drop</STRONG></FONT></P> <UL> <LI style="font-weight: 400;" aria-level="1"><STRONG>What it Tracks</STRONG><SPAN>: Increments </SPAN><STRONG>for each packet</STRONG><SPAN> dropped by </SPAN><STRONG>Random Early Drop (RED)</STRONG><SPAN> due to </SPAN><STRONG>Packet Buffer Protection</STRONG><SPAN>.</SPAN><SPAN><BR /><BR /></SPAN></LI> <LI style="font-weight: 400;" aria-level="1"><STRONG>Use Case</STRONG><SPAN>: Indicates </SPAN><STRONG>RED-based PBP is active</STRONG><SPAN> and throttling sessions based on buffer thresholds.</SPAN><SPAN><BR /><BR /></SPAN></LI> <LI style="font-weight: 400;" aria-level="1"><STRONG>Interpretation</STRONG><SPAN>: A high value here means the system is under buffer stress, and RED is actively dropping aggressive session traffic.</SPAN><SPAN><BR /></SPAN></LI> </UL> <P class="lia-message-template-content-zone"><SPAN><FONT color="#000000"><I>_________________________________________________________________________________________________</I></FONT></SPAN></P> <P class="lia-message-template-content-zone"><BR /><STRONG>&nbsp;</STRONG><FONT face="courier new,courier" color="#008000"><STRONG>flow_dos_pbp_block_session</STRONG></FONT> <STRONG><I>(PAN-OS 10.0+ only)</I></STRONG></P> <UL> <LI style="font-weight: 400;" aria-level="1"><STRONG>What it Tracks</STRONG><SPAN>: Increments </SPAN><STRONG>once per session</STRONG><SPAN> that is </SPAN><STRONG>terminated and blocked</STRONG><SPAN> by PBP.</SPAN><SPAN><BR /><BR /></SPAN></LI> <LI style="font-weight: 400;" aria-level="1"><STRONG>Use Case</STRONG><SPAN>: Tracks </SPAN><STRONG>escalated action</STRONG><SPAN> where a session exceeded thresholds even after RED, triggering a session block.</SPAN><SPAN><BR /><BR /></SPAN></LI> <LI style="font-weight: 400;" aria-level="1"><STRONG>Interpretation</STRONG><SPAN>: Reflects </SPAN><STRONG>next-tier PBP mitigation</STRONG><SPAN> beyond simple packet drops.</SPAN><SPAN><BR /></SPAN></LI> </UL> <P><SPAN><FONT color="#000000"><I>_________________________________________________________________________________________________</I></FONT></SPAN></P> <P>&nbsp;</P> <P><FONT face="courier new,courier" color="#008000"><STRONG>flow_dos_pbp_block_host</STRONG></FONT> <STRONG><I>(PAN-OS 10.0+ only)</I></STRONG></P> <UL> <LI style="font-weight: 400;" aria-level="1"><STRONG>What it Tracks</STRONG><SPAN>: Increments </SPAN><STRONG>once per host</STRONG><SPAN> (source IP) that gets </SPAN><STRONG>placed in the block list</STRONG><SPAN> due to sustained buffer abuse.</SPAN><SPAN><BR /><BR /></SPAN></LI> <LI style="font-weight: 400;" aria-level="1"><STRONG>Use Case</STRONG><SPAN>: Useful for identifying </SPAN><STRONG>aggressive clients or attackers</STRONG><SPAN> being temporarily banned.</SPAN><SPAN><BR /><BR /></SPAN></LI> <LI style="font-weight: 400;" aria-level="1"><STRONG>Interpretation</STRONG><SPAN>: You’re seeing enforcement of </SPAN><STRONG>block duration</STRONG><SPAN> per host at the PBP level.</SPAN><SPAN><BR /></SPAN></LI> </UL> <P class="lia-message-template-content-zone"><SPAN><FONT color="#000000"><I>_________________________________________________________________________________________________</I></FONT></SPAN><BR /><STRONG>&nbsp;</STRONG></P> <P class="lia-message-template-content-zone"><FONT face="courier new,courier" color="#008000"><STRONG>flow_dos_drop_ip_blocked</STRONG></FONT></P> <UL> <LI style="font-weight: 400;" aria-level="1"><STRONG>What it Tracks</STRONG><SPAN>: Increments </SPAN><STRONG>for each packet</STRONG><SPAN> dropped from </SPAN><STRONG>an IP that is currently blocked</STRONG><SPAN> (due to Zone Protection, DoS Policies, or PBP).</SPAN><SPAN><BR /><BR /></SPAN></LI> <LI style="font-weight: 400;" aria-level="1"><STRONG>Use Case</STRONG><SPAN>: Captures </SPAN><STRONG>ongoing traffic</STRONG><SPAN> from IPs that have been blocked.</SPAN><SPAN><BR /><BR /></SPAN></LI> <LI style="font-weight: 400;" aria-level="1"><STRONG>Interpretation</STRONG><SPAN>: High values may indicate an </SPAN><STRONG>attacker persisting</STRONG><SPAN> even after block rules kicked in.</SPAN></LI> </UL> <H4 class="lia-message-template-content-zone"><BR /><BR /><STRONG>2. Zone Protection (ZPP) Commands:</STRONG></H4> <P><FONT color="#008000"><STRONG>&gt; show zone-protection zone &lt;zone-name&gt;</STRONG></FONT></P> <UL> <LI style="font-weight: 400;" aria-level="1"><STRONG>Purpose</STRONG><SPAN>: Displays the </SPAN><STRONG>Zone Protection Profile</STRONG><SPAN> applied to a specific zone.</SPAN><SPAN><BR /><BR /></SPAN></LI> <LI style="font-weight: 400;" aria-level="1"><STRONG>Use case</STRONG><SPAN>: Verify which protections (flood, reconnaissance, packet-based) are active for a given zone.</SPAN><SPAN><BR /></SPAN></LI> </UL> <P><SPAN><FONT color="#000000"><I>_________________________________________________________________________________________________</I></FONT></SPAN></P> <P>&nbsp;</P> <P><FONT color="#008000"><STRONG>&gt; show counter global filter severity drop reason zone-protection</STRONG></FONT></P> <UL> <LI style="font-weight: 400;" aria-level="1"><STRONG>Purpose</STRONG><SPAN>: Displays </SPAN><STRONG>global drop counters</STRONG><SPAN> specific to Zone Protection activity.</SPAN><SPAN><BR /><BR /></SPAN></LI> <LI style="font-weight: 400;" aria-level="1"><STRONG>Use case</STRONG><SPAN>: Monitor packet drops caused by flood thresholds, port scans, malformed packets, etc.</SPAN><SPAN><BR /></SPAN></LI> </UL> <P class="lia-message-template-content-zone"><SPAN><FONT color="#000000"><I>_________________________________________________________________________________________________</I></FONT></SPAN></P> <P class="lia-message-template-content-zone">&nbsp;</P> <P><FONT color="#008000"><STRONG>&gt; show zone-protection flood stats zone &lt;zone-name&gt;</STRONG></FONT></P> <UL> <LI style="font-weight: 400;" aria-level="1"><STRONG>Purpose</STRONG><SPAN>: Provides detailed statistics for </SPAN><STRONG>flood protection</STRONG><SPAN> (SYN, ICMP, UDP) on a zone.</SPAN><SPAN><BR /><BR /></SPAN></LI> <LI style="font-weight: 400;" aria-level="1"><STRONG>Use case</STRONG><SPAN>: Identify flood patterns or confirm flood protection is being triggered.</SPAN><SPAN><BR /></SPAN></LI> </UL> <P><SPAN><FONT color="#000000"><I>_________________________________________________________________________________________________</I></FONT></SPAN></P> <P>&nbsp;</P> <P><FONT color="#008000"><STRONG>&gt; show zone-protection scan stats zone &lt;zone-name&gt;</STRONG></FONT></P> <UL> <LI style="font-weight: 400;" aria-level="1"><STRONG>Purpose</STRONG><SPAN>: Displays statistics for </SPAN><STRONG>reconnaissance protection</STRONG><SPAN> (e.g., port scans, host sweeps).</SPAN><SPAN><BR /><BR /></SPAN></LI> <LI style="font-weight: 400;" aria-level="1"><STRONG>Use case</STRONG><SPAN>: Monitor scanning activity and confirm Zone Protection is catching it.</SPAN><SPAN><BR /></SPAN></LI> </UL> <P><SPAN><FONT color="#000000"><I>_________________________________________________________________________________________________</I></FONT></SPAN></P> <P>&nbsp;</P> <P><FONT color="#008000"><STRONG>&gt; show zone-protection packet-stats zone &lt;zone-name&gt;</STRONG></FONT></P> <UL> <LI style="font-weight: 400;" aria-level="1"><STRONG>Purpose</STRONG><SPAN>: Displays statistics for </SPAN><STRONG>packet-based attack protection</STRONG><SPAN>, such as malformed TCP headers or IP spoofing.</SPAN><SPAN><BR /><BR /></SPAN></LI> <LI style="font-weight: 400;" aria-level="1"><STRONG>Use case</STRONG><SPAN>: Investigate dropped traffic due to protocol anomalies or attack signatures.</SPAN><SPAN><BR /></SPAN></LI> </UL> <P><SPAN><FONT color="#000000"><I>_________________________________________________________________________________________________</I></FONT></SPAN></P> <P>&nbsp;</P> <P><FONT color="#008000"><STRONG>&gt; debug dataplane packet-diag set log feature zone-protection on</STRONG></FONT></P> <UL> <LI style="font-weight: 400;" aria-level="1"><STRONG>Purpose</STRONG><SPAN>: Enables verbose logging of packets dropped due to Zone Protection.</SPAN><SPAN><BR /><BR /></SPAN></LI> <LI style="font-weight: 400;" aria-level="1"><STRONG>Use case</STRONG><SPAN>: Advanced debugging when you need packet-level visibility for drops.</SPAN></LI> </UL> <P class="lia-message-template-content-zone">&nbsp;</P> <H4 class="lia-message-template-content-zone"><BR /><STRONG>3. DOS Protection (DoSP) Commands:</STRONG></H4> <P><FONT color="#008000"><STRONG>&gt; show dos-block-table all</STRONG></FONT></P> <UL> <LI style="font-weight: 400;" aria-level="1"><STRONG>Purpose</STRONG><SPAN>: Shows all current </SPAN><STRONG>DoS blocked entries</STRONG><SPAN> (both software and hardware-enforced).</SPAN><SPAN><BR /><BR /></SPAN></LI> <LI style="font-weight: 400;" aria-level="1"><STRONG>Use case</STRONG><SPAN>: Identify which IPs or sessions are currently being blocked due to DoS thresholds.</SPAN></LI> </UL> <P><SPAN><FONT color="#000000"><I>_________________________________________________________________________________________________</I></FONT></SPAN></P> <P>&nbsp;</P> <P><FONT color="#008000"><STRONG>&gt; show dos-block-table software</STRONG></FONT></P> <UL> <LI style="font-weight: 400;" aria-level="1"><STRONG>Purpose</STRONG><SPAN>: Filters to show only </SPAN><STRONG>software-enforced blocks</STRONG><SPAN>.</SPAN><SPAN><BR /><BR /></SPAN></LI> <LI style="font-weight: 400;" aria-level="1"><STRONG>Use case</STRONG><SPAN>: See which blocks are handled by software (vs. hardware offload).</SPAN></LI> </UL> <P class="lia-message-template-content-zone"><SPAN><FONT color="#000000"><I>_________________________________________________________________________________________________</I></FONT></SPAN></P> <P class="lia-message-template-content-zone">&nbsp;</P> <P><FONT color="#008000"><STRONG>&gt; show dos-block-table hardware</STRONG></FONT></P> <UL> <LI style="font-weight: 400;" aria-level="1"><STRONG>Purpose</STRONG><SPAN>: Filters to show only </SPAN><STRONG>hardware-enforced blocks</STRONG><SPAN>.</SPAN><SPAN><BR /><BR /></SPAN></LI> <LI style="font-weight: 400;" aria-level="1"><STRONG>Use case</STRONG><SPAN>: Monitor hardware-accelerated DoS protection (on supported platforms)</SPAN></LI> </UL> <P><SPAN><FONT color="#000000"><I>_________________________________________________________________________________________________</I></FONT></SPAN></P> <P>&nbsp;</P> <P><FONT color="#008000"><STRONG>&gt; debug dataplane show dos block-table</STRONG></FONT></P> <UL> <LI style="font-weight: 400;" aria-level="1"><STRONG>Purpose</STRONG><SPAN>: Displays detailed, low-level view of the current DoS block table.</SPAN><SPAN><BR /><BR /></SPAN></LI> <LI style="font-weight: 400;" aria-level="1"><STRONG>Use case</STRONG><SPAN>: Deep dive into what’s blocked, by what rule, and for how long.</SPAN></LI> </UL> <P class="lia-message-template-content-zone"><SPAN><FONT color="#000000"><I>_________________________________________________________________________________________________</I></FONT></SPAN></P> <P class="lia-message-template-content-zone">&nbsp;</P> <P><FONT color="#008000"><STRONG>&gt; debug dataplane reset dos block-table</STRONG></FONT></P> <UL> <LI style="font-weight: 400;" aria-level="1"><STRONG>Purpose</STRONG><SPAN>: </SPAN><STRONG>Manually clears</STRONG><SPAN> all entries from the DoS block table.</SPAN><SPAN><BR /><BR /></SPAN></LI> <LI style="font-weight: 400;" aria-level="1"><STRONG>Use case</STRONG><SPAN>: Useful in lab testing or to quickly reset protections after a false positive.</SPAN></LI> </UL> <P><SPAN><FONT color="#000000"><I>_________________________________________________________________________________________________</I></FONT></SPAN></P> <P>&nbsp;</P> <P><FONT color="#008000"><STRONG>&gt; clear dos-protection zone &lt;zone&gt; blocked all</STRONG></FONT></P> <UL> <LI style="font-weight: 400;" aria-level="1"><STRONG>Purpose</STRONG><SPAN>: Clears all currently blocked IPs or sessions in a specific zone.</SPAN><SPAN><BR /><BR /></SPAN></LI> <LI style="font-weight: 400;" aria-level="1"><STRONG>Use case</STRONG><SPAN>: Reset per-zone DoS blocks without touching the global block table.</SPAN></LI> </UL> <P><SPAN><FONT color="#000000"><I>_________________________________________________________________________________________________</I></FONT></SPAN></P> <P>&nbsp;</P> <P><FONT color="#008000"><STRONG>&gt; clear dos-block-table-all</STRONG></FONT></P> <UL> <LI style="font-weight: 400;" aria-level="1"><STRONG>Purpose</STRONG><SPAN>: Clears </SPAN><STRONG>all entries</STRONG><SPAN> from both software and hardware DoS block tables.</SPAN><SPAN><BR /><BR /></SPAN></LI> <LI style="font-weight: 400;" aria-level="1"><STRONG>Use case</STRONG><SPAN>: Emergency cleanup — removes all DoS-enforced blocks.</SPAN></LI> </UL> <H4 class="lia-message-template-content-zone">&nbsp;</H4> <H4 class="lia-message-template-content-zone"><BR /><STRONG>4. Packet Buffer Protection (PBP) Commands:</STRONG></H4> <P><FONT color="#008000"><STRONG>&gt; show session packet-buffer-protection</STRONG></FONT></P> <UL> <LI style="font-weight: 400;" aria-level="1"><STRONG>Purpose</STRONG><SPAN>: Displays </SPAN><STRONG>current sessions being tracked</STRONG><SPAN> by Packet Buffer Protection.</SPAN><SPAN><BR /><BR /></SPAN></LI> <LI style="font-weight: 400;" aria-level="1"><STRONG>Use case</STRONG><SPAN>: See which sessions are considered aggressive or are causing buffer stress.</SPAN><SPAN><BR /></SPAN></LI> </UL> <P><SPAN><FONT color="#000000"><I>_________________________________________________________________________________________________</I></FONT></SPAN></P> <P>&nbsp;</P> <P><FONT color="#008000"><STRONG>&gt; show session packet-buffer-protection buffer-latency</STRONG></FONT></P> <UL> <LI style="font-weight: 400;" aria-level="1"><STRONG>Purpose</STRONG><SPAN>: Shows </SPAN><STRONG>latency measurements</STRONG><SPAN> associated with packet buffers.</SPAN><SPAN><BR /><BR /></SPAN></LI> <LI style="font-weight: 400;" aria-level="1"><STRONG>Use case</STRONG><SPAN>: Helps understand if latency thresholds are being exceeded (indicates potential congestion).</SPAN><SPAN><BR /></SPAN></LI> </UL> <P><SPAN><FONT color="#000000"><I>_________________________________________________________________________________________________</I></FONT></SPAN></P> <P>&nbsp;</P> <P><FONT color="#008000"><STRONG>&gt; show running resource-monitor ingress-backlogs</STRONG></FONT></P> <UL> <LI style="font-weight: 400;" aria-level="1"><STRONG>Purpose</STRONG><SPAN>: Provides statistics on </SPAN><STRONG>ingress queue backlog</STRONG><SPAN> in the firewall’s packet processing pipeline.</SPAN><SPAN><BR /><BR /></SPAN></LI> <LI style="font-weight: 400;" aria-level="1"><STRONG>Use case</STRONG><SPAN>: Useful to diagnose performance bottlenecks or delays at the ingress interface.</SPAN><SPAN><BR /></SPAN></LI> </UL> <P><SPAN><FONT color="#000000"><I>_________________________________________________________________________________________________</I></FONT></SPAN></P> <P>&nbsp;</P> <P><FONT color="#008000"><STRONG>&gt; debug dataplane pow performance</STRONG></FONT></P> <UL> <LI style="font-weight: 400;" aria-level="1"><STRONG>Purpose</STRONG><SPAN>: Displays </SPAN><STRONG>performance metrics</STRONG><SPAN> for packet processing in the dataplane.</SPAN><SPAN><BR /><BR /></SPAN></LI> <LI style="font-weight: 400;" aria-level="1"><STRONG>Use case</STRONG><SPAN>: General performance debugging — includes metrics related to buffer usage and session load.</SPAN></LI> </UL> <P class="lia-message-template-content-zone"><SPAN><FONT color="#000000"><I>_________________________________________________________________________________________________</I></FONT></SPAN></P> <P class="lia-message-template-content-zone"><BR /><FONT color="#008000"><STRONG>&gt; debug dataplane pow performance | match pbp</STRONG></FONT></P> <UL> <LI style="font-weight: 400;" aria-level="1"><STRONG>Purpose</STRONG><SPAN>: Filters output of the previous command to show </SPAN><STRONG>only Packet Buffer Protection-specific stats</STRONG><SPAN>.</SPAN></LI> </UL> <P>&nbsp;</P> <UL> <LI style="font-weight: 400;" aria-level="1"><SPAN><STRONG style="font-family: inherit;">Use case</STRONG><SPAN>: Focus on PBP-specific performance metrics for troubleshooting.</SPAN></SPAN></LI> </UL> <P>&nbsp;</P> Thu, 03 Jul 2025 06:12:18 GMT emgarcia 2025-07-03T06:12:18Z https://live.paloaltonetworks.com/t5/support-faq/support-faq-flood-attacks-configuration-amp-troubleshooting-best/ta-p/1232249 <P><SPAN>This&nbsp;guide is designed to help firewall admins effectively </SPAN><STRONG>understand</STRONG> <STRONG>flood attack prevention</STRONG><SPAN> and </SPAN><STRONG>troubleshoot</STRONG> <STRONG>flooding incidents</STRONG><SPAN> detected by Palo Alto Networks firewalls. Whether the event is triggered by </SPAN><STRONG><I>packet</I></STRONG> <STRONG><I>buffer protection (PBP)</I></STRONG><STRONG>, </STRONG><STRONG><I>Zone Protection (ZPP)</I></STRONG><STRONG>, or </STRONG><STRONG><I>DoS protection profiles (DoSP)</I></STRONG><SPAN>, this document provides guidance on how to identify the type of flood, determine the root cause, and take corrective &amp; preventive actions through “</SPAN><I><SPAN>Best Practices”.&nbsp;</SPAN></I></P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Title_Flood-Attacks_palo-alto-networks.jpg" style="width: 960px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/68121iE08D90C377DFBF28/image-size/large?v=v2&amp;px=999" role="button" title="Title_Flood-Attacks_palo-alto-networks.jpg" alt="Title_Flood-Attacks_palo-alto-networks.jpg" /></span></P> Thu, 03 Jul 2025 06:12:18 GMT https://live.paloaltonetworks.com/t5/support-faq/support-faq-flood-attacks-configuration-amp-troubleshooting-best/ta-p/1232249 emgarcia 2025-07-03T06:12:18Z https://live.paloaltonetworks.com/t5/support-faq/support-faq-flood-attacks-configuration-amp-troubleshooting-best/tac-p/1232698#M19 <DIV id="55326b9b1ab22310" class="conversation-container message-actions-hover-boundary ng-star-inserted"> <DIV class="response-container ng-tns-c2788162521-16 response-container-with-gpi ng-star-inserted"> <DIV class="presented-response-container ng-tns-c2788162521-16"> <DIV class="response-container-content ng-tns-c2788162521-16"> <DIV class="response-content ng-tns-c2788162521-16"> <DIV id="model-response-message-contentr_55326b9b1ab22310" class="markdown markdown-main-panel tutor-markdown-rendering enable-updated-hr-color" dir="ltr"> <P>This guide on flood attack prevention and troubleshooting for Palo Alto Networks firewalls is a lifesaver! The way it breaks down Zone Protection, DoS Protection, and Packet Buffer Protection, along with those invaluable troubleshooting steps and CLI commands, makes understanding and tackling these attacks so much more manageable. Seriously, this is a must-read for any firewall admin.</P> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> <DIV id="ec6cda64bd598bdd" class="conversation-container message-actions-hover-boundary ng-star-inserted"> <DIV class="user-query-container user-query-bubble-container ng-star-inserted"> <DIV id="user-query-content-1" class="query-content ng-star-inserted"> <DIV class="query-text gds-body-l collapsed" dir="ltr" role="heading" aria-level="2"> <P class="query-text-line ng-star-inserted">&nbsp;</P> </DIV> </DIV> </DIV> </DIV> Thu, 26 Jun 2025 18:02:03 GMT https://live.paloaltonetworks.com/t5/support-faq/support-faq-flood-attacks-configuration-amp-troubleshooting-best/tac-p/1232698#M19 jforsythe 2025-06-26T18:02:03Z https://live.paloaltonetworks.com/t5/support-faq/support-faq-flood-attacks-configuration-amp-troubleshooting-best/tac-p/1232738#M20 <P>This article is awesome !</P> <P>&nbsp;</P> <P>Those troubleshooting steps and commands are&nbsp;super helpful.</P> Fri, 27 Jun 2025 08:01:38 GMT https://live.paloaltonetworks.com/t5/support-faq/support-faq-flood-attacks-configuration-amp-troubleshooting-best/tac-p/1232738#M20 kiwi 2025-06-27T08:01:38Z https://live.paloaltonetworks.com/t5/support-faq/support-faq-flood-attacks-configuration-amp-troubleshooting-best/tac-p/1236150#M23 <P>This is great article</P> Mon, 18 Aug 2025 08:32:02 GMT https://live.paloaltonetworks.com/t5/support-faq/support-faq-flood-attacks-configuration-amp-troubleshooting-best/tac-p/1236150#M23 Vinod_Ola 2025-08-18T08:32:02Z