https://live.paloaltonetworks.com/t5/general-topics/dos-protection-logs/m-p/50005#M36798 <HTML><HEAD></HEAD><BODY><P>If you have a DoS policy setup with both an aggregate and a classified DoS profile to protect a webserver and you see flood logs in the Threat Tab.. is it possible to tell whether or not the flood matched on the aggregate or the classifed DoS profile while splitting those into two separate DoS policies?</P></BODY></HTML> Thu, 14 Aug 2014 18:40:05 GMT SDorsey 2014-08-14T18:40:05Z https://live.paloaltonetworks.com/t5/general-topics/dos-protection-logs/m-p/50005#M36798 <HTML><HEAD></HEAD><BODY><P>If you have a DoS policy setup with both an aggregate and a classified DoS profile to protect a webserver and you see flood logs in the Threat Tab.. is it possible to tell whether or not the flood matched on the aggregate or the classifed DoS profile while splitting those into two separate DoS policies?</P></BODY></HTML> Thu, 14 Aug 2014 18:40:05 GMT https://live.paloaltonetworks.com/t5/general-topics/dos-protection-logs/m-p/50005#M36798 SDorsey 2014-08-14T18:40:05Z https://live.paloaltonetworks.com/t5/general-topics/dos-protection-logs/m-p/50006#M36799 <HTML><HEAD></HEAD><BODY><P>Mackwage,</P><P></P><P>Threat logs for Flood will show the attacker IP address if generated by the Classified policy/rule and will show 0.0.0.0 as the attacker IP address if generated by an Aggregate policy/rule.</P><P></P><P>Phil</P></BODY></HTML> Sat, 16 Aug 2014 23:42:53 GMT https://live.paloaltonetworks.com/t5/general-topics/dos-protection-logs/m-p/50006#M36799 HITSSEC 2014-08-16T23:42:53Z