https://live.paloaltonetworks.com/t5/general-topics/incomplete-and-ddos-drops/m-p/76951#M42471 <P>Hi</P> <P>The following report shows incomplete</P> <P>Database: Traffic Log<BR />Columns: Source Zone, Source Address, Source Port, Destination Zone, Destination Address, Destination Port,<BR />Application, Bytes<BR />Query Builder: (app eq incomplete) and (port.dst leq 1023)</P> <P>but the " show counter global filter category flow aspect dos " <BR />does not give any indication of drops</P> <P>&nbsp;</P> <TABLE width="1228"> <TBODY> <TR> <TD width="324">name</TD> <TD width="64">value</TD> <TD width="64">rate</TD> <TD width="64">severity</TD> <TD width="64">category</TD> <TD width="64">aspect</TD> <TD width="77">description</TD> <TD width="64">&nbsp;</TD> <TD width="443">&nbsp;</TD> </TR> <TR> <TD>flow_dos_red_tcp</TD> <TD>1143291</TD> <TD>0</TD> <TD>drop</TD> <TD>flow</TD> <TD>dos</TD> <TD>Packets</TD> <TD>dropped:</TD> <TD>Zone protection protocol 'tcp-syn' RED</TD> </TR> <TR> <TD>flow_dos_pf_ipfrag</TD> <TD>60010</TD> <TD>0</TD> <TD>drop</TD> <TD>flow</TD> <TD>dos</TD> <TD>Packets</TD> <TD>dropped:</TD> <TD>Zone protection option 'discard-ip-frag'</TD> </TR> <TR> <TD>flow_dos_pf_icmplpkt</TD> <TD>1100</TD> <TD>0</TD> <TD>drop</TD> <TD>flow</TD> <TD>dos</TD> <TD>Packets</TD> <TD>dropped:</TD> <TD>Zone protection option 'discard-icmp-large-packet'</TD> </TR> <TR> <TD>flow_dos_pf_tcpoverlappingmismatch</TD> <TD>21198</TD> <TD>0</TD> <TD>drop</TD> <TD>flow</TD> <TD>dos</TD> <TD>Packets</TD> <TD>dropped:</TD> <TD>Zone protection option 'discard-overlapping-tcp-segment-mismatch'</TD> </TR> <TR> <TD>flow_dos_zone_red_max</TD> <TD>446965</TD> <TD>0</TD> <TD>drop</TD> <TD>flow</TD> <TD>dos</TD> <TD>Packets</TD> <TD>dropped:</TD> <TD>Maximal zone RED threshold reached</TD> </TR> <TR> <TD>flow_dos_zone_red_act</TD> <TD>696326</TD> <TD>0</TD> <TD>drop</TD> <TD>flow</TD> <TD>dos</TD> <TD>Packets</TD> <TD>dropped:</TD> <TD>Activate zone RED threshold reached, random early drop</TD> </TR> <TR> <TD>flow_dos_rule_drop</TD> <TD>412022</TD> <TD>0</TD> <TD>drop</TD> <TD>flow</TD> <TD>dos</TD> <TD>Packets</TD> <TD>dropped:</TD> <TD>Rate limited or IP blocked</TD> </TR> <TR> <TD>flow_dos_rule_drop_classified</TD> <TD>412022</TD> <TD>0</TD> <TD>drop</TD> <TD>flow</TD> <TD>dos</TD> <TD>Packets</TD> <TD>dropped:</TD> <TD>due to classified rate limiting</TD> </TR> <TR> <TD>&nbsp;</TD> <TD>&nbsp;</TD> <TD>&nbsp;</TD> <TD>&nbsp;</TD> <TD>&nbsp;</TD> <TD>&nbsp;</TD> <TD>&nbsp;</TD> <TD>&nbsp;</TD> <TD>&nbsp;</TD> </TR> </TBODY> </TABLE> <P>&nbsp;</P> <P><BR />So how can i co-relate ?</P> <P>Thanks</P> <P>&nbsp;</P> Sun, 24 Apr 2016 09:59:27 GMT sib2017 2016-04-24T09:59:27Z https://live.paloaltonetworks.com/t5/general-topics/incomplete-and-ddos-drops/m-p/76951#M42471 <P>Hi</P> <P>The following report shows incomplete</P> <P>Database: Traffic Log<BR />Columns: Source Zone, Source Address, Source Port, Destination Zone, Destination Address, Destination Port,<BR />Application, Bytes<BR />Query Builder: (app eq incomplete) and (port.dst leq 1023)</P> <P>but the " show counter global filter category flow aspect dos " <BR />does not give any indication of drops</P> <P>&nbsp;</P> <TABLE width="1228"> <TBODY> <TR> <TD width="324">name</TD> <TD width="64">value</TD> <TD width="64">rate</TD> <TD width="64">severity</TD> <TD width="64">category</TD> <TD width="64">aspect</TD> <TD width="77">description</TD> <TD width="64">&nbsp;</TD> <TD width="443">&nbsp;</TD> </TR> <TR> <TD>flow_dos_red_tcp</TD> <TD>1143291</TD> <TD>0</TD> <TD>drop</TD> <TD>flow</TD> <TD>dos</TD> <TD>Packets</TD> <TD>dropped:</TD> <TD>Zone protection protocol 'tcp-syn' RED</TD> </TR> <TR> <TD>flow_dos_pf_ipfrag</TD> <TD>60010</TD> <TD>0</TD> <TD>drop</TD> <TD>flow</TD> <TD>dos</TD> <TD>Packets</TD> <TD>dropped:</TD> <TD>Zone protection option 'discard-ip-frag'</TD> </TR> <TR> <TD>flow_dos_pf_icmplpkt</TD> <TD>1100</TD> <TD>0</TD> <TD>drop</TD> <TD>flow</TD> <TD>dos</TD> <TD>Packets</TD> <TD>dropped:</TD> <TD>Zone protection option 'discard-icmp-large-packet'</TD> </TR> <TR> <TD>flow_dos_pf_tcpoverlappingmismatch</TD> <TD>21198</TD> <TD>0</TD> <TD>drop</TD> <TD>flow</TD> <TD>dos</TD> <TD>Packets</TD> <TD>dropped:</TD> <TD>Zone protection option 'discard-overlapping-tcp-segment-mismatch'</TD> </TR> <TR> <TD>flow_dos_zone_red_max</TD> <TD>446965</TD> <TD>0</TD> <TD>drop</TD> <TD>flow</TD> <TD>dos</TD> <TD>Packets</TD> <TD>dropped:</TD> <TD>Maximal zone RED threshold reached</TD> </TR> <TR> <TD>flow_dos_zone_red_act</TD> <TD>696326</TD> <TD>0</TD> <TD>drop</TD> <TD>flow</TD> <TD>dos</TD> <TD>Packets</TD> <TD>dropped:</TD> <TD>Activate zone RED threshold reached, random early drop</TD> </TR> <TR> <TD>flow_dos_rule_drop</TD> <TD>412022</TD> <TD>0</TD> <TD>drop</TD> <TD>flow</TD> <TD>dos</TD> <TD>Packets</TD> <TD>dropped:</TD> <TD>Rate limited or IP blocked</TD> </TR> <TR> <TD>flow_dos_rule_drop_classified</TD> <TD>412022</TD> <TD>0</TD> <TD>drop</TD> <TD>flow</TD> <TD>dos</TD> <TD>Packets</TD> <TD>dropped:</TD> <TD>due to classified rate limiting</TD> </TR> <TR> <TD>&nbsp;</TD> <TD>&nbsp;</TD> <TD>&nbsp;</TD> <TD>&nbsp;</TD> <TD>&nbsp;</TD> <TD>&nbsp;</TD> <TD>&nbsp;</TD> <TD>&nbsp;</TD> <TD>&nbsp;</TD> </TR> </TBODY> </TABLE> <P>&nbsp;</P> <P><BR />So how can i co-relate ?</P> <P>Thanks</P> <P>&nbsp;</P> Sun, 24 Apr 2016 09:59:27 GMT https://live.paloaltonetworks.com/t5/general-topics/incomplete-and-ddos-drops/m-p/76951#M42471 sib2017 2016-04-24T09:59:27Z https://live.paloaltonetworks.com/t5/general-topics/incomplete-and-ddos-drops/m-p/77110#M42530 <P>Incomplete does not mean that your firewall dropped it.</P> <P>For example if you try to connect to website and this website is down then client PC in your network will send SYN packet.</P> <P>As website is down then no SYN-ACK will follow and TCP 3-way handshake is incomplete.</P> <P>That will be logged as application.</P> <P>&nbsp;</P> <P>If you open session then most likely you see "1 packet sent, 0 packet received"</P> Wed, 27 Apr 2016 11:37:37 GMT https://live.paloaltonetworks.com/t5/general-topics/incomplete-and-ddos-drops/m-p/77110#M42530 Raido_Rattameister 2016-04-27T11:37:37Z