https://live.paloaltonetworks.com/t5/general-topics/sip-invite-method-request-flood-attempt/m-p/273625#M75057 <P>Hello&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/18719">@jdprovine</a>&nbsp;,</P><P>Its hard to say what it would have dne in the past. Threat prevent may catch it, but its further into the inspection process so it uses more CPU. Zone and DoS protection are your best options here, I think.</P><P>&nbsp;</P><P>Regards,</P> Thu, 27 Jun 2019 18:09:57 GMT OtakarKlier 2019-06-27T18:09:57Z https://live.paloaltonetworks.com/t5/general-topics/sip-invite-method-request-flood-attempt/m-p/273186#M75003 <P>I have recently been dealing with&nbsp;sip invite method request flood attempt show up not only in my threatsm but also making it impossible to make calls external or external to internal calls because its trying to call a number every 4 seconds and taking all my SIP connections available. Besides blocking it on the firewall and having the ISP deadroute the called or called number is there anything else I should do?</P> Wed, 26 Jun 2019 16:19:38 GMT https://live.paloaltonetworks.com/t5/general-topics/sip-invite-method-request-flood-attempt/m-p/273186#M75003 jdprovine 2019-06-26T16:19:38Z https://live.paloaltonetworks.com/t5/general-topics/sip-invite-method-request-flood-attempt/m-p/273194#M75005 <P>Hello,</P><P>I would setup Zone and DoS protection profiles.</P><P>&nbsp;</P><P><A href="https://docs.paloaltonetworks.com/best-practices/8-1/dos-and-zone-protection-best-practices/dos-and-zone-protection-best-practices.html" target="_blank">https://docs.paloaltonetworks.com/best-practices/8-1/dos-and-zone-protection-best-practices/dos-and-zone-protection-best-practices.html</A></P><P>&nbsp;</P><P>Regards,</P> Wed, 26 Jun 2019 17:12:43 GMT https://live.paloaltonetworks.com/t5/general-topics/sip-invite-method-request-flood-attempt/m-p/273194#M75005 OtakarKlier 2019-06-26T17:12:43Z https://live.paloaltonetworks.com/t5/general-topics/sip-invite-method-request-flood-attempt/m-p/273207#M75012 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/18719">@jdprovine</a>,</P><P>A DoS Protection Policy as mentioned by&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/27580">@OtakarKlier</a>&nbsp;is probably the best solution to go for something like this, but will involve a fair bit of tuning to get everything to play nice.&nbsp;</P> Wed, 26 Jun 2019 18:26:09 GMT https://live.paloaltonetworks.com/t5/general-topics/sip-invite-method-request-flood-attempt/m-p/273207#M75012 BPry 2019-06-26T18:26:09Z https://live.paloaltonetworks.com/t5/general-topics/sip-invite-method-request-flood-attempt/m-p/273624#M75056 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/43480">@BPry</a>&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/27580">@OtakarKlier</a>&nbsp;</P><P>At the least I can block it through the threat prevention, but I don't know how it works, and it appears to started back when they put in the sip trunks last June. Shouldn't it be causing issues all the time with the phones?</P> Thu, 27 Jun 2019 18:04:47 GMT https://live.paloaltonetworks.com/t5/general-topics/sip-invite-method-request-flood-attempt/m-p/273624#M75056 jdprovine 2019-06-27T18:04:47Z https://live.paloaltonetworks.com/t5/general-topics/sip-invite-method-request-flood-attempt/m-p/273625#M75057 <P>Hello&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/18719">@jdprovine</a>&nbsp;,</P><P>Its hard to say what it would have dne in the past. Threat prevent may catch it, but its further into the inspection process so it uses more CPU. Zone and DoS protection are your best options here, I think.</P><P>&nbsp;</P><P>Regards,</P> Thu, 27 Jun 2019 18:09:57 GMT https://live.paloaltonetworks.com/t5/general-topics/sip-invite-method-request-flood-attempt/m-p/273625#M75057 OtakarKlier 2019-06-27T18:09:57Z https://live.paloaltonetworks.com/t5/general-topics/sip-invite-method-request-flood-attempt/m-p/273691#M75071 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/18719">@jdprovine</a>,</P><P>It probably has simply got to a point where the additonal load caused by this flood, and actual line of business calls, have forced you to cross your CCP limit imposed on the trunk. As long as you didn't cross your CCP limit you likely would have never thought to look at the logs to notice the issue in the first place.&nbsp;</P> Thu, 27 Jun 2019 21:27:27 GMT https://live.paloaltonetworks.com/t5/general-topics/sip-invite-method-request-flood-attempt/m-p/273691#M75071 BPry 2019-06-27T21:27:27Z