topic Re: Why I see no logs for DoS policies in General Topics

Why I see no logs for DoS policies

raji_toor — Thu, 25 Feb 2021 16:19:05 GMT

I am testing DoS policies and have alarm rate set as 1. I did not intend to be that low but I was not seeing logs under monitor for a server that is continuously used. There are flood logs from Zone Protection and they use a different log forwarding profile for easy differentiation.

DOS policy

Aggregate and classified profiles used in policy

Re: Why I see no logs for DoS policies

jdelio — Thu, 25 Feb 2021 19:11:22 GMT

Here is some information that may help..

Global Counters for DoS Activity Monitoring
To supplement the Threat event logs for Zone and DoS protection, the following CLI commands can provide additional
information in the form of global counters and session count information to help identify DoS activity.
>show counter global name ? Lists all global counters
>show counter global filter aspect dos List all global counters with active DoS aspect values

Counter Aspects
PAN-OS allows filtering of the Global Counters by category, aspect, and severity to make it easy to pull the relevant
counters for review. Counters of interest that are related to Zone and DoS protection include:
Category: Flow Aspect: dos
Category: Flow Aspect: parse
Category: Flow Aspect: ipfrag

Example of CLI command to extract Flow counters with a DoS aspect:
>show counter global filter category flow aspect dos

Re: Why I see no logs for DoS policies

raji_toor — Thu, 25 Feb 2021 19:54:40 GMT

@jdelio I checked and as you can see below on setting the filter to that IP i can see Syn cookies are sent. But why does it not show in logs is my problem. I know its not much but its still higher than alarm rate of 1 and should show in threat logs as cookie sent.

---------------------------------------------

debug dataplane packet-diag set filter match destination X.X.X.X

debug dataplane packet-diag set filter on

---------------------------------------------

show counter global filter delta yes packet-filter yes aspect dos

Global counters:
Elapsed time since last sampling: 7.374 seconds

name value rate severity category aspect description
--------------------------------------------------------------------------------
flow_dos_syncookie_cookie_sent 16 1 info flow dos TCP SYN cookies: cookies sent, aggregate profile/zone
flow_dos_syncookie_ack_rcv 25 1 info flow dos TCP SYN cookies: ACKs to cookies received, aggregate profile/zone
flow_dos_cl_syncookie_ack_rcv 4 0 info flow dos TCP SYN cookies: ACKs to cookies received, classified profile
flow_dos_rule_allow_under_rate 78 6 info flow dos Packets allowed: Rate within thresholds of DoS policy
flow_dos_rule_match 78 6 info flow dos Packets matched DoS policy
flow_dos_ag_curr_sess_add_incr 12 0 info flow dos Incremented aggregate current session count on session create
flow_dos_cl_curr_sess_add_incr 12 0 info flow dos Incremented classified current session count on session create

Re: Why I see no logs for DoS policies

raji_toor — Thu, 22 Apr 2021 18:14:26 GMT

Both Zone Protection and DoS policies cannot have TCP-SYN enabled at the same time, Resolved while troubleshooting with support.