PAN-OS 8.1.2 introduces new log options

Community Manager

Historically some malformed or irregular packets that were discarded by a zone protection profile or built in protection (like LAND attacks) would only increment a global counter to indicate an action was taken. This made troubleshooting such occurences, or logging for auditing and compliancy, a little more tedious.


Starting from PAN-OS 8.1.2 new Threat logs were introduced that will appear each time such packets are discarded


  • Fragmented IP packets
  • IP address spoofing
  • ICMP packets larger than 1024 bytes
  • Packets containing ICMP fragments
  • ICMP packets embedded with an error message
  • First packets for a TCP session that are not SYN packets

ip drop.pngtcp drop.pngicmp drop.png


Threat logs will also be generated on the following events (which don’t require Packet-Based Attack Protection):

  • Teardrop attack
  • DoS attack using ping of death

To enable the additional logging, run this operational command:

> set system setting additional-threat-log on 


You can find the release notes here: PAN-OS 8.1 Release Information



Stay frosty


L0 Member

So I am on 8.1.2 and I am not seeing anything in my threat logs relating to my ZPP. And I am having an issue with the ZPP dropping my traffic due to IP spoofing. 


Also having a hard time finding the note related to this in the release notes.

Community Manager

hi @RenoRLaskey


It may be easier to open the pdf and visit page 19:

or take a look at the admin guide:


Reviewing the admin guide it appears I left out an important tidbit: enabling the option (apologies for the confusion)


Use the operational CLI command set system setting additional-threat-log on





L7 Applicator

... finally ;)

L0 Member


L2 Linker



Can anyone tell me PAN OS 8.1.2 is recommending for production environment?




Community Manager

hi @Lakshitha


The 8.1 code train is still a bit 'young' to enjoy a recommended status overall, but if you do need to be on 8.1 (if you have one of the new platforms that only support 8.1 or require one of the new features) it is recommended to use PAN-OS 8.1.2

L2 Linker



As i know clientless VPN also new to the palo alto. How about the clientless VPN on 8.1.2 ? recommendations to production environment.?



Community Manager

Hi @Lakshitha

Clientless VPN was already introduced in PAN-OS 8.0

Please take a look at the admin guide here : GlobalProtect Clientless VPN

L2 Linker



Thanks for the reply. No i wanted to know the stability of the clientless VPN.  Becouse it introduced with (PANOS 8.0).  We were waiting almost 1 year for clientless vpn. Plz advice us.




Community Manager

Hi @Lakshitha


You can ask such questions in the general discussion area

There will likely be several users who have implemented Clientless VPN and can advise you

Ask Questions Get Answers Join the Live Community