PAN-OS 8.1.2 Introduces New Log Options

Cyber Elite

Historically, some malformed or irregular packets discarded by a zone protection profile or by built-in protection (for example, LAND attacks) would only increment a global counter to indicate that an action was taken. This made troubleshooting such occurrences, or logging them for auditing and compliance, more tedious.

Starting from PAN-OS 8.1.2, new threat logs are generated each time such packets are discarded:

  • Fragmented IP packets
  • IP address spoofing
  • ICMP packets larger than 1024 bytes
  • Packets containing ICMP fragments
  • ICMP packets embedded with an error message
  • First packets for a TCP session that are not SYN packets

[Screenshots: threat log entries for IP, TCP and ICMP packet drops]

Threat logs are also generated for the following events (which don’t require Packet-Based Attack Protection):

  • Teardrop attack
  • DoS attack using ping of death

To enable the additional logging, run this operational command:

> set system setting additional-threat-log on

You can find the release notes here: PAN-OS 8.1 Release Information

Stay frosty

Reaper

12 Comments
L0 Member

So I am on 8.1.2 and I am not seeing anything in my threat logs relating to my ZPP. And I am having an issue with the ZPP dropping my traffic due to IP spoofing. 


Also having a hard time finding the note related to this in the release notes.

Cyber Elite

hi @RenoRLaskey


It may be easier to open the pdf and visit page 19: https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/technical-documentation/81/pan-os/...

or take a look at the admin guide: https://www.paloaltonetworks.com/documentation/81/pan-os/pan-os/zone-protection-and-dos-protection/c...


Reviewing the admin guide, it appears I left out an important tidbit: enabling the option (apologies for the confusion).


Use the operational CLI command set system setting additional-threat-log on

L7 Applicator

... finally 😉

L0 Member

sweet

L2 Linker

Hi,


Can anyone tell me whether PAN-OS 8.1.2 is recommended for production environments?


Thanks,

Kavinda

Cyber Elite

hi @Lakshitha


The 8.1 code train is still a bit 'young' to enjoy a recommended status overall, but if you do need to be on 8.1 (if you have one of the new platforms that only support 8.1, or require one of the new features), it is recommended to use PAN-OS 8.1.2.

L2 Linker

Hi


As I know, clientless VPN is also new to Palo Alto. How about the clientless VPN on 8.1.2? Is it recommended for production environments?


Thanks

Cyber Elite

Hi @Lakshitha

Clientless VPN was already introduced in PAN-OS 8.0.

Please take a look at the admin guide here: GlobalProtect Clientless VPN

L2 Linker

Hi,


Thanks for the reply. No, I wanted to know about the stability of the clientless VPN, because it was introduced with PAN-OS 8.0. We have been waiting almost 1 year for clientless VPN. Please advise us.


Thanks,

Lakshitha.

Cyber Elite

Hi @Lakshitha


You can ask such questions in the general discussion area.

There will likely be several users who have implemented Clientless VPN and can advise you.

L2 Linker

Hi,


Is this feature recommended as a troubleshooting/debug tool only, or is it safe to enable during "normal" operation? Does it depend on the environment?

Cyber Elite

Hi @ice-quake 


You can safely enable it, but it gets noisy real quick, as it will catch a lot of internet garbage.

This can clutter reporting and the ACC.
