How to Implement Resource Protection using a DOS Profile

Created On 09/25/18 17:39 PM - Last Modified 06/12/23 20:43 PM


Resolution


To protect resources using a DOS profile:

  1. Create a DOS profile and, under Resources Protection, set the maximum concurrent limit for sessions.
  2. Create a DOS rule under Policies for the specific source and destination, using the DOS profile created above.

Useful commands for troubleshooting:

> show counter global filter | match dos
flow_dos_curr_sess_incr_failed             2        0 drop      flow      dos       Unable to increment current session count on session create
flow_dos_cl_curr_sess_add_incr             2        0 info      flow      dos       Incremented classified current session count on session create
flow_dos_cl_max_sess_limit                 2        0 drop      flow      dos       Session limit reached for classified profile, drop session

To see the count of dropped packets as well as other details:

> show dos-protection rule DOS-Rule statistics
Rule:DOS-Rule, idx:0, id:3
  Aggregate profile:
  Classified profile:DOS-RscProtect
  Classification Criteria:Source-IP Destination-IP
  Action:protect
Classified profile:DOS-RscProtect
  sessions:
    current:        0      sessions dropped:6

-------------------------------------------------------------------------------
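The two outputs above can be checked by script when they are collected from many firewalls. The following is an added example, not Palo Alto Networks code: it parses the sample lines from this article and reports which DOS counters are dropping sessions and how many sessions the rule has dropped. The function names and the column names in the regular expression (name, value, rate, severity, category, aspect, description) are assumptions made for the example.

```python
import re
# Sample output copied from the commands shown in this article.
COUNTERS = """\
flow_dos_curr_sess_incr_failed             2        0 drop      flow      dos       Unable to increment current session count on session create
flow_dos_cl_curr_sess_add_incr             2        0 info      flow      dos       Incremented classified current session count on session create
flow_dos_cl_max_sess_limit                 2        0 drop      flow      dos       Session limit reached for classified profile, drop session
"""
RULE_STATS = """\
Rule:DOS-Rule, idx:0, id:3
  Classified profile:DOS-RscProtect
  Action:protect
  sessions:
    current:        0      sessions dropped:6
"""
# Assumed column order: name value rate severity category aspect description
COUNTER_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<value>\d+)\s+(?P<rate>\d+)\s+(?P<severity>\S+)\s+"
    r"(?P<category>\S+)\s+(?P<aspect>\S+)\s+(?P<desc>.+)$")

def parse_counters(text):
    """Return one dict per counter line; non-counter lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = COUNTER_RE.match(line.strip())
        if m:
            row = m.groupdict()
            row["value"], row["rate"] = int(row["value"]), int(row["rate"])
            rows.append(row)
    return rows

def dos_drops(rows):
    """Non-zero counters with severity 'drop' and aspect 'dos'."""
    return {r["name"]: r["value"] for r in rows
            if r["aspect"] == "dos" and r["severity"] == "drop" and r["value"] > 0}

def parse_rule_stats(text):
    """Pull rule name, profile, action and session counts from rule statistics."""
    fields = {"rule": r"^Rule:([^,\s]+)", "profile": r"Classified profile:(\S+)",
              "action": r"Action:(\S+)", "current": r"current:\s*(\d+)",
              "dropped": r"sessions dropped:\s*(\d+)"}
    stats = {}
    for key, pattern in fields.items():
        m = re.search(pattern, text, re.M)
        if m:
            stats[key] = int(m.group(1)) if m.group(1).isdigit() else m.group(1)
    return stats

if __name__ == "__main__":
    print(dos_drops(parse_counters(COUNTERS)), parse_rule_stats(RULE_STATS))
```

A non-zero `flow_dos_cl_max_sess_limit` together with a non-zero `sessions dropped` value for the rule shows that the classified profile's session limit is being enforced.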

 

owner: ssunku


