All incoming TCP connections blocked for 5 minutes at random times.

Do you have source address exclusions under Reconnaissance Protection?  You may want to include highly trusted items on your allow list there, such as internal DNS forwarders if you have them.

We don't have this problem with UDP which is what DNS uses.

DNS does use UDP, but can also use TCP over port 53 as well.  Any way if you have site-to-site vpn or something similar, you may want some exclusions to Dos / Zone protections policies.

Thanks @fhewiufhwefhwe but the problem we are facing is that when the TCP outage occurs our thousands of user who are scattered across the Internet world are not able to reach our websites or mail servers.  We don't want the firewall to block the whole Internet.

I should also point out if the subject is not clear that the problem is only with incoming TCP traffic.  Outgoing traffic is not affected.

Have you tried increasing the thresholds under SYN Flood Protection then?  How high is your firewall on resource utilization?  I'm wondering if you might be able to use SYN Cookies instead of Random Early Drop action?   Note that I have not tried this myself.

I'm also thinking that you might want to setup SNMP monitoring the DoS counters on the firewall.  I recently tried to configure this, but have not had success yet.

This article might help.  I've been meaning to read it myself and figure out how to setup snmp monitoring for DoS.

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClOKCA0

I have increased the threshold from 100 to 500 under Reconnaissance per your suggestion.  Will see if that makes a difference.

I did not mean the threshold under Reconnaissance Protection.  I mean the threshold under Flood Protection.  The defaults are 10,000 fro Alarm Rate and Activate, and 40,000 for maximum connections/sec.

Those are already pretty high.  Alarm and active reates are 59,000.  Maximum connections at 100,000.