Why I see no logs for DoS policies

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Why I see no logs for DoS policies

L4 Transporter

I am testing DoS policies and have alarm rate set as 1. I did not intend to be that low but I was not seeing logs under monitor for a server that is continuously used. There are  flood logs from Zone Protection and they use a different log forwarding profile for easy differentiation. 

DOS policy

image.png

Aggregate and classified profiles used in policy

image.png

image.png

1 accepted solution

Accepted Solutions

Both Zone Protection and DoS policies cannot have TCP-SYN enabled at the same time, Resolved while troubleshooting with support.

View solution in original post

3 REPLIES 3

L7 Applicator

Here is some information that may help.. 

 

Global Counters for DoS Activity Monitoring
To supplement the Threat event logs for Zone and DoS protection, the following CLI commands can provide additional
information in the form of global counters and session count information to help identify DoS activity.
>show counter global name ?              Lists all global counters
>show counter global filter aspect dos   List all global counters with active DoS aspect values

 

Counter Aspects
PAN-OS allows filtering of the Global Counters by category, aspect, and severity to make it easy to pull the relevant
counters for review. Counters of interest that are related to Zone and DoS protection include:
Category: Flow Aspect: dos
Category: Flow Aspect: parse
Category: Flow Aspect: ipfrag

 

Example of CLI command to extract Flow counters with a DoS aspect:
>show counter global filter category flow aspect dos

LIVEcommunity team member
Stay Secure,
Joe
Don't forget to Like items if a post is helpful to you!

@jdelio  I checked and as you can see below on setting the filter to that IP i can see Syn cookies are sent. But why does it not show in logs is my problem. I know its not much but its still higher than alarm rate of 1 and should show in threat logs as cookie sent.

 

---------------------------------------------

debug dataplane packet-diag set filter match destination X.X.X.X

debug dataplane packet-diag set filter on

---------------------------------------------

show counter global filter delta yes packet-filter yes aspect dos


Global counters:
Elapsed time since last sampling: 7.374 seconds

 

name value rate severity category aspect description
--------------------------------------------------------------------------------
flow_dos_syncookie_cookie_sent 16 1 info flow dos TCP SYN cookies: cookies sent, aggregate profile/zone
flow_dos_syncookie_ack_rcv 25 1 info flow dos TCP SYN cookies: ACKs to cookies received, aggregate profile/zone
flow_dos_cl_syncookie_ack_rcv 4 0 info flow dos TCP SYN cookies: ACKs to cookies received, classified profile
flow_dos_rule_allow_under_rate 78 6 info flow dos Packets allowed: Rate within thresholds of DoS policy
flow_dos_rule_match 78 6 info flow dos Packets matched DoS policy
flow_dos_ag_curr_sess_add_incr 12 0 info flow dos Incremented aggregate current session count on session create
flow_dos_cl_curr_sess_add_incr 12 0 info flow dos Incremented classified current session count on session create

 

 

Both Zone Protection and DoS policies cannot have TCP-SYN enabled at the same time, Resolved while troubleshooting with support.

  • 1 accepted solution
  • 4352 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!