Why I see no logs for DoS policies


Changes to the LIVEcommunity experience are coming soon... Here's what you need to know.

L4 Transporter

Why I see no logs for DoS policies

I am testing DoS policies and have alarm rate set as 1. I did not intend to be that low but I was not seeing logs under monitor for a server that is continuously used. There are  flood logs from Zone Protection and they use a different log forwarding profile for easy differentiation. 

DOS policy


Aggregate and classified profiles used in policy



Community Team Member

Here is some information that may help.. 


Global Counters for DoS Activity Monitoring
To supplement the Threat event logs for Zone and DoS protection, the following CLI commands can provide additional
information in the form of global counters and session count information to help identify DoS activity.
>show counter global name ?              Lists all global counters
>show counter global filter aspect dos   List all global counters with active DoS aspect values


Counter Aspects
PAN-OS allows filtering of the Global Counters by category, aspect, and severity to make it easy to pull the relevant
counters for review. Counters of interest that are related to Zone and DoS protection include:
Category: Flow Aspect: dos
Category: Flow Aspect: parse
Category: Flow Aspect: ipfrag


Example of CLI command to extract Flow counters with a DoS aspect:
>show counter global filter category flow aspect dos

LIVEcommunity team member
Stay Secure,
Don't forget to Like items!
L4 Transporter

@jdelio  I checked and as you can see below on setting the filter to that IP i can see Syn cookies are sent. But why does it not show in logs is my problem. I know its not much but its still higher than alarm rate of 1 and should show in threat logs as cookie sent.



debug dataplane packet-diag set filter match destination X.X.X.X

debug dataplane packet-diag set filter on


show counter global filter delta yes packet-filter yes aspect dos

Global counters:
Elapsed time since last sampling: 7.374 seconds


name value rate severity category aspect description
flow_dos_syncookie_cookie_sent 16 1 info flow dos TCP SYN cookies: cookies sent, aggregate profile/zone
flow_dos_syncookie_ack_rcv 25 1 info flow dos TCP SYN cookies: ACKs to cookies received, aggregate profile/zone
flow_dos_cl_syncookie_ack_rcv 4 0 info flow dos TCP SYN cookies: ACKs to cookies received, classified profile
flow_dos_rule_allow_under_rate 78 6 info flow dos Packets allowed: Rate within thresholds of DoS policy
flow_dos_rule_match 78 6 info flow dos Packets matched DoS policy
flow_dos_ag_curr_sess_add_incr 12 0 info flow dos Incremented aggregate current session count on session create
flow_dos_cl_curr_sess_add_incr 12 0 info flow dos Incremented classified current session count on session create



Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!