11-26-2012 02:22 AM
Problem description:
Flood logs triggered by DoS Protection cannot be sent to the syslog server.
Palo Alto deployment: v-wire mode
PAN-OS: v4.1.8
Settings in Palo Alto:
1. Device -> Server Profiles -> Syslog -> Add a syslog server with port 514 and LOG_USER facility.
2. Objects -> Log Forwarding -> Add a syslog forwarding profile; all severities (Informational, Low, Medium, High and Critical) under threat settings are set to the syslog profile.
3. Objects -> DoS Protection -> Add a flood profile, type 'classified'; enable SYN Flood, UDP Flood, ICMP Flood, and Other IP Flood; the alarm rate and active rate are 10 packets/sec.
4. In the trust-to-untrust and untrust-to-trust security policies, apply the default antivirus profile and log forwarding to the syslog server.
5. Add a DoS Protection policy from the trust to the untrust zone, set the protect action, enable Classified, choose the flood profile set in step 3, and for Address choose 'source-ip-only'.
6. Commit all settings.
Testing:
1. A client in the trust zone accesses the EICAR virus test file; the EICAR test file deny log can be viewed in Palo Alto Monitor -> Logs -> Threat and on the syslog server.
2. A client in the trust zone uses the 'hping' tool to generate a TCP flood; the TCP flood log can be viewed in Palo Alto Monitor -> Logs -> Threat, but nothing appears in syslog.
Can flood logs triggered by DoS Protection not be sent to the syslog server?
The attachment is the PA-500 configuration and a monitor screenshot.
Thanks.
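A DoS Protection rule carries its own Log Forwarding setting, separate from the security policy that the post attaches the syslog profile to, so a useful check when flood logs reach the Threat log but not syslog is to audit the DoS rulebase for rules with no forwarding profile. The script below is an added example, not code from the post or from Palo Alto; the config excerpt is constructed, and the element layout (a `log-setting` child on each `rulebase/dos/rules/entry`, profiles under `log-settings/profiles`) is an assumption drawn from the `set rulebase dos rules <name> log-setting <profile>` CLI form, so verify it against an exported running-config before relying on it.

```python
import xml.etree.ElementTree as ET

# Constructed excerpt of a PAN-OS running config (not the poster's attachment).
# Element names follow the "set rulebase dos rules <name> log-setting <profile>"
# CLI form; the exact tree layout is an assumption for this illustration.
SAMPLE_CONFIG = """<config>
  <devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
    <log-settings><profiles>
      <entry name="fwd-syslog"/>
    </profiles></log-settings>
    <rulebase>
      <security><rules>
        <entry name="trust-to-untrust"><log-setting>fwd-syslog</log-setting></entry>
      </rules></security>
      <dos><rules>
        <entry name="dos-flood-classified"><action><protect/></action></entry>
        <entry name="dos-flood-logged"><action><protect/></action>
          <log-setting>fwd-syslog</log-setting></entry>
        <entry name="dos-stale-profile"><log-setting>old-profile</log-setting></entry>
      </rules></dos>
    </rulebase>
  </entry></vsys></entry></devices>
</config>"""


def audit_dos_log_forwarding(config_xml: str) -> dict:
    """Return {rule name: finding} for DoS rules whose logs will not be forwarded.

    Two failure modes are reported: a rule with no log-setting at all (the
    situation described in the post, where only the security rules forward),
    and a rule whose log-setting names a profile that no longer exists.
    """
    root = ET.fromstring(config_xml)
    # Names of every log forwarding profile defined in the config (assumed path).
    profiles = {e.get("name") for e in root.iterfind(".//log-settings/profiles/entry")}
    findings = {}
    for rule in root.iterfind(".//rulebase/dos/rules/entry"):
        name = rule.get("name")
        setting = rule.findtext("log-setting")  # None when the element is absent
        if setting is None:
            findings[name] = "no log forwarding profile on DoS rule"
        elif setting not in profiles:
            findings[name] = f"log forwarding profile '{setting}' not defined"
    return findings


if __name__ == "__main__":
    for rule, finding in audit_dos_log_forwarding(SAMPLE_CONFIG).items():
        print(f"{rule}: {finding}")
```

On a live firewall, export the running config (Device -> Setup -> Operations) and pass its text to `audit_dos_log_forwarding` instead of the constructed sample.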