Problem description: Flood logs triggered by DoS Protection could not be sent to the syslog server.

Palo Alto deployment: v-wire mode
PAN-OS: v4.1.8

Settings in Palo Alto:
1. Device -> Server Profiles -> Syslog -> Add a syslog server with port 514 and LOG_USER facility.
2. Objects -> Log Forwarding -> Add a syslog forwarding profile; all severities (Informational, Low, Medium, High and Critical) under threat settings are set to the syslog profile.
3. Objects -> DoS Protection -> Add a flood profile, type 'classified'; enable SYN Flood, UDP Flood, ICMP Flood, and Other IP Flood, with alarm rate and activate rate set to 10 packets/sec.
4. In the trust-to-untrust and untrust-to-trust security policies, apply the default antivirus profile and log forwarding to the syslog server.
5. Add a DoS Protection policy from trust to untrust zone, set the protect action, enable Classified, choose the flood profile set in step 3, and choose 'source-ip-only' for Address.
6. Commit all settings.

Testing:
1. A client in the trust zone accesses the EICAR virus test file; the EICAR test file deny log can be viewed in Palo Alto Monitor -> Logs -> Threat and in the syslog server.
2. A client in the trust zone uses the 'hping' tool to generate a TCP flood; the TCP flood log can be viewed in Palo Alto Monitor -> Logs -> Threat, but nothing appears in syslog.

Can flood logs triggered by DoS Protection not be sent to the syslog server? The attachment is the PA-500 configuration and monitor screenshot. Thanks.
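A receiver-side check for this kind of problem, added here as an example (it is not part of the original post and not a Palo Alto Networks tool): capture what actually arrives on the syslog port and count log lines by PAN-OS log type and subtype, so that "virus" threat logs and "flood" threat logs can be told apart without looking at the firewall GUI. The sample lines below are constructed, and the assumption that the log Type sits in CSV field 3 and the Threat/Content subtype in field 4 follows the documented PAN-OS threat/traffic log layout; verify the positions against the docs for your PAN-OS version.

```python
import csv
import re
import socket
import time
from collections import Counter

# Syslog header as PAN-OS sends it over UDP: "<PRI>Mon DD HH:MM:SS hostname "
# followed by the comma-separated log body.
_HEADER = re.compile(
    r"^<\d{1,3}>\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\s+\S+\s+(?P<body>.*)$"
)

# Field positions in the CSV body (assumption based on the documented
# PAN-OS log layout: 0 FUTURE_USE, 1 receive time, 2 serial, 3 type, 4 subtype).
TYPE_FIELD = 3
SUBTYPE_FIELD = 4

# Constructed sample lines, not real firewall output; only the leading fields
# matter for this check. The third line is what a forwarded DoS flood log
# would look like at the type/subtype level.
SAMPLE_SYSLOG = """\
<14>Jan 10 12:00:01 pa-500 1,2013/01/10 12:00:01,0001A100000,THREAT,virus,1,2013/01/10 12:00:01,10.0.1.20,203.0.113.10
<14>Jan 10 12:00:05 pa-500 1,2013/01/10 12:00:05,0001A100000,TRAFFIC,end,1,2013/01/10 12:00:05,10.0.1.20,203.0.113.10
<14>Jan 10 12:00:09 pa-500 1,2013/01/10 12:00:09,0001A100000,THREAT,flood,1,2013/01/10 12:00:09,10.0.1.20,203.0.113.10
"""


def parse_line(line):
    """Return {'type', 'subtype', 'fields'} for one syslog line, or None if it is not PAN-OS shaped."""
    m = _HEADER.match(line.strip())
    if not m:
        return None
    # csv handles quoted fields (e.g. rule names containing commas)
    fields = next(csv.reader([m.group("body")]))
    if len(fields) <= SUBTYPE_FIELD:
        return None
    return {"type": fields[TYPE_FIELD], "subtype": fields[SUBTYPE_FIELD], "fields": fields}


def parse_syslog(text):
    """Parse a block of newline-separated syslog lines, skipping anything unparseable."""
    records = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is not None:
            records.append(rec)
    return records


def summarize(records):
    """Count records by (type, subtype), e.g. ('THREAT', 'flood')."""
    return Counter((r["type"], r["subtype"]) for r in records)


def flood_logs_seen(records):
    """True if at least one DoS flood threat log reached the collector."""
    return any(r["type"] == "THREAT" and r["subtype"] == "flood" for r in records)


def collect_udp(port=514, seconds=30, bind_addr="0.0.0.0"):
    """Listen on the syslog UDP port for `seconds` and return the raw lines received.

    Run this on the syslog server host (binding to 514 needs root) while
    generating the test traffic, then feed the result to parse_syslog().
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_addr, port))
    lines = []
    deadline = time.monotonic() + seconds
    try:
        while True:
            remaining = deadline - time.monotonic()
            if remaining <= 0:
                break
            sock.settimeout(remaining)
            try:
                data, _ = sock.recvfrom(65535)
            except socket.timeout:
                break
            lines.append(data.decode("utf-8", "replace"))
    finally:
        sock.close()
    return lines


if __name__ == "__main__":
    # Offline demonstration on the constructed sample; swap in
    # "\n".join(collect_udp()) to check a live collector.
    recs = parse_syslog(SAMPLE_SYSLOG)
    for (ltype, subtype), n in sorted(summarize(recs).items()):
        print(f"{ltype:8s} {subtype:8s} {n}")
    print("flood logs forwarded:", flood_logs_seen(recs))
```

If the virus deny log shows up in the summary but no ('THREAT', 'flood') entry ever does while the firewall's own Threat log shows the flood events, the gap is on the forwarding side rather than in the collector, which narrows the problem to the log forwarding configuration on the firewall.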