What do threat logs look like when a UDP flood is detected by a Classified DoS Profile, an Aggregate DoS Profile or a Zone Protection Profile?
Created On 05/28/20 07:31 AM - Last Modified 06/08/23 08:29 AM
Symptom
A UDP flood can be detected and dropped by DoS policies and/or Zone Protection profiles. Detection and dropping take place according to the thresholds configured in the Classified DoS Profile and Aggregate DoS Profile used by the DoS Policy that the UDP flood matches, as well as the thresholds in the Zone Protection Profile attached to the zone on which the UDP flood arrives.
When checking threat logs it can be quite confusing to work out which profile detected and/or dropped the UDP flood. Below you will see the view of the threat logs and the log details when the same UDP flood attack is dropped by a Classified DoS Profile, an Aggregate DoS Profile and a Zone Protection Profile in turn.
Environment
Any PAN-OS
Any HW/VM
Resolution
This is the view when a UDP flood is detected and dropped by a Classified DoS Profile. You will see the source IP and the destination IP in the logs. You will also see the DoS Policy name "dos-policy" as the "Rule" in the Detailed Log View.
This is the view when a UDP flood is detected and dropped by an Aggregate DoS Profile. You will not see the source IP or the destination IP in the logs, but you will again see the DoS Policy name "dos-policy" as the "Rule" in the Detailed Log View.
This is the view when a UDP flood is detected and dropped by a Zone Protection Profile. You will see neither the source IP and destination IP nor any DoS Policy name in the logs.
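As an added triage aid (not code from the article or from Palo Alto Networks), the script below applies the three distinctions above to exported threat-log entries: whether source/destination IPs are shown and whether a DoS Policy name appears as the Rule. The dict keys "threat", "src", "dst" and "rule", the empty-string convention for fields the log does not show, and the sample entries are constructed assumptions.

```python
# Added example (not from the Palo Alto Networks article): infer which profile
# detected and dropped a UDP flood from what a threat-log entry does and does
# not contain, following the three cases described in the article.
# Assumptions: entries are dicts with the constructed keys "threat", "src",
# "dst" and "rule"; an IP or rule that the log does not show is an empty string.
from collections import Counter
from typing import Dict, List

CLASSIFIED = "Classified DoS Profile"
AGGREGATE = "Aggregate DoS Profile"
ZONE = "Zone Protection Profile"
UNKNOWN = "unknown"


def _present(value) -> bool:
    """A field counts as shown only when it is a non-empty string."""
    return isinstance(value, str) and value.strip() != ""


def infer_profile(entry: Dict[str, str]) -> str:
    """Map one threat-log entry to the profile that produced it.

    Classified DoS:  source IP, destination IP and the DoS Policy name (Rule).
    Aggregate DoS:   no source/destination IP, but the DoS Policy name (Rule).
    Zone Protection: no source/destination IP and no DoS Policy name.
    """
    has_src = _present(entry.get("src"))
    has_dst = _present(entry.get("dst"))
    has_rule = _present(entry.get("rule"))
    if has_src and has_dst and has_rule:
        return CLASSIFIED
    if not has_src and not has_dst:
        return AGGREGATE if has_rule else ZONE
    return UNKNOWN  # partial IPs, or IPs without a rule: not a case the article describes


def summarize(entries: List[Dict[str, str]]) -> Dict[str, int]:
    """Count UDP-flood entries per inferred profile; other threats are skipped."""
    counts = Counter()
    for entry in entries:
        if "udp flood" in entry.get("threat", "").lower():
            counts[infer_profile(entry)] += 1
    return dict(counts)


# Constructed sample entries: one per case in the article, plus a non-UDP entry.
SAMPLE_LOGS = [
    {"threat": "UDP Flood", "src": "192.0.2.10", "dst": "198.51.100.20", "rule": "dos-policy"},
    {"threat": "UDP Flood", "src": "", "dst": "", "rule": "dos-policy"},
    {"threat": "UDP Flood", "src": "", "dst": "", "rule": ""},
    {"threat": "SYN Flood", "src": "", "dst": "", "rule": ""},
]

if __name__ == "__main__":
    for name, count in sorted(summarize(SAMPLE_LOGS).items()):
        print(f"{name}: {count}")
```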