Understanding DoS Logs and Counters
Palo Alto Networks firewalls provide Zone Protection and DoS Protection profiles to help mitigate flood attacks, reconnaissance activity, and packet-based attacks. Because denial-of-service attacks can originate from many sources at extremely high rates, the firewall logs these attacks differently from other logging events so that the attack does not deplete the firewall's resources.
The tech note in the PDF attached below identifies and describes the key log events and counters of interest related to these log types.
CLI commands used in the tech note:
show counter global filter delta yes aspect dos
show running dos-policy
show zone-protection zone <zonename>
show dos-protection zone <zonename> blocked source
show dos-protection rule <rulename> settings
show dos-protection rule
show session packet-buffer-protection
show session packet-buffer-protection zones
show dos-block-table all
show dos-block-table summary
show log threat direction equal backward