Unable to See the Threat Logs for Packet Based Attack
Symptom
When Zone Protection is enabled for a Zone and there is a packet based attack, threat logs are not being shown even though the logs are being forwarded for Zone Protection. The screenshots below describe this scenario.
Packet Based Attack Protection is configured under Network > Zone Protection:
For this scenario, a zone was added to create a Zone Protection Profile with Packet Based Attack Protection:
Under Network > Zones, the Zone Protection Profile was used in the zones, as shown above.
In this scenario, a Log Forwarding profile was added in Log Setting > Zone, which forwarded all the Zone Protection logs.
The Zone Protection logs are expected to appear under Monitor > Logs > Threat. However, no threat logs are displayed:
Resolution
Prior to PAN-OS 8.1.2:
When Packet Based Attack Protection is enabled, packets that match detection criteria will be dropped. This type of traffic is considered noise, and log entries will not be written to the Threat log.
Starting from PAN-OS 8.1.2:
Additional logging can be enabled to give visibility of dropped traffic via the threat logs:
- Use the operational CLI command:
> set system setting additional-threat-log on
- Commit the changes on the firewall
Ref: PAN-OS 8.1.2 introduces new log options
owner: achalla