How to mitigate an abnormal increase in "flow_dos_drop_ip_blocked" global counter

Created On 11/20/23 16:41 PM - Last Modified 11/21/23 16:19 PM


Objective


  • To mitigate an abnormal increase in the flow_dos_drop_ip_blocked global counter, seen for example as:
    > show counter global filter delta yes
    flow_dos_drop_ip_blocked x y drop flow dos Packets dropped: Flagged for blocking and under block duration by DoS or other modules
    (x and y stand for the counter's value and rate columns.)
  • flow_dos_drop_ip_blocked increments each time a packet is dropped because its source IP is currently on the block table, whether it was placed there by a DoS Protection policy, Zone Protection (reconnaissance protection), Packet Buffer Protection (PBP) or a Vulnerability Protection profile with the Block IP action.


Environment


  • Next Generation Firewall
  • Supported PAN-OS
  • DoS, PBP or vulnerability profile
  • flow_dos_drop_ip_blocked global counter


Procedure


  1. Check your firewall system and threat logs: MONITOR> Logs> System and MONITOR> Logs> Threat
  2. Inspect the IP block list via CLI:
    > show dos-block-table all
    > debug dataplane show dos block-table
  3. Alternatively, check the UI Block IP List Entries under : MONITOR > Block IP List.
  4. Check if other global counters are incrementing along with flow_dos_drop_ip_blocked using CLI:
    > show counter global | match drop
    > show counter global filter delta yes | match drop
    This step helps attribute the drops: if flow_dos_pbp_block_host increments together with flow_dos_drop_ip_blocked, the blocks are coming from Packet Buffer Protection.
  5. Review the firewall's configuration:
    1. DoS and Zone Protection configuration under UI:
      • POLICIES > DoS Protection
      • OBJECTS > Security Profiles > DoS Protection
      • NETWORK > Network Profiles > Zone Protection > Reconnaissance Protection: ACTION > block-ip
    2. Packet Buffer Protection configuration both global and zone settings under
      • DEVICE > Setup > Session > Session settings
      • NETWORK > Zone.
    3. Vulnerability Profile under
      • OBJECTS > Security Profiles > Vulnerability Protection.
  6. If, based on the preceding steps, blocking this IP is the expected and desired firewall action (the source really is attacking or scanning), leave the block in place and work to stop the traffic at its source.
  7. If instead the blocked IP is trusted and dropping its traffic is not the desired behavior:
    1. If the IP was blocked by a DoS Protection policy rule with the Action Protect and a Classified DoS Protection profile, adjust the profile thresholds or edit the rule. To clear all IPs blocked by one specific rule (here the rule named "DOS Protection"), use:
      > debug dataplane reset dos rule "DOS Protection" classification-table
    2. If the IP was blocked by a Zone Protection profile, see Zone protection profile blocking trusted traffic. Rather than "debug dataplane reset dos block-table", which clears the entire block table, remove only the trusted IP's entry with:
      > debug dataplane reset dos zone <zone-name> block-table source x.x.x.x
    3. If the IP was blocked by PBP, consider disabling PBP on the trusted zone (NETWORK > Zones) or adjusting the PBP thresholds under DEVICE > Setup > Session > Session Settings.
    4. If the IP was blocked by a Vulnerability Protection profile, then:
      1. If the goal is to stop a specific application from that IP, the one whose traffic triggers the vulnerability signature, add a Security policy rule above the rule that carries the Vulnerability Protection profile and deny that application from that source IP. The traffic is then dropped by policy before it ever reaches the profile.
      2. If the goal is to exempt that IP from one specific signature, add a threat exception: go to OBJECTS > Security Profiles > Vulnerability Protection, open the profile attached to the Security rule that is triggering the Block IP action, select the Exceptions tab, enable the exception for that threat ID and add the IP under IP Address Exemptions.
Note: Once the Block IP action is triggered by a Vulnerability Protection profile for a source IP, all traffic from that IP is dropped for the block duration, not only the session that matched the signature.
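The counter correlation in step 4, as an added example that is not part of the article: a small Python script that parses two captures of "show counter global | match drop" (the column layout follows the counter line quoted in the Objective), computes the increase of every drop counter between them, and applies the article's rule that a rising flow_dos_pbp_block_host points at Packet Buffer Protection. The sample output lines and their values are constructed, and the description text of counters other than flow_dos_drop_ip_blocked is an invented placeholder.

```python
"""Correlate PAN-OS global drop counters between two captures (step 4 of the procedure).

Parses the text of 'show counter global | match drop' taken twice, computes the
per-counter increase, and reports whether flow_dos_drop_ip_blocked is rising and
whether flow_dos_pbp_block_host rose with it (Packet Buffer Protection).
"""
import re
from dataclasses import dataclass

# Constructed sample output, not captured from a real firewall. The column layout
# (name, value, rate, severity, category, aspect, description) follows the line
# quoted in the article; values and the non-article descriptions are invented.
SNAPSHOT_1 = """\
flow_dos_drop_ip_blocked                 1842      61 drop      flow      dos       Packets dropped: Flagged for blocking and under block duration by DoS or other modules
flow_dos_pbp_block_host                   120       0 drop      flow      dos       Packets dropped: blocked by Packet Buffer Protection (constructed text)
flow_policy_deny                          220       7 drop      flow      session   Session setup: denied by policy (constructed text)
"""

SNAPSHOT_2 = """\
flow_dos_drop_ip_blocked                 9117     242 drop      flow      dos       Packets dropped: Flagged for blocking and under block duration by DoS or other modules
flow_dos_pbp_block_host                   385       9 drop      flow      dos       Packets dropped: blocked by Packet Buffer Protection (constructed text)
flow_policy_deny                          231       0 drop      flow      session   Session setup: denied by policy (constructed text)
"""

# name, value, rate, severity, category, aspect, free-text description
COUNTER_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.*)$")


@dataclass
class Counter:
    name: str
    value: int
    rate: int
    severity: str
    category: str
    aspect: str
    description: str


def parse_counters(text):
    """Return {counter_name: Counter}; lines that do not look like a counter row are skipped."""
    counters = {}
    for line in text.splitlines():
        m = COUNTER_RE.match(line.strip())
        if m:
            name, value, rate, sev, cat, aspect, desc = m.groups()
            counters[name] = Counter(name, int(value), int(rate), sev, cat, aspect, desc.strip())
    return counters


def counter_deltas(before, after):
    """Increase of each counter from the first capture to the second (counters absent
    from the first capture count from zero). Counters that did not grow are omitted."""
    b = parse_counters(before)
    a = parse_counters(after)
    deltas = {}
    for name, c in a.items():
        prev = b[name].value if name in b else 0
        if c.value > prev:
            deltas[name] = c.value - prev
    return deltas


def assess_ip_blocked(deltas):
    """Apply the article's correlation to the computed deltas and say what to check next."""
    blocked = deltas.get("flow_dos_drop_ip_blocked", 0)
    if blocked == 0:
        return "flow_dos_drop_ip_blocked is not incrementing"
    pbp = deltas.get("flow_dos_pbp_block_host", 0)
    if pbp > 0:
        return ("flow_dos_drop_ip_blocked rose by %d alongside flow_dos_pbp_block_host (+%d): "
                "likely Packet Buffer Protection; review DEVICE > Setup > Session and the zone PBP settings"
                % (blocked, pbp))
    return ("flow_dos_drop_ip_blocked rose by %d with no PBP counter moving: check 'show dos-block-table all' "
            "and the Threat log to see whether a DoS rule, Zone Protection or a Vulnerability Protection "
            "Block IP action flagged the source" % blocked)


if __name__ == "__main__":
    deltas = counter_deltas(SNAPSHOT_1, SNAPSHOT_2)
    for name, inc in sorted(deltas.items(), key=lambda kv: -kv[1]):
        print(f"{name:40s} +{inc}")
    print(assess_ip_blocked(deltas))
```

Paste two real captures into the SNAPSHOT strings (or read them from files) and run the script. With "show counter global filter delta yes" the firewall already reports the change since the previous read, so a single capture can be fed to parse_counters and its value column used directly as the delta.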


Additional Information


What effect does Packet Buffer Protection have if it is enabled globally but not enabled on Zones?

Block tables (SW and HW) are only used by:



https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000008VwuCAE&lang=en_US&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail