Why do some scan/flood signatures (8001, 8002, 8501, 8502, etc.) not have rule names in the threat log?

Created On 05/04/23 15:11 PM - Last Modified 10/30/25 20:30 PM


Question


Why do some scan/flood signatures (8001, 8002, 8501, 8502, etc.) not have rule names in the threat log?

Environment


PAN-OS
DoS/Zone Protection enabled


Answer


When a threat signature (spyware, vulnerability, antivirus, WildFire, DNS) is triggered, the threat log records the rule name associated with the matching traffic log. This is the security rule name.

When a threat signature related to DoS/Zone Protection is triggered by a DoS Protection policy, the threat log records the rule name. This is the DoS rule name, not a security rule name.

If the threat signature is triggered by the Zone Protection settings, the rule name is blank, because there is no separate policy for Zone Protection.
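The attribution logic above, applied to exported threat log rows so that blank-rule scan/flood events are not dropped by reports grouped on rule name. This is an added example, not Palo Alto Networks code. The column names, the sample rows, the non-scan/flood threat IDs, and the choice to group blank-rule events by a zone column are assumptions made for illustration.

```python
import csv
import io
from collections import Counter

# Scan/flood threat IDs named in the article; extend from the linked list.
SCAN_FLOOD_IDS = {8001, 8002, 8501, 8502}

# Constructed sample rows. Column names are assumptions for a simplified
# export; threat IDs 30001/30002 and all rule names are made up.
SAMPLE_CSV = """threat_id,rule,from_zone,src
8001,,untrust,198.51.100.7
8501,,untrust,198.51.100.9
8501,dos-web-servers,untrust,203.0.113.4
8002,,dmz,192.0.2.15
30001,allow-outbound-web,trust,10.0.0.5
30002,,trust,10.0.0.6
"""

def classify(row):
    """Return (source, attribution_key) for one threat log row."""
    rule = (row.get("rule") or "").strip()
    tid = int(row["threat_id"])
    if tid in SCAN_FLOOD_IDS:
        if rule:
            # Rule present: this is a DoS rule name, not a security rule name.
            return ("dos-protection-policy", rule)
        # Blank rule: Zone Protection has no policy, so key on the zone column.
        return ("zone-protection", "zone:" + row["from_zone"])
    if rule:
        return ("security-rule", rule)
    # Blank rule outside the known ID set: ID list may be incomplete.
    return ("review", "threat_id:%d" % tid)

def summarize(csv_text):
    """Count events per (source, attribution_key)."""
    counts = Counter()
    for row in csv.DictReader(io.StringIO(csv_text)):
        counts[classify(row)] += 1
    return counts

if __name__ == "__main__":
    for (source, key), n in sorted(summarize(SAMPLE_CSV).items()):
        print(f"{source:24} {key:24} {n}")
```
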


Additional Information


  • What are the Threat IDs for Scan and Flood associated with Zone Protection?
     https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PPklCAG

