Detecting Flood Protection Events

Enable Additional Threat Logging:
```
set system setting additional-threat-log on
```
This command enables the firewall to generate Threat logs for various packet-based attacks, including floods.
View Zone Protection Statistics:
```
show zone-protection zone <zone-name>
```
Replace <zone-name> with the actual name of the zone you wish to inspect. Look for incrementing drop counters related to flood protection.
Check Interface Statistics:
```
show interface ethernet1/1
```
This command provides interface statistics, including drops related to Zone Protection.
Monitor Global Counters:
```
show counter global filter severity drop
```
This helps identify packets dropped due to protection profiles.
Analyze Resource Utilization:
```
show running resource-monitor
```
This command provides information on CPU and memory usage, which can indicate flood attacks.

Monitor Threat Logs:
Navigate to Monitor > Logs > Threat .

Apply the following filter to view flood protection events:
```
( subtype eq 'flood' )
```
This displays logs where flood protection mechanisms were triggered. Note that for Zone Protection Profile-detected floods, the source and destination IPs may not be displayed.
Configure Log Forwarding:
To ensure that flood protection events are forwarded to external systems:
1. Navigate to Objects > Log Forwarding .
2. Create or edit a log forwarding profile to include Threat logs with subtype 'flood'.
3. Apply this profile to the relevant security policies.
Review Dashboard Alarms:
Flood protection events can also trigger alarms visible on the dashboard:
1. Navigate to Dashboard > Alarms .
2. Look for alarms related to flood protection thresholds being exceeded.

🔍 Detecting Flood Protection Events