📊 Zone Protection Profile Log Analysis

1. Understanding Log Types

Zone Protection Profile events are recorded in the Threat Logs with specific subtypes:

• flood – Indicates flood protection events (e.g., SYN, ICMP floods).
• scan – Denotes reconnaissance protection events (e.g., port scans, host sweeps).
• packet – Represents packet-based attack protection events (e.g., malformed packets).

These subtypes help in filtering and identifying specific protection events in the logs.

2. Enabling Detailed Logging

To ensure that all relevant Zone Protection events are logged, enable additional threat logging via CLI:

set system setting additional-threat-log on

This command allows the firewall to generate Threat logs for various packet-based attacks, including:

• Teardrop attacks
• Ping of death
• IP spoofing
• Large ICMP packets
• Non-SYN TCP packets initiating sessions

Note: This setting is available in PAN-OS 8.1.2 and later versions.

3. CLI Commands for Monitoring

Use the following CLI commands to monitor Zone Protection activities:

• show zone-protection zone <zone-name> – Displays statistics for the specified zone.
• show counter global filter severity drop – Shows global drop counters, useful for identifying dropped packets due to protection profiles.
• show interface ethernet1/1 – Provides interface statistics, including drops related to Zone Protection.

Replace <zone-name> with the actual name of the zone you wish to inspect.

4. GUI Navigation for Log Analysis

To view Zone Protection events in the GUI:

1. Navigate to Monitor > Logs > Threat .
2. Use the following filters to isolate specific events:
   • ( subtype eq 'flood' ) – For flood protection events.
   • ( subtype eq 'scan' ) – For reconnaissance protection events.
   • ( subtype eq 'packet' ) – For packet-based attack protection events.

These filters help in quickly identifying and analyzing relevant security events.

5. Best Practices

• Ensure Traffic is Allowed: Zone Protection profiles only log events for traffic that is permitted by security policies. If traffic is denied by a policy, Zone Protection will not generate logs for it.
• Regularly Monitor Logs: Consistently review Threat Logs to identify and respond to potential threats promptly.
• Customize Log Forwarding: Create separate log forwarding profiles for Zone Protection events to streamline monitoring and alerting.
• Stay Updated: Keep the firewall's PAN-OS version up to date to benefit from the latest security features and logging capabilities.

6. Additional Resources

• Threat Log Fields - Palo Alto Networks Documentation
• Zone Protection Profiles - PAN-OS Admin Guide
• Zone Protection and DoS Protection - PAN-OS Admin Guide
• Seeing the Results of a Zone Protection Profile in Logs - Reddit Discussion
• Palo Alto Firewall Training | Zone Protection Profiles - YouTube