1.1.3 Ensure 'Enable Log on High DP Load' is enabled

Information

Enable the 'Enable Log on High DP Load' option. When this option is selected, a system log entry is created when the device's packet processing (dataplane) load reaches 100% utilization.

Rationale:

When the device's packet processing load reaches 100%, a degradation in the availability of services accessed through the device can occur. Logging this event can help with troubleshooting system performance.

Impact:

Sustained attacks, especially volumetric DoS and DDoS attacks, will often drive up dataplane CPU utilization. This setting generates an event that is easy to monitor for and alert on. While setting CPU utilization watermarks in a Network Management System (NMS) is standard practice, this setting does not depend on having an NMS at all; it requires nothing beyond standard logging to implement.
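The Impact paragraph says the high DP load event is easy to monitor for and alert on. The following is an added example (not part of the benchmark or of PAN-OS) of the collector-side logic: it scans system log lines for the event and flags hosts where it repeats within a short window, which is the sustained condition the paragraph associates with volumetric attacks. The sample log lines are constructed; the page does not give the exact message text PAN-OS writes, so the match pattern, the timestamp layout and the field order are assumptions to adapt to the real event as it arrives from your firewall.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample system-log lines (not real PAN-OS output). The message
# wording and layout are assumptions; only the idea that a system log entry is
# written at 100% packet-processing load comes from the benchmark text.
SAMPLE_LOGS = [
    "2024-03-01T10:00:00 fw01 SYSTEM general high-dp-load: packet processing load reached 100%",
    "2024-03-01T10:00:30 fw01 SYSTEM general commit: configuration committed by admin",
    "2024-03-01T10:01:00 fw01 SYSTEM general high-dp-load: packet processing load reached 100%",
    "2024-03-01T10:02:00 fw01 SYSTEM general high-dp-load: packet processing load reached 100%",
    "2024-03-01T11:00:00 fw02 SYSTEM general high-dp-load: packet processing load reached 100%",
    "2024-03-01T11:05:00 fw02 SYSTEM auth login: user admin logged in from 10.0.0.5",
    "this line is malformed and is skipped",
]

# Assumed line layout: ISO timestamp, hostname, then the free-text message.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})\s+(?P<host>\S+)\s+(?P<msg>.*)$"
)
# Assumed wording of the high DP load event; adjust to the real message text.
HIGH_DP_RE = re.compile(
    r"high[\s-]?dp[\s-]?load|packet processing load reached 100%", re.IGNORECASE
)


def parse_line(line):
    """Split one log line into timestamp, host and message; None if malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m.group("ts")),
        "host": m.group("host"),
        "msg": m.group("msg"),
    }


def find_high_dp_load_events(lines):
    """Return the parsed records whose message matches the high DP load event."""
    events = []
    for line in lines:
        rec = parse_line(line)
        if rec and HIGH_DP_RE.search(rec["msg"]):
            events.append(rec)
    return events


def sustained_load_hosts(events, window_minutes=5, min_events=3):
    """Hosts that logged at least min_events high-load events inside any
    window of window_minutes (sliding window over the sorted timestamps)."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e["ts"])
    window = timedelta(minutes=window_minutes)
    flagged = []
    for host, stamps in by_host.items():
        stamps.sort()
        j = 0
        for i in range(len(stamps)):
            # Advance the right edge while it stays within the window of stamps[i].
            while j < len(stamps) and stamps[j] - stamps[i] <= window:
                j += 1
            if j - i >= min_events:
                flagged.append(host)
                break
    return sorted(flagged)


if __name__ == "__main__":
    events = find_high_dp_load_events(SAMPLE_LOGS)
    for e in events:
        print(f"{e['ts'].isoformat()} {e['host']}: {e['msg']}")
    print("sustained high DP load on:", sustained_load_hosts(events))
```

A single event is worth a ticket; the sliding window is what separates a one-off spike from the sustained load the Impact text describes. In practice the window and count are tuned per platform, and the same records can also feed an NMS watermark if one exists.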

Solution

Navigate to Device > Setup > Management > Logging and Reporting Settings > Log Export and Reporting.
Check the 'Enable Log on High DP Load' box.

Default Value:

Not enabled

See Also

https://workbench.cisecurity.org/benchmarks/13792

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-1, 800-53|AU-2, CSCv7|6.2

Plugin: Palo_Alto

Control ID: cec16f8e0fcf2045980d767027fabaa9183f4524e8fee3e5310f39792d4db206