Use the CLI to End a Single Attacking Session
To mitigate a single-session DoS attack, you would still Configure DoS Protection Against Flooding of New Sessions in advance. At some point after you configure the feature, a session might be established before you realize a DoS attack (from the IP address of that session) is underway. When you see a single-session DoS attack, perform the following task to end the session, so that subsequent connection attempts from that IP address trigger the DoS protection against flooding of new sessions.
Identify the source IP address that is causing the attack. For example, use the firewall Packet Capture feature with a destination filter to collect a sample of the traffic going to the destination IP address. Alternatively, in PAN-OS 7.0 and later, you can use ACC to filter on destination address to view the activity to the target host being attacked.
Create a DoS Protection policy rule that will block the attacker’s IP address after the attack thresholds are exceeded.
Create a Security policy rule to deny the source IP address and its attack traffic.
End any existing attacks from the attacking source IP address by executing the clear session all filter source <ip-address> operational command. Alternatively, if you know the session ID, you can execute the clear session id <value> command to end that session only. If you use the clear session all filter source <ip-address> command, all sessions matching the source IP address are discarded, which can include both good and bad sessions.
After you end the existing attack session, any subsequent attempts to form an attack session are blocked by the Security policy. The DoS Protection policy counts all connection attempts toward the thresholds. When the Max Rate threshold is exceeded, the source IP address is blocked for the Block Duration, as described in Sequence of Events as Firewall Quarantines an IP Address.
