Palo Alto Networks Knowledgebase: PAN-OS 7.1 New 'session end' reasons

Created On 09/25/18 17:39 PM - Last Updated 07/18/19 20:11 PM
Resolution

The existing session end reason feature is enhanced with new reasons so that the administrator can determine the reason for SSL session terminations during SSL decryption. SSL session end reason information will be visible and usable in traffic log queries through all available interfaces. The session end reason will also be exportable through all means available on the Palo Alto Networks firewall.

The full list of session end reasons, in order of precedence (when more than one reason applies to a session, the one listed first is logged). The three decrypt-* reasons are the new additions.

  • threat
  • policy-deny
  • decrypt-cert-validation
  • decrypt-unsupport-param
  • decrypt-error
  • tcp-rst-from-client
  • tcp-rst-from-server
  • resources-unavailable
  • tcp-fin
  • tcp-reuse
  • decoder
  • aged-out
  • unknown

decrypt-cert-validation

a) All places where certificate errors are handled during decryption.

Related error codes:

  • PAN_SSL_ERROR_INVALID_CERT (-3)
  • PAN_SSL_ERROR_UNTRUSTED_ISSUER (-9)
  • PAN_SSL_ERROR_EXPIRED_CERT (-10)
  • PAN_SSL_ERROR_CLIENT_CERT (-11)
  • PAN_SSL_ERROR_CERT_ON_HSM (-13)

b) Fatal TLS alerts about certificates (see RFC 5246):

  • bad_certificate
  • unsupported_certificate
  • certificate_revoked
  • access_denied
  • no_certificate_RESERVED (only for SSLv3)

c) SSH does not support certificate validation.

decrypt-unsupport-param

a) All places where the protocol version and cipher are checked.

Related error codes:

  • PAN_SSL_ERROR_UNSUPPORTED (-2)
  • PAN_SSL_ERROR_HANDSHAKE_FAILURE (-4)
  • PAN_SSL_ERROR_UNSUPPORTED_VER (-7)
  • PAN_SSL_ERROR_UNSUPPORTED_CIPHER (-12)

b) Fatal TLS alerts about an unsupported version or cipher (see RFC 5246):

  • unsupported_extension
  • unexpected_message (for unexpected record types)
  • handshake_failure

c) All unsupported versions and algorithms for SSH.

Related error codes:

  • PAN_SSH_ERROR_VERSION_FROM_CLIENT_UNSUPPORTED (-30)
  • PAN_SSH_ERROR_VERSION_FROM_SERVER_UNSUPPORTED (-31)
  • PAN_SSH_ERROR_KEX_ALGORITHM_FROM_CLIENT_UNSUPPORTED (-40)
  • PAN_SSH_ERROR_KEX_ALGORITHM_FROM_SERVER_UNSUPPORTED (-41)

decrypt-error

a) All other SSL errors not covered above.

Related error codes:

  • PAN_SSL_ERROR_GENERAL (-1)
  • PAN_SSL_ERROR_UNMATCHED_KEY (-5)
  • PAN_SSL_ERROR_RESUME_SESSION (-6)
  • PAN_SSL_ERROR_NO_RESOURCE (-8)
  • PAN_SSL_ERROR_HSM_REQRESP (-14)
  • PAN_SSL_ERROR_HSM_DOWN (-15)
  • PAN_SSL_ERROR_HSM_OTHER (-16)
  • PAN_SSL_HB_HEARTBLEED_DETECTED (-17)
  • PAN_SSL_ERROR_KEY_EXCHANGE (-18)

b) All other fatal TLS alerts not covered above.

c) All other SSH errors.

Related error codes:

  • PAN_SSH_ERROR_EXPECT_MORE (-10)
  • PAN_SSH_ERROR_MAC_INVALID (-20)
  • PAN_SSH_ERROR_DECRYPTION_FAILURE (-21)
  • PAN_SSH_ERROR_ENCRYPTION_FAILURE (-22)
  • PAN_SSH_ERROR_VERSION_TOO_LONG (-32)
  • PAN_SSH_ERROR_VERSION_MALFORMED (-33)
  • PAN_SSH_ERROR_KEX_UNEXPECTED_MESSAGE (-42)
  • PAN_SSH_ERROR_KEX_PACKET_TOO_LONG (-43)
  • PAN_SSH_ERROR_KEX_METHOD_SPECIFIC (-44)
  • PAN_SSH_ERROR_KEX_TOO_FREQUENT (-45)
  • PAN_SSH_ERROR_BUFFER_FULL (-50)
  • PAN_SSH_ERROR_BUFFER_READ_OUT (-51)
  • PAN_SSH_ERROR_BUFFER_DEST_TOO_SHORT (-52)
  • PAN_SSH_ERROR_BUFFER_BIGNUM_NEGATIVE (-53)
  • PAN_SSH_ERROR_BUFFER_BIGNUM_TOO_SMALL (-54)
  • PAN_SSH_ERROR_BUFFER_BIGNUM_TOO_BIG (-55)
  • PAN_SSH_ERROR_BUFFER_BIGNUM_FAILURE (-56)
  • PAN_SSH_ERROR_RESOURCE_UNAVAILABLE (-60)
  • PAN_SSH_ERROR_INTERNAL (-70)
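The following is an added example, not code from the article or from PAN-OS: it models the mappings above as a lookup from the listed error-code names and fatal TLS alert names to the three decrypt-* reasons, then applies the precedence list to show which single reason ends up in the traffic log when several apply (for instance, a certificate failure followed by a client reset). The event tuple format and function names are assumptions for illustration; the firewall's internal decision logic is not shown on the page.

```python
# Added example, not PAN-OS code: models the article's tables as a lookup from
# SSL/SSH error-code names and fatal TLS alerts to PAN-OS 7.1 session end
# reasons, then applies the precedence list to pick the single logged reason.

# Precedence exactly as listed in the article, highest first.
PRECEDENCE = [
    "threat", "policy-deny", "decrypt-cert-validation", "decrypt-unsupport-param",
    "decrypt-error", "tcp-rst-from-client", "tcp-rst-from-server",
    "resources-unavailable", "tcp-fin", "tcp-reuse", "decoder", "aged-out", "unknown",
]
# Error-code names from the article; any other PAN_SSL_/PAN_SSH_ code is decrypt-error.
CERT_CODES = {"PAN_SSL_ERROR_INVALID_CERT", "PAN_SSL_ERROR_UNTRUSTED_ISSUER",
              "PAN_SSL_ERROR_EXPIRED_CERT", "PAN_SSL_ERROR_CLIENT_CERT",
              "PAN_SSL_ERROR_CERT_ON_HSM"}
PARAM_CODES = {"PAN_SSL_ERROR_UNSUPPORTED", "PAN_SSL_ERROR_HANDSHAKE_FAILURE",
               "PAN_SSL_ERROR_UNSUPPORTED_VER", "PAN_SSL_ERROR_UNSUPPORTED_CIPHER",
               "PAN_SSH_ERROR_VERSION_FROM_CLIENT_UNSUPPORTED",
               "PAN_SSH_ERROR_VERSION_FROM_SERVER_UNSUPPORTED",
               "PAN_SSH_ERROR_KEX_ALGORITHM_FROM_CLIENT_UNSUPPORTED",
               "PAN_SSH_ERROR_KEX_ALGORITHM_FROM_SERVER_UNSUPPORTED"}
# Fatal TLS alert descriptions (RFC 5246 names) from the article; other fatal alerts are decrypt-error.
CERT_ALERTS = {"bad_certificate", "unsupported_certificate", "certificate_revoked",
               "access_denied", "no_certificate_RESERVED"}
PARAM_ALERTS = {"unsupported_extension", "unexpected_message", "handshake_failure"}


def decrypt_reason(kind, value):
    """Classify one event: kind 'error' takes a PAN_SSL_/PAN_SSH_ error-code name,
    kind 'alert' takes a fatal TLS alert description."""
    cert, param = (CERT_CODES, PARAM_CODES) if kind == "error" else (CERT_ALERTS, PARAM_ALERTS)
    if value in cert:
        return "decrypt-cert-validation"
    if value in param:
        return "decrypt-unsupport-param"
    return "decrypt-error"  # the article's "all other" errors and fatal alerts


def session_end_reason(events):
    """events: (kind, value) pairs; kind 'end' carries a reason already in PAN-OS
    vocabulary (e.g. 'tcp-rst-from-client'). Returns the one reason the traffic
    log shows: the highest-precedence candidate, or 'unknown' if there is none."""
    candidates = []
    for kind, value in events:
        if kind in ("error", "alert"):
            candidates.append(decrypt_reason(kind, value))
        elif kind == "end" and value in PRECEDENCE:
            candidates.append(value)
    return min(candidates, key=PRECEDENCE.index) if candidates else "unknown"
```

For a constructed session that hits PAN_SSL_ERROR_UNTRUSTED_ISSUER and is then reset by the client, session_end_reason returns decrypt-cert-validation rather than tcp-rst-from-client, which is the behaviour to expect when querying traffic logs for decryption failures.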
