Palo Alto Networks Firewall Session Overview
On a Palo Alto Networks firewall, a session is defined by two uni-directional flows each uniquely identified by a 6-tuple key: source-address, destination-address, source-port, destination-port, protocol, and security-zone.
Besides the six attributes that identify a session, each session has a few more notable identifiers:
- End hosts - The source IP and destination IP, which will be marked as client (source IP) and server (destination IP)
- Flow direction - Since each session is made up of two uni-directional flows, each flow must be properly identified. Palo Alto Networks firewalls will identify the first flow as client-to-server (c2s) and the returning flow as server-to-client (s2c).
Show Session command
To view any information related to sessions, the user can use the > show session command followed by the desired option:
- > show session all will show all current sessions that are processed by the firewall at the time when the command is entered.
Note: There is a limit in the number of sessions that can be shown with the > show session all command. The limit is based on the byte size of the session which cannot be changed.
Please refer to the following document for more information: Can the Whole Session Log be Exported?
- > show session id [ID] will show detailed information on a session based on the entered session ID
- > show session info will display the general configuration on the firewall regarding session management and their current statistics
- > show session meter will display the maximum number of sessions for each VSYS on firewalls with Multiple Virtual System capability
Below is an example output from the > show session id command:
In the screenshot below, identify some of the important details of a session:
- Session ID - In the example, the session ID is 524342
- c2s flow and s2c flow - Identifies flow of traffic from Client to Server (c2s) and from Server to Client (s2c).
- Source and dst (destination) address with zone - Identifies the source and dst addresses for each flow of the session. In the above example, the dst IP in s2c flow does not match the source IP in c2s flow due to a dynamic-ip-and-port source NAT.
- Source (sport) and destination port (dport) - Identifies source and destination ports for each flow of the session. In the example, the c2s and s2c flows show different ports due to the configured NAT policy.
- src user and dst user - If User-ID is configured on the firewall, the users would be identified if available.
- state - The state of the session. The states are defined below, in the following section.
- type - There are 2 types of sessions: FLOW and PREDICT. The session types are defined below, in the following section.
Session types, states and flags
On Palo Alto Networks firewalls there are two types of sessions:
- Flow - Regular type of session where the flow is the same between c2s and s2c (ex. HTTP, Telnet, SSH).
- Predict - This type is applied to sessions that are created when Layer7 Application Layer Gateway (ALG) is required. The application has been identified and there is a need for a new session to be allowed on the firewall without any additional security rule (ex. FTP active/passive, voice protocols h323/sip etc). These sessions may be created with a 0 as source/destination IP/port, since that information may not be known yet. Packets that match the Predict sessions will then change to a normal FLOW session.
In order to have a granular view of the Predict (PRED) sessions on the firewall, use the > show session all filter type predict command. The command will display only the predict sessions that are currently active on the firewall. This command might not show many predict sessions on the firewall because each predict session will become a FLOW session once it is matched by a single packet. Therefore, the command will show only the predict sessions that are currently pending to be matched by packets.
Note: Each application's predict session has its own timeout setting.
The following example shows the output of a PREDICT session created for FTP Active mode:
The screenshot above shows the number of packets as 0 for both directions and that the predict session has been triggered by the client.
Each session will be in a certain state at any given time. There are three states, known as the Stable states, that will appear most often in the session table:
- INIT - Every session begins, by default, in INIT state. A session in the INIT state is part of the free pool and can be used at any time. The session may have been used previously, but has now been returned to the free pool.
- ACTIVE - Any session that matches a particular traffic flow, and has been processed for inspection and forwarding.
- DISCARD - Traffic that has been matched by a session but is denied due to a security policy or threat detection.
The other states of a session in the Palo Alto Networks firewall are: Opening, Closing, Closed and Free. These states are called Transient. Sessions in Transient states are difficult to see as they make the transition to one of the Stable states very quickly.
Under normal conditions, each session will go through the following transition cycle: Init > Opening > Active > Discard/Closing > Closed > Free. From the Free state, the session will move back to the initial session state (INIT) to start the next cycle. The following state transition represents the session life cycle:
The most important state in the life cycle is the Active state. From Active state, the session will transition to either the Discard or Closing state based on the following conditions:
- If the session timeout has been reached, the session will time out and transition to Closing. Session timeout is described in the following section.
- If the traffic has been denied due to a security rule or a threat has been detected (with the action set to drop), the session will transition to Discard.
In the output of > show session all each session can be identified by a flag value. The meaning of each session flag value is described below:
- NS - There has been Source NAT applied on the session
- ND - There has been Destination NAT applied on the session
- NB - Both Source and Destination NAT have been applied on the session
- No flag - There is no NAT applied on the session.
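The relationship between the two flows and the NAT flags, as an added example (not Palo Alto Networks code): it parses a constructed, simplified excerpt in the style of > show session id output and infers which flag would apply by checking whether the s2c flow mirrors the c2s flow, as described for the source and destination fields above. The sample addresses, ports and zone names, and the function names parse_flows and nat_flag, are assumptions made for illustration.

```python
import re

# Constructed sample, simplified from the layout of `show session id` output;
# the addresses, ports and zone names are invented for illustration.
SAMPLE = """\
Session          524342

        c2s flow:
                source:      192.168.10.25 [trust]
                dst:         198.51.100.7
                proto:       6
                sport:       49712           dport:      443
                state:       ACTIVE          type:       FLOW

        s2c flow:
                source:      198.51.100.7 [untrust]
                dst:         203.0.113.4
                proto:       6
                sport:       443             dport:      31544
                state:       ACTIVE          type:       FLOW
"""

FIELD = re.compile(r"(source|dst|proto|sport|dport|state|type):\s+(\S+)(?:\s+\[([^\]]+)\])?")

def parse_flows(text):
    """Return {'c2s': {...}, 's2c': {...}} holding the fields of each flow."""
    flows, current = {}, None
    for line in text.splitlines():
        header = re.match(r"\s*(c2s|s2c) flow:", line)
        if header:
            current = flows.setdefault(header.group(1), {})
        elif current is not None:
            for key, value, zone in FIELD.findall(line):
                current[key] = value
                if zone:  # the zone is printed in brackets after the source
                    current["zone"] = zone
    return flows

def nat_flag(flows):
    """Infer NS / ND / NB / '' from whether s2c is the mirror image of c2s."""
    c2s, s2c = flows["c2s"], flows["s2c"]
    # Source NAT: replies are addressed to something other than the client.
    src_nat = (s2c["dst"], s2c["dport"]) != (c2s["source"], c2s["sport"])
    # Destination NAT: replies come from something other than the c2s dst.
    dst_nat = (s2c["source"], s2c["sport"]) != (c2s["dst"], c2s["dport"])
    return {(True, True): "NB", (True, False): "NS",
            (False, True): "ND", (False, False): ""}[(src_nat, dst_nat)]
```

On the constructed sample, the s2c destination differs from the c2s source, so the inferred flag is NS, matching the dynamic-ip-and-port source NAT case described earlier.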
Each session has a defined timeout value which is configurable on the device. There are a few details that can be observed regarding the timer of a session by looking at the output of the > show session id command. The screenshot below shows the output of a DNS session through the firewall:
Three significant details about the session timeout are:
- Timeout - The specific timeout configured for the application.
- Time to live - The time left until the session will expire. In the example, there are 2 seconds left until the session will expire and the session state will change.
- Session in session ager - For each session there is a flow ager, which is an aging process that keeps track of the lifetime of sessions. As long as the session is Active and time to live has not reached 0 sec, the session in session ager will be marked as True.
In the following example, see the output of the same session, but now the session has timed out (due to no traffic matching the session):
Now see that the session state is Closed and also the session in session ager has turned to False.
Session management in HA deployment
In deployments where High Availability is being used, certain active sessions that are not created on the local firewall, but on the peer device, must be synchronized between peers. With these sessions synchronized between peers, the active sessions will not be lost in case of fail-over and the traffic flow will continue on the other device (Active in case of Active/Passive deployment). For details about deployment scenarios involving HA, please consult the HA section of the Admin Guide.
The user can tell if a session has not been created on the local firewall by looking at the session synced from HA peer field in the > show session id output. A session created locally on the firewall will have the False value and one created on the peer device and synchronized to the local firewall will have the True value.
The > show session id command displays other information regarding the traffic flow through the firewall. While much of the additional information is for advanced troubleshooting by Palo Alto Networks support representatives, here are three attributes that may be useful for self-troubleshooting:
- Session to be logged at the end - When configuring the security rules there are 2 options for rule logging: at the end (True) or at the start (False) of the session.
In this example (see the above screenshot), the configuration has specified that the rule should be logged at the end.
- Offload yes - Marks the traffic for which the application has already been identified and which will be processed in hardware.
- Layer7 processing - If enabled, then App-ID has been enabled on the traffic flow and the application is constantly identified. If Layer7 processing is set to complete, then the application has been identified.