
In this week's discussion, user 'jprovine' asked why, after creating an Anti-Spyware profile that sets the action "drop-all-packets" for a particular spyware signature, the traffic log still showed an allow entry for the session. See the example screenshot below:

The allow action shows up because Palo Alto Networks firewalls record traffic actions and threat actions in separate logs. Before the threat engine can inspect anything, a session has to exist. In this case the session starts with an outgoing UDP packet, which is matched against the security policy to decide whether the traffic is permitted at all.
Once the security policy permits it, the firewall creates a new session and forwards the UDP packet. That is what generates the allow entry in the traffic log.
Only when the payload of a packet inside that session is identified as malicious does the threat engine act: it drops the packet without forwarding the malicious payload, and that drop-all-packets action is written to the threat log.
Two log entries are created:
- A traffic log entry indicating the original session was allowed through the firewall, because it matched a security policy that permits it.
- A threat log entry indicating that action was taken to stop the malicious payload from passing the firewall.
Both entries carry the same session ID, so the session ID is what to pivot on when checking whether a session the traffic log shows as allowed actually had its payload dropped. Later PAN-OS releases also record a session end reason in the traffic log, which reads threat when the threat engine ended the session.
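The correlation described above, as an added example that is not part of the original post or of any Palo Alto Networks tooling: it joins a traffic log and a threat log on session ID and derives the real outcome of each session. The log lines, column names, rule names and signature names are constructed for illustration and are not the PAN-OS CSV export schema; the set of blocking actions is a generalisation beyond the single drop-all-packets action the question is about.

```python
import csv
import io
from collections import defaultdict

# Constructed sample logs. Column names are illustrative; they are NOT the
# PAN-OS CSV export schema, which carries many more fields.
TRAFFIC_LOG_CSV = """\
receive_time,session_id,src,dst,proto,dport,rule,action
2013-01-10 10:00:01,1001,192.0.2.10,198.51.100.5,udp,53,allow-dns,allow
2013-01-10 10:00:05,1002,192.0.2.11,198.51.100.7,tcp,80,allow-web,allow
2013-01-10 10:00:09,1003,192.0.2.12,203.0.113.9,udp,6667,deny-all,deny
"""

THREAT_LOG_CSV = """\
receive_time,session_id,threat_name,category,severity,action
2013-01-10 10:00:01,1001,example-spyware-beacon,spyware,high,drop-all-packets
2013-01-10 10:00:05,1002,example-suspicious-agent,spyware,low,alert
"""

# Threat-log actions that stop the payload. "drop-all-packets" is the action the
# post configures; the others are included so the same check generalises
# (assumed set, not taken from the post).
BLOCKING_ACTIONS = {
    "drop-all-packets", "drop", "reset-client", "reset-server",
    "reset-both", "block-ip",
}


def load_rows(csv_text):
    """Parse one log export into a list of dicts keyed by the header row."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def correlate(traffic_csv, threat_csv):
    """Join traffic and threat entries on session ID and derive the real outcome.

    Returns {session_id: {"policy_action", "rule", "threat_actions", "verdict"}}
    where verdict is one of:
      "denied"  - security policy never let the session start
      "blocked" - policy allowed the session, threat engine dropped the payload
      "alerted" - policy allowed it, a signature fired but only logged
      "allowed" - policy allowed it and no signature fired
    """
    threats_by_session = defaultdict(list)
    for row in load_rows(threat_csv):
        threats_by_session[row["session_id"]].append(row)

    outcome = {}
    for t in load_rows(traffic_csv):
        sid = t["session_id"]
        threat_actions = [r["action"] for r in threats_by_session.get(sid, [])]
        if t["action"] != "allow":
            verdict = "denied"
        elif any(a in BLOCKING_ACTIONS for a in threat_actions):
            # The traffic log still says "allow": the policy match is what it
            # records. Only the threat log shows that the payload was dropped.
            verdict = "blocked"
        elif threat_actions:
            verdict = "alerted"
        else:
            verdict = "allowed"
        outcome[sid] = {
            "policy_action": t["action"],
            "rule": t["rule"],
            "threat_actions": threat_actions,
            "verdict": verdict,
        }
    return outcome


def describe(outcome):
    """One line per session, e.g. for a quick triage report."""
    lines = []
    for sid, o in sorted(outcome.items()):
        lines.append(
            f"session {sid}: traffic log '{o['policy_action']}' (rule {o['rule']}), "
            f"threat log {o['threat_actions'] or 'none'} -> {o['verdict']}"
        )
    return lines


if __name__ == "__main__":
    for line in describe(correlate(TRAFFIC_LOG_CSV, THREAT_LOG_CSV)):
        print(line)
```

Session 1001 is the case from the question: the traffic log reports allow because the security policy matched, while the threat log reports drop-all-packets, so the derived verdict is blocked. Reading the traffic log alone would have called it a successful beacon.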
To view the discussion, reference the following link: Drop All Packets
All comments or suggestions are encouraged.
Thanks for reading,
Tom Piens