Palo Alto Networks Knowledgebase: QoS not Applied on Predict Type Sessions

Created On 02/08/19 00:02 AM - Last Updated 02/08/19 00:02 AM

Issue

Predict type sessions, which are created by the firewall based on application behavior, do not list a QoS class.

Cause

The Palo Alto Networks firewall has the capability to create predict sessions, which are intended to match traffic not explicitly allowed by security policy. One example of this functionality is active FTP traffic. When the FTP control channel passes a command that opens a second session for the data channel, the firewall creates a predict session to allow that traffic even though the security policy does not explicitly allow it. Other applications such as SIP, bittorrent, and tftp also use this mechanism to open sessions based on application traffic behavior.

When the first, or parent, session matches a QoS policy defined on the firewall, that session has its QoS class updated correctly and shows the QoS rule that matched the traffic.

Session              53
        c2s flow:
                source:      192.168.243.3 [Zone2]
                dst:         192.168.143.33
                proto:       6
                sport:       58363           dport:      21
                state:       ACTIVE          type:       FLOW
                src user:    unknown
                dst user:    unknown
                qos node:    ethernet1/3, qos member N/A Qid 0
        s2c flow:
                source:      192.168.143.33 [Zone1]
                dst:         192.168.243.3
                proto:       6
                sport:       21              dport:      58363
                state:       ACTIVE          type:       FLOW
                src user:    unknown
                dst user:    unknown
                qos node:    ethernet1/4, qos member N/A Qid 0
        start time                    : Thu May 30 16:18:59 2013
        timeout                       : 1800 sec
        time to live                  : 1798 sec
        total byte count(c2s)         : 839
        total byte count(s2c)         : 819
        layer7 packet count(c2s)      : 12
        layer7 packet count(s2c)      : 8
        vsys                          : vsys1
        application                   : ftp
        rule                          : Replay
        session to be logged at end   : True
        session in session ager       : True
        session synced from HA peer   : False
        layer7 processing             : enabled
        URL filtering enabled         : False
        session via syn-cookies       : False
        session terminated on host    : False
        session traverses tunnel      : False
        captive portal session        : False
        ingress interface             : ethernet1/4
        egress interface              : ethernet1/3
        session QoS rule              : FTP (class 5)

When the application traffic on the first session requires that a second session be opened, a predict session is created. This "PRED" type session does not contain a QoS class or a QoS rule match.

Session              54
        c2s flow:
                source:      192.168.243.3 [Zone2]
                dst:         192.168.143.33
                proto:       6
                sport:       0               dport:      3724
                state:       ACTIVE          type:       PRED
                src user:    unknown
                dst user:    unknown
                qos node:    ethernet1/3, qos member N/A Qid 0
        s2c flow:
                source:      192.168.143.33 [Zone1]
                dst:         192.168.243.3
                proto:       6
                sport:       3724            dport:      0
                state:       OPENING         type:       PRED
                src user:    unknown
                dst user:    unknown
                qos node:    ethernet1/4, qos member N/A Qid 0
        start time                    : Thu May 30 16:19:01 2013
        timeout                       : 60 sec
        time to live                  : 9 sec
        total byte count(c2s)         : 0
        total byte count(s2c)         : 0
        layer7 packet count(c2s)      : 0
        layer7 packet count(s2c)      : 0
        vsys                          : vsys1
        application                   : ftp-data
        rule                          :
        session to be logged at end   : False
        session in session ager       : True
        session synced from HA peer   : False
        prediction triggered by       : server
        prediction matched once       : True

The predict session created from the traffic seen on the parent session does not have a QoS rule applied until it has been converted to an active session, which happens when the firewall receives traffic matching the prediction.

Session              55
        c2s flow:
                source:      192.168.243.3 [Zone2]
                dst:         192.168.143.33
                proto:       6
                sport:       46534           dport:      3724
                state:       ACTIVE          type:       FLOW
                src user:    unknown
                dst user:    unknown
                qos node:    ethernet1/3, qos member N/A Qid 0
        s2c flow:
                source:      192.168.143.33 [Zone1]
                dst:         192.168.243.3
                proto:       6
                sport:       3724            dport:      46534
                state:       ACTIVE          type:       FLOW
                src user:    unknown
                dst user:    unknown
                qos node:    ethernet1/4, qos member N/A Qid 0
        start time                    : Thu May 30 16:21:13 2013
        timeout                       : 30 sec
        time to live                  : 27 sec
        total byte count(c2s)         : 272
        total byte count(s2c)         : 1713
        layer7 packet count(c2s)      : 4
        layer7 packet count(s2c)      : 4
        vsys                          : vsys1
        application                   : ftp-data
        rule                          : Replay
        session to be logged at end   : True
        session in session ager       : True
        session synced from HA peer   : False
        layer7 processing             : enabled
        URL filtering enabled         : False
        session via prediction        : True
        use parent's policy           : True
        parent session                : 53
        refresh parent session        : True
        session via syn-cookies       : False
        session terminated on host    : False
        session traverses tunnel      : False
        captive portal session        : False
        ingress interface             : ethernet1/4
        egress interface              : ethernet1/3
        session QoS rule              : FTP (class 5)

Resolution

A predict type session not including a QoS class is expected behavior. Once the session is converted from a predict session to an active session, the parent's QoS policy is applied to it, as the "use parent's policy" and "parent session" fields of session 55 show.
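To tell an expected missing QoS class on a PRED session apart from a genuine QoS policy gap, the session dumps above can be checked mechanically. The following is an added example, not Palo Alto Networks code: it assumes the field layout of the "show session id" output shown in this article, and the abbreviated dump embedded in it is constructed from sessions 53, 54 and 55 above.

```python
import re

# Constructed, abbreviated `show session id` dump: parent FTP control session
# 53 (FLOW), its predict session 54 (PRED), converted ftp-data session 55 (FLOW).
SAMPLE = """Session              53
                state:       ACTIVE          type:       FLOW
        rule                          : Replay
        session QoS rule              : FTP (class 5)
Session              54
                state:       ACTIVE          type:       PRED
        rule                          :
Session              55
                state:       ACTIVE          type:       FLOW
        rule                          : Replay
        session via prediction        : True
        parent session                : 53
        session QoS rule              : FTP (class 5)
"""

def parse_sessions(text):
    """Map session id -> {field: value}; 'type' is read from the c2s flow line."""
    sessions, cur = {}, None
    for line in (l.strip() for l in text.splitlines()):
        m = re.match(r"Session\s+(\d+)$", line)
        if m:
            cur = sessions.setdefault(int(m.group(1)), {})
        elif cur is not None and ":" in line:
            t = re.search(r"\btype:\s+(\w+)", line)
            if t:
                cur.setdefault("type", t.group(1))  # first flow line wins
            else:
                key, _, value = line.partition(":")
                cur[key.strip()] = value.strip()
    return sessions

def qos_status(sessions, sid):
    """Classify why session `sid` does or does not carry a QoS rule."""
    s = sessions[sid]
    qos = s.get("session QoS rule", "")
    if s.get("type") == "PRED":
        # Expected: no rule or QoS match until the predict session is converted.
        return "expected-no-qos" if not qos else "unexpected-qos"
    if s.get("session via prediction") == "True":
        # A converted predict session should carry its parent's QoS rule.
        parent = sessions.get(int(s.get("parent session") or 0), {})
        return "inherited" if qos and qos == parent.get("session QoS rule") else "mismatch"
    return "matched" if qos else "no-qos"

def audit(text):
    sessions = parse_sessions(text)
    return {sid: qos_status(sessions, sid) for sid in sessions}
```

Only "no-qos" on a plain FLOW session, or "mismatch" on a converted predict session, points at a QoS policy problem rather than the expected behavior described in this article.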

owner: kfindlen

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClXzCAK&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail