When Do Session Start Logs Show Up in the Traffic Logs?
Created On 09/25/18 19:48 PM - Last Modified 06/07/23 06:48 AM


Resolution


Details

Session start logs are generated on the first data packet, not immediately after the three-way handshake. For example, if the security policy logs at session start only and the client and server complete the three-way handshake but send no data, the session will exist on the Palo Alto Networks firewall, but the traffic logs will have no corresponding entry. Some data must be pushed through the connection before the session start log appears.


The following are four tested scenarios:


Scenario 1

Policy set for logging at session start only

Telnet to a destination host on a high port (13050 in this test) and establish only the three-way handshake; do not pass any data through the established telnet session.

  1. Check for the established session on the firewall. (The user will see a session with dport 13050 as active, and only 3 packets have been seen at that point.)
  2. Check Monitor > Logs > Traffic. (The user will not find any log for that session, because no data has been passed yet.)


Scenario 2

Policy set for logging at session start only

Telnet to a destination host on a high port (13050) and PASS data packets through that session.

  1. Check for the session on the firewall. (The user will see a session with dport 13050 as active, and more than three packets have been seen at that point.)
  2. There is no traffic log for the handshake alone; the moment data passes, a session start log is created.


Scenario 3

Policy set for logging at session start and session end

Telnet to a destination host on a high port (13050) and establish only the three-way handshake; do not pass any data through the established telnet session.

  1. Check for the established session on the firewall. (The user will see a session with dport 13050 as active, and only 3 packets have been seen at that point.)
  2. Check Monitor > Logs > Traffic. (The user will not find any log for that session, because no data has been passed yet.)
  3. Pass some characters/packets through that session, then let it time out or kill the telnet session. The user will now see both a 'start' log and an 'end' log.

Scenario 4

Policy set for logging at session end only

Telnet to a destination host on a high port (13050) and establish only the three-way handshake; do not pass any data through the established telnet session.

  1. Check for the session on the firewall. (The user will see a session with dport 13050 as active, and, as expected, only 3 packets have been seen at that point.)
  2. Kill the session (Ctrl+C). A traffic log for the session with TYPE=END can now be seen, even though no data was ever passed.
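To make the four scenarios concrete, here is a small Python model, added to this article and not PAN-OS code, of the logging rule stated above: a start log fires on the first payload-carrying packet, never on the handshake, and an end log fires at teardown when the policy logs at session end. The Packet, Policy and Session structures and the port 13050 test are assumptions made for the illustration; the model does not reproduce the firewall's real session table, only which log entries each scenario produces.

```python
"""Model of the logging behaviour described in the article: a session start
log is written on the first data packet, not on the three-way handshake, and
a session end log is written when the session closes.

Added, simplified model; not PAN-OS code. The Packet, Policy and Session
structures are assumptions made for the illustration.
"""
from dataclasses import dataclass, field

DPORT = 13050  # destination port used in the article's tests


@dataclass
class Packet:
    """Assumed minimal packet: TCP flags and number of payload bytes."""
    flags: str
    payload_len: int = 0


@dataclass
class Policy:
    """Assumed security-policy logging options."""
    log_at_start: bool
    log_at_end: bool


@dataclass
class Session:
    dport: int
    policy: Policy
    packets: int = 0            # packets seen, handshake included
    data_seen: bool = False     # has any packet carried payload yet?
    closed: bool = False
    logs: list = field(default_factory=list)  # traffic log entries, in order

    def handle(self, pkt: Packet) -> None:
        """Process one packet; emit the start log only on the first payload."""
        if self.closed:
            raise RuntimeError("packet on a closed session")
        self.packets += 1
        if pkt.payload_len > 0 and not self.data_seen:
            self.data_seen = True
            if self.policy.log_at_start:
                self.logs.append(("start", self.dport))

    def close(self) -> None:
        """Session teardown (FIN/RST, Ctrl+C or timeout); emit end log if enabled."""
        if self.closed:
            return
        self.closed = True
        if self.policy.log_at_end:
            self.logs.append(("end", self.dport))


# Constructed three-way handshake: three packets, no payload.
HANDSHAKE = [Packet("SYN"), Packet("SYN-ACK"), Packet("ACK")]


def run_scenario(policy: Policy, send_data: bool, close: bool) -> Session:
    """Open a session, optionally pass data, optionally tear it down."""
    s = Session(DPORT, policy)
    for p in HANDSHAKE:
        s.handle(p)
    if send_data:
        s.handle(Packet("PSH-ACK", payload_len=5))  # a few typed characters
    if close:
        s.close()
    return s


def scenario_logs() -> dict:
    """Replay the article's four scenarios and return the resulting sessions."""
    start_only = Policy(log_at_start=True, log_at_end=False)
    start_end = Policy(log_at_start=True, log_at_end=True)
    end_only = Policy(log_at_start=False, log_at_end=True)
    return {
        # 1: start-only policy, handshake only -> session exists, no log
        "scenario1": run_scenario(start_only, send_data=False, close=False),
        # 2: start-only policy, data passed -> start log on first data packet
        "scenario2": run_scenario(start_only, send_data=True, close=False),
        # 3a: start+end policy, handshake only -> no log yet
        "scenario3_before_data": run_scenario(start_end, send_data=False, close=False),
        # 3b: start+end policy, data passed then session killed -> start and end
        "scenario3_after_data": run_scenario(start_end, send_data=True, close=True),
        # 4: end-only policy, handshake only then killed -> end log only
        "scenario4": run_scenario(end_only, send_data=False, close=True),
    }


if __name__ == "__main__":
    for name, sess in scenario_logs().items():
        kinds = [kind for kind, _ in sess.logs] or ["(no log)"]
        print(f"{name:24s} packets={sess.packets} logs={kinds}")
```

Running the script prints one line per scenario; the practical takeaway for anyone correlating logs with the session table is that a session with exactly 3 packets and no traffic log is expected under a start-only policy, and that an end-only policy will still record the session at teardown even if no data ever flowed.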


owner: pmak



https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CldwCAC&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail