Palo Alto Networks Knowledgebase: Traffic Logs with Session End Reason as Threat

Traffic Logs with Session End Reason as Threat

Created On 09/26/18 13:44 PM - Last Updated 09/26/18 14:00 PM
Categories:  WildFire

Issue:


Symptoms

Certain traffic logs show the Session End Reason as Threat, although no threat is observed in the Threat Logs or Data Filtering Logs for the source and destination IP pair. The following is a snippet of the traffic log detail of such a log:

[Image: Threat-FileType-1.png - traffic log detail with Session End Reason "threat"]

Diagnosis

The Threat Log in the image depicts the threat as Type: File for SkypeSetupFull.exe, with action Forward. The Threat ID under the Details section is 52060.

Note that threat ID 52060 appears in the screenshot above without any Threat Name. To look it up, run the following command from the CLI:

> show threat id <threatid>

Example:

admin@104B-PA-VM-100> show threat id 52060

Microsoft Portable Executable (PE) file upload or download has been detected.

low
file-blocking

The Threat ID observed is that of a File Type Identification signature. It indicates that a PE file was downloaded or uploaded on the network and triggered this ID. This ID cannot be located in Threat Vault and can only be identified via the CLI.

Solution:


This is expected behavior. It occurs because a File Blocking profile with the actions Alert, Forward, or Continue-Forward is applied to the different file types being downloaded. File type identification signatures have threat IDs associated with them, so a match is recorded in the Threat Log as Type: File and the session end reason is set to Threat.
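As an added triage example (not code from the article or from Palo Alto Networks), the script below correlates traffic log sessions that ended with reason "threat" against threat log entries and separates file type identification hits (Type file, File Blocking action alert/forward/continue) from sessions ended by a real threat verdict. The CSV layout, the join on session ID and all sample lines are constructed assumptions; the only values taken from the article are threat ID 52060 and the file name.

```python
import csv
import io

# Constructed sample logs, not real device output. A header row is used
# because the exact PAN-OS syslog column order is not assumed here.
TRAFFIC_LOG = """\
session_id,src,dst,app,session_end_reason
1001,10.1.1.5,203.0.113.10,web-browsing,threat
1002,10.1.1.6,203.0.113.11,ssl,tcp-fin
1003,10.1.1.7,203.0.113.12,web-browsing,threat
1004,10.1.1.8,203.0.113.13,web-browsing,threat
"""

# threat_id 52060 is the PE file type ID from the article; 99999 is a
# placeholder standing in for any vulnerability signature.
THREAT_LOG = """\
session_id,src,dst,type,threat_id,action,filename
1001,10.1.1.5,203.0.113.10,file,52060,forward,SkypeSetupFull.exe
1003,10.1.1.7,203.0.113.12,vulnerability,99999,reset-both,
"""

# File Blocking profile actions that log a file match without blocking it.
FILE_POLICY_ACTIONS = {"alert", "forward", "continue", "continue-forward"}


def load(text):
    """Parse a CSV log with a header row into a list of dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def classify_threat_sessions(traffic_rows, threat_rows):
    """Return {session_id: verdict} for each traffic row ended by 'threat'."""
    by_session = {}
    for row in threat_rows:
        by_session.setdefault(row["session_id"], []).append(row)
    verdicts = {}
    for row in traffic_rows:
        if row["session_end_reason"] != "threat":
            continue
        matches = by_session.get(row["session_id"], [])
        if not matches:
            verdicts[row["session_id"]] = "no-threat-log-entry"
        elif all(m["type"] == "file" and m["action"] in FILE_POLICY_ACTIONS
                 for m in matches):
            verdicts[row["session_id"]] = "file-type-identification"
        else:
            verdicts[row["session_id"]] = "security-threat"
    return verdicts


if __name__ == "__main__":
    for sid, verdict in classify_threat_sessions(load(TRAFFIC_LOG), load(THREAT_LOG)).items():
        print(sid, verdict)
```

Sessions reported as file-type-identification are the expected File Blocking matches described above; the other two verdicts are the ones worth a closer look.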
