Palo Alto Networks Knowledgebase: Traffic Logs with Session End Reason as Threat

Created On 02/07/19 23:43 PM - Last Updated 02/07/19 23:44 PM
WildFire
Symptoms

Certain traffic logs show the Session End Reason as Threat, although no threat is observed in the Threat Logs or Data Filtering Logs for the source and destination IP pair. The following is a snippet of the traffic log detail of such a log:

[Image: Threat-FileType-1.png, traffic log detail with Session End Reason shown as Threat]

Diagnosis

The Threat Log in the image shows the threat with Type: File for SkypeSetupFull.exe and action Forward. The Threat ID under the Details section is 52060.

Note that the threat ID 52060 in the screenshot above appears without any Threat Name. To identify it, run the following command from the CLI:

> show threat id <threatid>

Example:

admin@104B-PA-VM-100> show threat id 52060

Microsoft Portable Executable (PE) file upload or download has been detected.

low
file-blocking

The Threat ID observed is a File Type Identification ID. It indicates that a PE file was downloaded or uploaded on the network and triggered this signature. File type identification IDs are not listed in Threat Vault and can only be looked up via the CLI.



Resolution

This is expected behavior. It is caused by a File Blocking Profile whose actions are Alert, Forward, or Continue-Forward for the file types being downloaded: file type identification signatures have threat IDs associated with them, so a matching file generates a Threat Log of type File and the session is recorded with Session End Reason as Threat.
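To make the diagnosis above repeatable across many sessions, the following added example (not part of the Palo Alto Networks article) correlates exported traffic logs with threat logs by session ID. It treats a Session End Reason of "threat" as expected when every matching threat log is of subtype "file" with a File Blocking action (alert, forward, continue-forward), flags sessions with other threat subtypes for review, and flags sessions with no matching threat log at all. The CSV field names are a subset of the PAN-OS log fields; the threat-name strings, IP addresses and session IDs in the samples are constructed for illustration.

```python
import csv
import io
import re

# Constructed sample exports (illustrative values, not from the article).
# Field names follow the PAN-OS traffic/threat log schema; the threatid
# field carries the signature name with the numeric ID in trailing parentheses.
TRAFFIC_CSV = """receive_time,type,subtype,src,dst,dport,app,action,session_end_reason,sessionid
2019/02/07 23:40:01,TRAFFIC,end,10.1.1.5,203.0.113.10,443,web-browsing,allow,threat,4711
2019/02/07 23:40:02,TRAFFIC,end,10.1.1.5,203.0.113.11,443,ssl,allow,tcp-fin,4712
2019/02/07 23:40:03,TRAFFIC,end,10.1.1.6,203.0.113.12,80,web-browsing,allow,threat,4713
2019/02/07 23:40:04,TRAFFIC,end,10.1.1.7,203.0.113.13,80,web-browsing,allow,threat,4714
"""

THREAT_CSV = """receive_time,type,subtype,src,dst,dport,app,action,threatid,sessionid
2019/02/07 23:40:01,THREAT,file,10.1.1.5,203.0.113.10,443,web-browsing,forward,Microsoft PE File(52060),4711
2019/02/07 23:40:03,THREAT,vulnerability,10.1.1.6,203.0.113.12,80,web-browsing,reset-both,Example Exploit Signature(30003),4713
"""

# Actions a File Blocking Profile can take that still let the file through.
FILE_BLOCKING_PASS_ACTIONS = {"alert", "forward", "continue-forward"}

# Trailing "(12345)" at the end of the threatid field.
THREAT_ID_RE = re.compile(r"\((\d+)\)\s*$")


def parse_csv(text):
    """Parse a CSV export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def threat_id(field):
    """Extract the numeric signature ID from a threatid field, or None."""
    match = THREAT_ID_RE.search(field)
    return int(match.group(1)) if match else None


def triage(traffic_csv, threat_csv):
    """Return {sessionid: (category, [threat ids])} for every traffic log
    whose session_end_reason is 'threat'.

    category is one of:
      'expected'  - only file-type identification hits with pass-through
                    File Blocking actions; matches the KB article's case
      'review'    - at least one non-file threat signature matched
      'unmatched' - no threat log at all for this session
    """
    threats_by_session = {}
    for row in parse_csv(threat_csv):
        threats_by_session.setdefault(row["sessionid"], []).append(row)

    verdicts = {}
    for row in parse_csv(traffic_csv):
        if row["session_end_reason"] != "threat":
            continue
        sid = row["sessionid"]
        matches = threats_by_session.get(sid, [])
        ids = sorted({threat_id(t["threatid"]) for t in matches} - {None})
        if not matches:
            verdicts[sid] = ("unmatched", ids)
        elif all(t["subtype"] == "file" and t["action"] in FILE_BLOCKING_PASS_ACTIONS
                 for t in matches):
            verdicts[sid] = ("expected", ids)
        else:
            verdicts[sid] = ("review", ids)
    return verdicts


if __name__ == "__main__":
    for sid, (category, ids) in sorted(triage(TRAFFIC_CSV, THREAT_CSV).items()):
        # IDs in the 'expected' bucket can be resolved on the firewall with
        # "show threat id <threatid>", as the article describes.
        print(f"session {sid}: {category} threat ids={ids}")
```

Sessions in the "expected" bucket are the case the article describes; the IDs they carry can be resolved on the firewall with the `show threat id` command shown above. Sessions in the "unmatched" bucket deserve a closer look, since a threat end reason with no threat log at all is not explained by File Blocking.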

Source: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClmzCAC&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail