Palo Alto Networks Knowledgebase: SSH/SSL Packet Count Low for Large Data Transfer
SSH/SSL Packet Count Low for Large Data Transfer
Created On 02/07/19 23:39 PM - Last Updated 02/07/19 23:40 PM
Reporting and Logging
A log event shows 1+ gigabytes transferred, but only 8 packets.
By default, once the Palo Alto Networks firewall identifies an application using the first few initial packets, it uses the Fast Path through the hardware chip to send data. When the firewall uses Fast Path for an SSH or SSL application, it doesn't keep track of the packets because they are encrypted. It counts the bytes, though, which is why there are only 6 or 8 packets for gigabytes of data.
Use the following command to turn off session offload. Every packet will then be sent to the SlowPath and counted.
> set session offload no
Note: Setting no session offload may lower throughput performance by 15% or more. It should always be used with caution and revert back to on when troubleshooting is done.