Traffic log at session start shows a different rule & URL category

Created On 09/26/18 13:55 PM - Last Modified 06/06/23 19:45 PM


Resolution


If traffic logging at session 'start' is enabled, logs will be seen that show an incorrect security rule.

 

For example, a general outbound Trust-to-Untrust security rule that allows any application exists lower in the rule order.

A rule named 'OTS_Allow_Microsoft_Licensing' exists higher in the order and allows only selected URLs.

 

The security rules are scanned from top to bottom.

When traffic is received, the first security rule in the order is matched to allow the traffic while the firewall is still identifying the correct URL and the matching security rule.

The session browser or the CLI will show the correct matching rule.

However, the traffic log at 'session start' (pic) will show a non-matching rule. Keep in mind that the traffic is still not allowed.

The traffic log at 'session end' will show the correct rule which allowed the traffic.
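When reviewing exported traffic logs, the start and end entries of each session can be paired so that only the 'session end' rule is treated as the rule that allowed the traffic. The following is an added example, not part of the original article or vendor code; the record key names, the sample values, and the rule name Trust_to_Untrust_Allow_Any are assumptions, and session IDs are assumed to be unique within the export.

```python
from collections import defaultdict

# Constructed sample records. Key names are assumptions for this example,
# not the firewall's export column names. Trust_to_Untrust_Allow_Any is a
# hypothetical name for the general outbound rule described in the article.
SAMPLE_LOGS = [
    {"session_id": 1001, "subtype": "start",
     "rule": "OTS_Allow_Microsoft_Licensing", "url_category": "any"},
    {"session_id": 1001, "subtype": "end",
     "rule": "Trust_to_Untrust_Allow_Any", "url_category": "news"},
    {"session_id": 1002, "subtype": "start",
     "rule": "OTS_Allow_Microsoft_Licensing",
     "url_category": "computer-and-internet-info"},
    {"session_id": 1002, "subtype": "end",
     "rule": "OTS_Allow_Microsoft_Licensing",
     "url_category": "computer-and-internet-info"},
    # Session still open: only a start entry exists so far.
    {"session_id": 1003, "subtype": "start",
     "rule": "OTS_Allow_Microsoft_Licensing", "url_category": "any"},
]


def reconcile(records):
    """Pair start/end entries per session; the end entry is authoritative."""
    by_session = defaultdict(dict)
    for rec in records:
        by_session[rec["session_id"]][rec["subtype"]] = rec

    result = {}
    for sid, entries in sorted(by_session.items()):
        start, end = entries.get("start"), entries.get("end")
        if end is None:
            # No end log yet: the start rule must not be reported as final.
            status = "unconfirmed"
        elif start is None or (
            (start["rule"], start["url_category"])
            == (end["rule"], end["url_category"])
        ):
            status = "consistent"
        else:
            status = "start_differs"
        result[sid] = {
            "status": status,
            "start_rule": start["rule"] if start else None,
            "effective_rule": end["rule"] if end else None,
        }
    return result


if __name__ == "__main__":
    for sid, info in reconcile(SAMPLE_LOGS).items():
        print(sid, info)
```

Sessions reported as `start_differs` are the ones where a rule-usage report built from start logs would name the wrong rule.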

 

 

traffic-sessionrule.JPG.jpg


