Why do we see zero bytes in the traffic log for an allowed rule?

Created On 09/18/19 21:37 PM - Last Modified 07/16/24 03:00 AM


Question


Why does my traffic log show zero bytes of sent and received data for an allowed rule?

 


Environment


  • PA-5200, PA-5400f, PA-5450 and PA-7000 series Firewalls
  • Supported PAN-OS
  • Dynamic NAT configured


Answer



When Dynamic NAT is configured on 5200 and 7000 series firewalls, the session creation software creates transient sessions to deliver traffic internally between chipsets. These sessions carry 0 bytes of traffic and have a session end reason of unknown. This is confirmed expected behavior: it can be safely ignored and does not indicate dropped traffic.
 


Additional Information


In the traffic logs, you can observe two log entries with the same source port. The first entry shows zero bytes and an end reason of unknown, indicating the transient internal session. The second entry carries the actual traffic, with both sent and received bytes.

Note 1: If connectivity is broken between source and destination through the firewall, this KB is not applicable and the issue needs further troubleshooting.

Note 2: Zero-byte traffic can also be seen for Predict sessions. Refer to Predict session for more details.
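The log pairing described above can be checked mechanically when reviewing exported traffic logs. The following Python is an added example, not part of the original article or any Palo Alto Networks code: it separates zero-byte entries that are followed by a real-traffic entry for the same flow from zero-byte entries that stand alone and fall under Note 1 or Note 2. The record field names, the choice to match on destination as well as source port, and the sample records are all constructed assumptions.

```python
# Added example. Field names and sample records are constructed assumptions,
# not the column names of a real PAN-OS log export.
from collections import defaultdict

def rec(time, src, sport, sent, received, end_reason, dst="203.0.113.5"):
    """Build one constructed traffic-log record (allowed, destination port 443)."""
    return {"time": time, "src": src, "sport": sport, "dst": dst, "dport": 443,
            "action": "allow", "bytes_sent": sent, "bytes_received": received,
            "end_reason": end_reason}

SAMPLE_LOGS = [  # constructed
    rec(1, "10.1.1.10", 51514, 0, 0, "unknown"),        # transient internal session
    rec(2, "10.1.1.10", 51514, 1840, 9216, "tcp-fin"),  # the actual traffic
    rec(3, "10.1.1.20", 40022, 0, 0, "unknown"),        # zero bytes, no second entry
    rec(4, "10.1.1.30", 33100, 620, 4100, "tcp-fin"),   # ordinary session
    rec(5, "10.1.1.40", 45000, 0, 0, "aged-out"),       # zero bytes, other end reason
]

def is_zero_byte_unknown(e):
    """Allowed entry with 0 bytes both ways and end reason 'unknown'."""
    return (e["action"] == "allow" and e["bytes_sent"] == 0
            and e["bytes_received"] == 0 and e["end_reason"] == "unknown")

def classify(logs):
    """Return (transient, unpaired) lists of zero-byte/unknown entries.

    transient: followed by an entry for the same flow with sent and received bytes.
    unpaired:  no such follow-up entry, so the expected-behavior pattern does not
               explain it and it needs a closer look.
    """
    by_flow = defaultdict(list)
    for e in sorted(logs, key=lambda e: e["time"]):
        # Assumption: destination is included in the key to avoid pairing
        # unrelated sessions that happen to reuse a source port.
        by_flow[(e["src"], e["sport"], e["dst"], e["dport"])].append(e)
    transient, unpaired = [], []
    for entries in by_flow.values():
        for i, e in enumerate(entries):
            if not is_zero_byte_unknown(e):
                continue
            paired = any(n["bytes_sent"] > 0 and n["bytes_received"] > 0
                         for n in entries[i + 1:])
            (transient if paired else unpaired).append(e)
    return transient, unpaired

if __name__ == "__main__":
    t, u = classify(SAMPLE_LOGS)
    print("expected transient entries:", [(e["src"], e["sport"]) for e in t])
    print("zero-byte entries to review:", [(e["src"], e["sport"]) for e in u])
```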

