如何检查会话是否已建立以及父会话信息
52221
Created On 04/26/19 09:18 AM - Last Modified 03/26/21 17:39 PM
Objective
如何检查会话是否通过预测建立,以及如何检查父会话信息。
Environment
PAN-OS
Procedure
要获取预测会话列表,您可以运行:
显示会话所有筛选器类型预测
admin@Firewall> show session all filter type predict -------------------------------------------------------------------------------- ID Application State Type Flag Src[Sport]/Zone/Proto (translated IP[Port]) Vsys Dst[Dport]/Zone (translated IP[Port]) -------------------------------------------------------------------------------- 504 ftp-data ACTIVE PRED 10.59.59.132[0]/L3-DMZ/6 (10.59.59.132[0]) vsys1 172.16.59.100[16889]/L3-Inside (172.16.59.100[16889])
会话详细信息将显示父会话:
admin@Firewall> show session id 504
Session 504
c2s flow:
source: 10.59.59.132 [L3-DMZ]
dst: 172.16.59.100
proto: 6
sport: 0 dport: 16889
state: ACTIVE type: PRED
src user: unknown
dst user: unknown
s2c flow:
source: 172.16.59.100 [L3-Inside]
dst: 10.59.59.132
proto: 6
sport: 16889 dport: 0
state: OPENING type: PRED
src user: unknown
dst user: unknown
start time : Fri Apr 26 01:40:38 2019
timeout : 60 sec
time to live : 27 sec
total byte count(c2s) : 0
total byte count(s2c) : 0
layer7 packet count(c2s) : 0
layer7 packet count(s2c) : 0
vsys : vsys1
application : ftp-data
rule :
service timeout override(index) : False
session to be logged at end : False
session in session ager : True
session updated by HA peer : False
parent session : 409
prediction triggered by : client
prediction matched once : True
end-reason : unknown
行"父会话"表示父会话。 现在,您可以使用:
显示会话 <id></id> ID来获取父会话的详细信息
admin@Firewall> show session id 409 Session 409 c2s flow: source: 172.16.59.100 [L3-Inside] dst: 10.59.59.132 proto: 6 sport: 16816 dport: 21 state: ACTIVE type: FLOW src user: unknown dst user: unknown s2c flow: source: 10.59.59.132 [L3-DMZ] dst: 172.16.59.100 proto: 6 sport: 21 dport: 16816 state: ACTIVE type: FLOW src user: unknown dst user: unknown start time : Fri Apr 26 01:32:30 2019 timeout : 1800 sec time to live : 1762 sec total byte count(c2s) : 921 total byte count(s2c) : 783 layer7 packet count(c2s) : 14 layer7 packet count(s2c) : 9 vsys : vsys1 application : ftp rule : Inside-DMZ service timeout override(index) : False session to be logged at end : True session in session ager : True session updated by HA peer : False layer7 processing : enabled ctd version : 2 URL filtering enabled : False session via syn-cookies : False session terminated on host : False session traverses tunnel : False captive portal session : False ingress interface : ethernet1/5 egress interface : ethernet1/4 session QoS rule : N/A (class 4) end-reason : unknown
当数据包到达预测会话时,它转换为正常流会话。
admin@Firewall> show session id 506 Session 506 c2s flow: source: 10.59.59.132 [L3-DMZ] dst: 172.16.59.100 proto: 6 sport: 20 dport: 16889 state: ACTIVE type: FLOW src user: unknown dst user: unknown offload: Yes s2c flow: source: 172.16.59.100 [L3-Inside] dst: 10.59.59.132 proto: 6 sport: 16889 dport: 20 state: ACTIVE type: FLOW src user: unknown dst user: unknown offload: Yes start time : Fri Apr 26 01:41:54 2019 timeout : 15 sec time to live : 1 sec total byte count(c2s) : 22061222 total byte count(s2c) : 513606 layer7 packet count(c2s) : 20465 layer7 packet count(s2c) : 8560 vsys : vsys1 application : ftp-data rule : Inside-DMZ service timeout override(index) : False session to be logged at end : True session in session ager : True session updated by HA peer : False layer7 processing : completed URL filtering enabled : False session via prediction : True use parent's policy : True parent session : 409 refresh parent session : True session via syn-cookies : False session terminated on host : False session traverses tunnel : False captive portal session : False ingress interface : ethernet1/4 egress interface : ethernet1/5 session QoS rule : N/A (class 4) tracker stage firewall : TCP FIN tracker stage l7proc : ctd app has no decoder end-reason : tcp-fin
要了解 FLOW ""会话是否通过预测安装,请检查是否有名为"通过预测进行会话"的行。 如果它被设置为"真实",则这意味着会话通过 PRED 安装。 只有当会话处于状态时,才能看到父会话信息 ACTIVE 。
如果会话移动到 INIT (已关闭),则父会话信息将丢失。
admin@Firewall> show session id 506 Session 506 c2s flow: source: 10.59.59.132 [L3-DMZ] dst: 172.16.59.100 proto: 6 sport: 20 dport: 16889 state: INIT type: FLOW src user: unknown dst user: unknown s2c flow: source: 172.16.59.100 [L3-Inside] dst: 10.59.59.132 proto: 6 sport: 16889 dport: 20 state: INIT type: FLOW src user: unknown dst user: unknown start time : Fri Apr 26 01:41:54 2019 timeout : 15 sec total byte count(c2s) : 22077452 total byte count(s2c) : 513786 layer7 packet count(c2s) : 20481 layer7 packet count(s2c) : 8563 vsys : vsys1 application : ftp-data rule : Inside-DMZ service timeout override(index) : False session to be logged at end : True session in session ager : False session updated by HA peer : False layer7 processing : completed URL filtering enabled : False session via prediction : True use parent's policy : True session via syn-cookies : False session terminated on host : False session traverses tunnel : False captive portal session : False ingress interface : ethernet1/4 egress interface : ethernet1/5 session QoS rule : N/A (class 4) tracker stage firewall : TCP FIN tracker stage l7proc : ctd app has no decoder end-reason : tcp-fin
在上述输出中,您可以看到"父会话"行不可用,但我们仍可以通过预测查看会话是否确实可用。
Additional Information
ALG 有能力的会话不卸载。 要检查应用程序是否可以创建预测会话,请创建应用程序定义 CLI 。 Web 界面不显示此信息。
admin@Firewall# show predefined application ftp
ftp {
category general-internet;
subcategory file-sharing;
technology client-server;
alg yes; <<<<
appident yes;
什么是预测会话? 有关预测会话的更多信息,请参阅以下文章
:Palo Alto 网络 Firewall 会话概述
会话状态和类型