Session end equals Threat but no threat logs.
Created On 04/09/20 18:24 PM - Last Modified 10/15/24 12:55 PM
Symptom
You see in your traffic logs that the session end reason is Threat. You look in your threat logs and see no related logs. Now what?
Environment
PAN-OS, threat, file blocking, URL filtering, security profiles
Cause
The session end reason can show as Threat because the traffic triggered your File Blocking or URL Filtering profile. These profiles have their own separate logs, so the event does not appear in the Threat logs.
Resolution
You can check your Data Filtering or URL Filtering logs to find this traffic.
- Data Filtering logs: Monitor tab > on the left side under logs select Data Filtering
- URL Filtering logs: Monitor tab > on the left side under logs select URL Filtering
You can also check your Unified logs which contain all of these logs.
- Unified logs: Monitor tab > on the left side under logs select Unified
Once identified, if you want to make changes to a profile to allow this traffic:
- In the Data Filtering or URL Filtering logs, identify the policy rule the traffic is hitting.
- Next, go to that specific security rule and look to see which File Blocking or URL Filtering profile is being used in the policy rule.
- Once you know the profile that is being used, you can then go to the profile at Objects tab > Security Profiles > File Blocking or Objects tab > Security Profiles > URL Filtering.
- Then select the name of the File Blocking or URL Filtering profile. There you can check the configuration of the profile which is causing the traffic to be blocked.
- You can then adjust your File Blocking or URL Filtering profile accordingly to allow this traffic.
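The same lookup can be done offline against exported logs. The script below is an added example, not part of the original article or vendor tooling: it matches traffic log rows whose session end reason is Threat against URL Filtering and Data Filtering exports by session ID and reports the rule to inspect. The column names and all sample rows are assumptions constructed for illustration.

```python
import csv
import io

# Constructed sample exports (not real firewall data). Column names are
# assumptions modelled on a CSV log export; adjust them to match your files.
TRAFFIC_CSV = """Session ID,Source address,Destination address,Rule,Session End Reason
1001,10.0.0.5,203.0.113.10,allow-web,threat
1002,10.0.0.6,203.0.113.20,allow-web,tcp-fin
1003,10.0.0.7,203.0.113.30,allow-web,threat
1004,10.0.0.8,203.0.113.40,allow-web,threat
"""
URL_CSV = """Session ID,Rule,Action,URL
1001,allow-web,block-url,example.test/blocked
"""
DATA_CSV = """Session ID,Rule,Action,File Name
1003,allow-web,deny,sample.exe
"""

def index_by_session(text, log_name):
    """Map session ID -> list of (log name, row) for one exported log."""
    index = {}
    for row in csv.DictReader(io.StringIO(text)):
        index.setdefault(row["Session ID"].strip(), []).append((log_name, row))
    return index

def explain_threat_sessions(traffic, url_log, data_log):
    """For each traffic row ending in 'threat', list the logs that explain it."""
    sources = [index_by_session(url_log, "URL Filtering"),
               index_by_session(data_log, "Data Filtering")]
    results = {}
    for row in csv.DictReader(io.StringIO(traffic)):
        if row["Session End Reason"].strip().lower() != "threat":
            continue
        sid = row["Session ID"].strip()
        hits = [hit for src in sources for hit in src.get(sid, [])]
        # Each entry: (log where the block was recorded, rule to inspect)
        results[sid] = [(name, hit["Rule"]) for name, hit in hits]
    return results

if __name__ == "__main__":
    for sid, hits in explain_threat_sessions(TRAFFIC_CSV, URL_CSV, DATA_CSV).items():
        if hits:
            for name, rule in hits:
                print(f"session {sid}: see {name} log, rule '{rule}'")
        else:
            print(f"session {sid}: no match in either export, check Unified logs")
```

Session IDs are reused over time, so export all three logs for the same time window before matching.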