Session set to discard by security policy check
34351
Created On 02/28/19 19:54 PM - Last Modified 03/07/25 14:23 PM
Symptom
- Traffic is dropped by the firewall, but no drop or warn counters appear when you run global counters filtered for the specific source and destination
- Drop pcaps do appear when you take a packet capture for the same source and destination
NOTE:
For how to run global counters filtered for a specific source and destination, refer to the document below
Environment
- PA Firewall Hardware / VM
- Software version : 7.x.x or 8.x.x
Cause
There is an application shift (App-ID changes the identified application mid-session), due to which the App-ID policy lookup is denied
Resolution
- In the global counters you will see the counter "session_discard - Session set to discard by security policy check"
Example:
PA-Lab> show counter global filter packet-filter yes delta yes

Elapsed time since last sampling: 27.462 seconds

name                              value     rate severity  category  aspect    description
--------------------------------------------------------------------------------
pkt_recv                              2        0 info      packet    pktproc   Packets received
pkt_sent                              1        0 info      packet    pktproc   Packets transmitted
session_allocated                     1        0 info      session   resource  Sessions allocated
session_installed                     1        0 info      session   resource  Sessions installed
session_discard                       1        0 info      session   resource  Session set to discard by security policy check   >>>>>>>>>>> Session discarded
flow_host_pkt_xmt                    26        0 info      flow      mgmt      Packets transmitted to control plane
flow_host_vardata_rate_limit_ok      26        0 info      flow      mgmt      Host vardata not sent: rate limit ok
- For the source and destination that have the connectivity issue, check for any sessions and look at the details of that session
Example:
PA-Lab> show session all filter source 192.168.168.168 destination 1.1.1.1
PA-lab> show session id 468169

Session          468169

        c2s flow:
                source:      192.168.168.168 [L3-Trusted]
                dst:         1.1.1.1
                proto:       6
                sport:       63535           dport:      11067
                state:       DISCARD         type:       FLOW
                src user:    fmi\khertzel
                dst user:    unknown

        s2c flow:
                source:      1.1.1.1 [L3-Untrusted]
                dst:         192.168.168.168
                proto:       6
                sport:       11067           dport:      21643
                state:       DISCARD         type:       FLOW
                src user:    unknown
                dst user:    lab\test

        start time                           : Thu Feb 28 10:43:59 2019
        timeout                              : 90 sec
        time to live                         : 83 sec
        total byte count(c2s)                : 1156
        total byte count(s2c)                : 126
        layer7 packet count(c2s)             : 9
        layer7 packet count(s2c)             : 2
        vsys                                 : vsys1
        application                          : mssql-db-base        >>>>>>>>>>>>> Note the application that is identified in this session
        rule                                 : interzone-default
        service timeout override(index)      : False
        session to be logged at end          : False
        session in session ager              : True
        session updated by HA peer           : False
        address/port translation             : source
        nat-rule                             : Outbound-PAT(vsys1)
        layer7 processing                    : enabled
        URL filtering enabled                : True
        URL category                         : any
        session via syn-cookies              : False
        session terminated on host           : False
        session traverses tunnel             : False
        captive portal session               : False
        ingress interface                    : ethernet1/2
        egress interface                     : ethernet1/1
        session QoS rule                     : N/A (class 4)
        tracker stage firewall               : appid policy lookup deny    >>>>>>>>>>>> Note that the appid policy lookup is being denied
        end-reason                           : policy-deny
- Note in the above output that the App-ID policy lookup is being denied
- This indicates that there is an application shift, because of which the session is being discarded
- To find out what the application shift is, create an ANY ANY allow security policy on the firewall for the source and destination IP addresses in question
- Test the connection and check the session details for the same source and destination
Example:
PA-Lab> show session all filter source 192.168.168.168 destination 1.1.1.1
PA-Lab > show session id 717928

Session          717928

        c2s flow:
                source:      192.168.168.168 [L3-Trusted]
                dst:         1.1.1.1
                proto:       6
                sport:       63759           dport:      11067
                state:       INIT            type:       FLOW
                src user:    fmi\khertzel
                dst user:    unknown

        s2c flow:
                source:      1.1.1.1 [L3-Untrusted]
                dst:         192.168.168.168
                proto:       6
                sport:       11067           dport:      7474
                state:       INIT            type:       FLOW
                src user:    unknown
                dst user:    lab\test

        start time                           : Thu Feb 28 11:01:15 2019
        timeout                              : 15 sec
        total byte count(c2s)                : 1452
        total byte count(s2c)                : 4750
        layer7 packet count(c2s)             : 10
        layer7 packet count(s2c)             : 9
        vsys                                 : vsys1
        application                          : mssql-db-encrypted   >>>>> Note the actual application that should be allowed
        rule                                 : MSSQL Test
        service timeout override(index)      : False
        session to be logged at end          : True
        session in session ager              : False
        session updated by HA peer           : False
        address/port translation             : source
        nat-rule                             : Outbound-PAT(vsys1)
        layer7 processing                    : completed
        URL filtering enabled                : True
        URL category                         : any
        session via syn-cookies              : False
        session terminated on host           : False
        session traverses tunnel             : False
        captive portal session               : False
        ingress interface                    : ethernet1/2
        egress interface                     : ethernet1/1
        session QoS rule                     : N/A (class 4)
        tracker stage firewall               : TCP FIN
        tracker stage l7proc                 : ctd decoder bypass
        end-reason                           : tcp-fin
- In the above session output, note that the application is identified as "mssql-db-encrypted", whereas in the previous session details it was "mssql-db-base"
- Create a security policy that allows the correct application (here mssql-db-encrypted); this should resolve the connection issue
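The comparison the steps above perform by eye, as an added example in Python (not part of the KB article or any Palo Alto Networks tool): it parses the attribute lines of a "show session id" dump, flags a session whose firewall tracker stage is "appid policy lookup deny", and compares the application seen in the discarded session with the one seen under the ANY ANY test rule to report which application the new allow rule must permit. The two sample dumps are constructed from the values shown in this article and trimmed to the fields the check needs; the function names are this example's own.

```python
"""Spot an App-ID shift from two PAN-OS 'show session id' dumps.

Added example, not from the KB article or Palo Alto Networks. The two
sample session dumps are constructed from the values in the article and
trimmed to the fields the check needs.
"""
import re

# Constructed sample: the session discarded by the interzone-default rule.
DISCARD_SESSION = """\
Session          468169
        c2s flow:
                source:      192.168.168.168 [L3-Trusted]
                dst:         1.1.1.1
                proto:       6
                sport:       63535           dport:      11067
                state:       DISCARD         type:       FLOW
        application                          : mssql-db-base
        rule                                 : interzone-default
        layer7 processing                    : enabled
        tracker stage firewall               : appid policy lookup deny
        end-reason                           : policy-deny
"""

# Constructed sample: the same flow once the ANY ANY test rule let it complete.
ALLOWED_SESSION = """\
Session          717928
        c2s flow:
                source:      192.168.168.168 [L3-Trusted]
                dst:         1.1.1.1
                proto:       6
                sport:       63759           dport:      11067
                state:       INIT            type:       FLOW
        application                          : mssql-db-encrypted
        rule                                 : MSSQL Test
        layer7 processing                    : completed
        tracker stage firewall               : TCP FIN
        end-reason                           : tcp-fin
"""

# One "key : value" attribute line; key may contain spaces and parentheses.
FIELD_RE = re.compile(r"^\s*(?P<key>[^:]+?)\s*:\s*(?P<val>.*?)\s*$")


def parse_session(text: str) -> dict:
    """Collect the single-colon 'key : value' lines of a session dump.

    Flow headers ('c2s flow:') and two-column lines such as
    'sport: ... dport: ...' are skipped; they are not needed for this check.
    """
    fields = {}
    for line in text.splitlines():
        if line.count(":") != 1 or "flow:" in line:
            continue
        m = FIELD_RE.match(line)
        if m:
            fields[m.group("key")] = m.group("val")
    return fields


def is_appid_policy_deny(fields: dict) -> bool:
    """True when the session was set to DISCARD by the App-ID policy lookup."""
    return (fields.get("tracker stage firewall") == "appid policy lookup deny"
            and fields.get("end-reason") == "policy-deny")


def diagnose_app_shift(discard_text: str, allowed_text: str) -> dict:
    """Compare the discarded session with the one seen under the test rule.

    Returns the application seen before and after the shift, the rule that
    discarded the session, and the application the allow rule must permit.
    """
    before = parse_session(discard_text)
    after = parse_session(allowed_text)
    shifted = before.get("application") != after.get("application")
    return {
        "appid_policy_deny": is_appid_policy_deny(before),
        "initial_app": before.get("application"),
        "final_app": after.get("application"),
        "app_shift": shifted,
        "blocking_rule": before.get("rule"),
        # The rule has to allow the application App-ID settles on, not the
        # one seen while the session was still being identified.
        "allow_app": after.get("application") if shifted else before.get("application"),
    }


if __name__ == "__main__":
    for key, value in diagnose_app_shift(DISCARD_SESSION, ALLOWED_SESSION).items():
        print(f"{key:18}: {value}")
```

Run against the two constructed dumps it reports initial_app mssql-db-base, final_app mssql-db-encrypted, blocking_rule interzone-default and allow_app mssql-db-encrypted, which is the application the resolution step says to allow. To use it on a live firewall, paste the full output of "show session id" for the discarded and the test-rule sessions in place of the two samples; the parser ignores the extra lines it does not need.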
Additional Information
#session_discard
#Session set to discard by security policy check