Session set to discard by security policy check
34369
Created On 02/28/19 19:54 PM - Last Modified 03/07/25 14:23 PM
Symptom
- Traffic is being dropped on the firewall, but when you run the global counters filtered for the specific source and destination, you do not see any drop or warning counters.
- When you take a packet capture for the same source and destination, you do see the packets in the drop-stage capture.
NOTE:
For instructions on running global counters for a specific source and destination, refer to the following document.
Environment
- PA Firewall Hardware / VM
- Software version: 7.x.x or 8.x.x
Cause
Application shift: the session is discarded because the policy lookup for the newly identified application is denied.
Resolution
- In the global counters you will see the counter "session_discard - Session set to discard by security policy".
Example:
PA-Lab> show counter global filter packet-filter yes delta yes

Elapsed time since last sampling: 27.462 seconds

name                              value     rate severity  category  aspect    description
--------------------------------------------------------------------------------
pkt_recv                              2        0 info      packet    pktproc   Packets received
pkt_sent                              1        0 info      packet    pktproc   Packets transmitted
session_allocated                     1        0 info      session   resource  Sessions allocated
session_installed                     1        0 info      session   resource  Sessions installed
session_discard                       1        0 info      session   resource  Session set to discard by security policy   >>>>>>>>>>>Session discarded check
flow_host_pkt_xmt                    26        0 info      flow      mgmt      Packets transmitted to control plane
flow_host_vardata_rate_limit_ok      26        0 info      flow      mgmt      Host vardata not sent: rate limit ok
- Check for any session between the source and destination that have the connectivity problem, and look at the details of that session.
Example:
PA-Lab> show session all filter source 192.168.168.168 destination 1.1.1.1
PA-lab> show session id 468169

Session          468169

        c2s flow:
                source:      192.168.168.168 [L3-Trusted]
                dst:         1.1.1.1
                proto:       6
                sport:       63535           dport:      11067
                state:       DISCARD         type:       FLOW
                src user:    fmi\khertzel
                dst user:    unknown

        s2c flow:
                source:      1.1.1.1 [L3-Untrusted]
                dst:         192.168.168.168
                proto:       6
                sport:       11067           dport:      21643
                state:       DISCARD         type:       FLOW
                src user:    unknown
                dst user:    lab\test

        start time                            : Thu Feb 28 10:43:59 2019
        timeout                               : 90 sec
        time to live                          : 83 sec
        total byte count(c2s)                 : 1156
        total byte count(s2c)                 : 126
        layer7 packet count(c2s)              : 9
        layer7 packet count(s2c)              : 2
        vsys                                  : vsys1
        application                           : mssql-db-base   >>>>>>>>>>>>>Note the application that is identified in this session
        rule                                  : interzone-default
        service timeout override(index)       : False
        session to be logged at end           : False
        session in session ager               : True
        session updated by HA peer            : False
        address/port translation              : source
        nat-rule                              : Outbound-PAT(vsys1)
        layer7 processing                     : enabled
        URL filtering enabled                 : True
        URL category                          : any
        session via syn-cookies               : False
        session terminated on host            : False
        session traverses tunnel              : False
        captive portal session                : False
        ingress interface                     : ethernet1/2
        egress interface                      : ethernet1/1
        session QoS rule                      : N/A (class 4)
        tracker stage firewall                : appid policy lookup deny   >>>>>>>>>>>>Note that the appid policy lookup is being denied
        end-reason                            : policy-deny
- Note that in the output above the App-ID policy lookup is denied.
- This indicates that an application shift occurred, which is why the session was discarded.
- To find out what the application shifted to, create a test security policy on the firewall that allows ANY ANY for the source and destination IP addresses concerned.
- Test the connection and check the session details again for the same source and destination.
Example:
PA-Lab> show session all filter source 192.168.168.168 destination 1.1.1.1
PA-Lab > show session id 717928

Session          717928

        c2s flow:
                source:      192.168.168.168 [L3-Trusted]
                dst:         1.1.1.1
                proto:       6
                sport:       63759           dport:      11067
                state:       INIT            type:       FLOW
                src user:    fmi\khertzel
                dst user:    unknown

        s2c flow:
                source:      1.1.1.1 [L3-Untrusted]
                dst:         192.168.168.168
                proto:       6
                sport:       11067           dport:      7474
                state:       INIT            type:       FLOW
                src user:    unknown
                dst user:    lab\test

        start time                            : Thu Feb 28 11:01:15 2019
        timeout                               : 15 sec
        total byte count(c2s)                 : 1452
        total byte count(s2c)                 : 4750
        layer7 packet count(c2s)              : 10
        layer7 packet count(s2c)              : 9
        vsys                                  : vsys1
        application                           : mssql-db-encrypted   >>>>>Note the actual application that should be allowed
        rule                                  : MSSQL Test
        service timeout override(index)       : False
        session to be logged at end           : True
        session in session ager               : False
        session updated by HA peer            : False
        address/port translation              : source
        nat-rule                              : Outbound-PAT(vsys1)
        layer7 processing                     : completed
        URL filtering enabled                 : True
        URL category                          : any
        session via syn-cookies               : False
        session terminated on host            : False
        session traverses tunnel              : False
        captive portal session                : False
        ingress interface                     : ethernet1/2
        egress interface                      : ethernet1/1
        session QoS rule                      : N/A (class 4)
        tracker stage firewall                : TCP FIN
        tracker stage l7proc                  : ctd decoder bypass
        end-reason                            : tcp-fin
- In the session output above, note that the application is identified as "mssql-db-encrypted", whereas in the earlier session details it was "mssql-db-base".
- Creating a security policy that allows the correct application (here mssql-db-encrypted) should resolve the connectivity issue; the test ANY ANY rule can then be removed.
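As an added illustration (not part of this article or of PAN-OS), the following Python helper pulls the fields the diagnosis above relies on out of "show session id" output and reports the application shift between the discarded session and the one seen under the test rule. The two session samples are constructed from the article's values and trimmed to the relevant lines.

```python
import re

# Constructed samples in the shape of the article's "show session id" output,
# trimmed to the fields used below; the values are the article's, not live data.
DISCARDED_SESSION = """\
Session          468169
                state:       DISCARD         type:       FLOW
        application                           : mssql-db-base
        rule                                  : interzone-default
        nat-rule                              : Outbound-PAT(vsys1)
        tracker stage firewall                : appid policy lookup deny
        end-reason                            : policy-deny
"""
ALLOWED_SESSION = """\
Session          717928
                state:       INIT            type:       FLOW
        application                           : mssql-db-encrypted
        rule                                  : MSSQL Test
        tracker stage firewall                : TCP FIN
        end-reason                            : tcp-fin
"""

def session_summary(text):
    """Extract the fields the article's diagnosis relies on from the CLI output."""
    def grab(pattern):
        m = re.search(pattern, text, re.M)
        return m.group(1).strip() if m else None
    return {
        "id": grab(r"^Session\s+(\d+)"),
        "state": grab(r"^\s*state:\s+(\S+)"),            # first match is the c2s flow
        "application": grab(r"^\s*application\s*:\s*(.+)$"),
        "rule": grab(r"^\s*rule\s*:\s*(.+)$"),           # excludes nat-rule / QoS rule
        "tracker": grab(r"^\s*tracker stage firewall\s*:\s*(.+)$"),
        "end_reason": grab(r"^\s*end-reason\s*:\s*(.+)$"),
    }

def is_app_shift_discard(summary):
    """Signature from the article: DISCARD state with the App-ID policy lookup denied."""
    return (summary["state"] == "DISCARD"
            and summary["tracker"] == "appid policy lookup deny"
            and summary["end_reason"] == "policy-deny")

def explain_shift(discarded_text, allowed_text):
    """Compare the discarded session with the one seen under the test rule."""
    d, a = session_summary(discarded_text), session_summary(allowed_text)
    if not is_app_shift_discard(d):
        return None
    return {"denied_as": d["application"], "denied_by": d["rule"],
            "allow_application": a["application"], "seen_under": a["rule"]}
```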
Additional Information
#session_discard#Session set to discard by security policy check