Threat log's action column shows "reset-server" instead of "reset-both"

Created On 01/07/21 02:24 AM - Last Modified 04/01/24 07:37 AM


Question


  • The customer is using "reset-both" for the default action of the http decoder of the AntiVirus Profile.
  • When the firewall detects malware sent in an HTTP session via an AntiVirus signature, the block notification page is NOT shown on the browser side, the TCP reset is sent only to the Web server side, and the Threat log's action column shows "reset-server" instead of "reset-both". Usually, when the firewall detects malware sent in an HTTP session via an AntiVirus signature and the default action of the http decoder of the AntiVirus Profile is "reset-both", the block notification page is sent from the firewall to the browser and shown there, the HTTP session is reset on both the Web server side and the browser side, and the Threat log's action column shows "reset-both".
  • Why does the Threat log's action column show "reset-server" instead of "reset-both" even though the customer is using "reset-both" for the default action of the http decoder of the AntiVirus Profile?


Environment


  • The malware is sent from HTTP session.
  • PANOS 8.1
  • PANOS 9.0
  • PANOS 9.1
  • PANOS 10.0
  • PANOS 10.1
  • PANOS 10.2
  • PANOS 11.0
  • PANOS 11.1
  • The customer is using "reset-both" for the default action of the http decoder of the AntiVirus Profile.


Answer


  • In order to insert the block notification page into the HTTP session in which the malware is delivered, the firewall needs to find the malware in the first packet of the HTTP response. If the firewall detects the threat in a later packet of the response, the HTTP headers have already been forwarded to the browser by the firewall, so the firewall can no longer send the block notification page; the only action it can take is sending a reset to both sides. This result is as expected. Only if the firewall detects the malware early, in the first packet of the response, is it able to send the notification page to the browser.
  • Please note that this result is specific to the case where the malware is not detected in the first packet of the HTTP response.
  • If you need a detailed description of "Actions in Security Profiles", you can find it at https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-web-interface-help/objects/objects-security-profiles/actions-in-security-profiles.html
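The following is an added triage example, not part of this article: it reads a small, constructed CSV export of Threat log rows (simplified column names, not the real PAN-OS field layout) and separates AntiVirus hits where the configured "reset-both" was logged from those logged as "reset-server", i.e. sessions where, per the explanation above, no block page reached the browser.

```python
import csv
import io
from collections import Counter

# Constructed sample Threat log export with a simplified header.
# Real PAN-OS exports carry many more fields; only the ones used here are kept.
SAMPLE_THREAT_LOG = """receive_time,type,subtype,src,dst,app,action,threat_id,direction,session_id
2021/01/07 02:10:11,THREAT,virus,10.1.1.20,203.0.113.10,web-browsing,reset-both,Virus/Example.A(100001),server-to-client,4711
2021/01/07 02:12:45,THREAT,virus,10.1.1.21,203.0.113.11,web-browsing,reset-server,Virus/Example.A(100001),server-to-client,4712
2021/01/07 02:13:02,THREAT,virus,10.1.1.22,203.0.113.12,web-browsing,reset-server,Virus/Example.B(100002),server-to-client,4713
2021/01/07 02:14:30,THREAT,vulnerability,10.1.1.23,203.0.113.13,web-browsing,alert,Example Vuln(999999),client-to-server,4714
"""


def load_threat_log(text):
    """Parse a header-bearing CSV export into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))


def classify_av_actions(rows, configured_action="reset-both"):
    """Summarise AntiVirus (subtype 'virus') actions from HTTP sessions.

    Returns the per-action counts and the session IDs whose logged action
    differs from the profile's configured action. For a 'reset-server'
    entry this means the threat was found after the first packet of the
    HTTP response, so the block notification page could not be inserted
    and the browser only saw the connection drop.
    """
    action_counts = Counter()
    no_block_page = []
    for row in rows:
        # Only AntiVirus verdicts on HTTP traffic are relevant to this case.
        if row["subtype"] != "virus" or row["app"] != "web-browsing":
            continue
        action_counts[row["action"]] += 1
        if row["action"] != configured_action:
            no_block_page.append(row["session_id"])
    return {"action_counts": action_counts,
            "block_page_not_delivered": no_block_page}


if __name__ == "__main__":
    summary = classify_av_actions(load_threat_log(SAMPLE_THREAT_LOG))
    print(dict(summary["action_counts"]))
    print("sessions without block page:", summary["block_page_not_delivered"])
```

The "vulnerability" row is skipped on purpose: this article's explanation applies to AntiVirus decoder actions, not to every Threat log subtype.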

