What is "Session End Reason: threat"?

Created On 01/19/21 21:25 PM - Last Modified 06/24/22 19:14 PM


Symptom
The traffic logs indicate that traffic was allowed, but the session-end-reason column indicates 'threat'.

Environment
  • Palo Alto Networks Firewall
  • PAN-OS >= 8.0


Cause
Security Policies have Actions and Security Profiles.
When the Security Policy Action is 'Deny', then it is pointless to define Security Profiles, because the traffic will never be inspected, since it is being denied by policy.

Therefore, when the Security Policy Action is 'Allow', the traffic is inspected by the configured Security Profiles. If one of the Threat Prevention features detects a threat and enacts a block, the result is a traffic log entry with an action of allow (because the traffic was allowed by policy) and session-end-reason: threat (because a Threat Prevention feature blocked the traffic after it was initially allowed and a threat was identified). Additionally, the timestamp in the traffic log will be later than that of the threat log, because the traffic log is written at session end, and the session ends after the block action.



Resolution
To identify which Threat Prevention feature blocked the traffic:
  1. Open the Detailed Log View by clicking the Traffic Log's magnifying glass icon, which is at the far left of the Traffic Log entry.
     Traffic log entry with action allow and session-end-reason threat.
  2. Review the correlated log entries in the lower panel to identify which Threat Prevention feature enacted the block.
     Detailed Log View, selecting the Threat Log entry that enacted the reset-both action.
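The same correlation can be done outside the GUI when traffic and threat logs are exported to a SIEM. The script below is an added example, not part of this article or of any Palo Alto Networks tool: it works on constructed sample records with simplified, assumed field names (session_id, action, session_end_reason, subtype), not the real PAN-OS log schema. It picks out traffic entries with action allow and session-end-reason threat, joins them to the threat log on session ID, reports which feature (threat subtype) and action ended the session, and checks the ordering described above (the traffic log timestamp should trail the threat log timestamp). A session whose threat entry is missing, for example because threat logs are not forwarded, is reported with feature None rather than silently dropped.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample records (not real PAN-OS export data). Field names are
# simplified assumptions for this example; the real log schema differs.
TRAFFIC_LOGS = [
    {"time": "2021-01-19T21:20:05", "session_id": 4711, "src": "10.1.1.5",
     "dst": "203.0.113.10", "app": "web-browsing", "rule": "allow-web",
     "action": "allow", "session_end_reason": "threat"},
    {"time": "2021-01-19T21:21:30", "session_id": 4712, "src": "10.1.1.6",
     "dst": "203.0.113.11", "app": "ssl", "rule": "allow-web",
     "action": "allow", "session_end_reason": "tcp-fin"},
    {"time": "2021-01-19T21:22:00", "session_id": 4713, "src": "10.1.1.7",
     "dst": "203.0.113.12", "app": "smtp", "rule": "allow-mail",
     "action": "allow", "session_end_reason": "threat"},
    {"time": "2021-01-19T21:22:10", "session_id": 4714, "src": "10.1.1.8",
     "dst": "203.0.113.13", "app": "ftp", "rule": "deny-all",
     "action": "deny", "session_end_reason": "policy-deny"},
]

THREAT_LOGS = [
    {"time": "2021-01-19T21:20:04", "session_id": 4711, "subtype": "vulnerability",
     "threat_name": "EXAMPLE-SIGNATURE (constructed)", "severity": "high",
     "action": "reset-both"},
    {"time": "2021-01-19T21:21:29", "session_id": 4712, "subtype": "url",
     "threat_name": "example-category (constructed)", "severity": "informational",
     "action": "alert"},
]

# Threat-log actions that terminate or block the session, as opposed to
# 'alert' or 'allow', which only record the detection. Set assumed for this example.
BLOCKING_ACTIONS = {"drop", "reset-client", "reset-server", "reset-both",
                    "block-url", "block-ip", "sinkhole"}


def _ts(value):
    return datetime.fromisoformat(value)


def allowed_but_ended_by_threat(traffic_logs):
    """Traffic entries the policy allowed but a Threat Prevention feature closed."""
    return [t for t in traffic_logs
            if t["action"] == "allow" and t["session_end_reason"] == "threat"]


def correlate(traffic_logs, threat_logs):
    """For each allow/threat traffic entry, find the threat log that blocked it.

    Returns one dict per such session. 'feature' is the subtype of the blocking
    threat entry (None when no blocking threat log exists for the session), and
    'delta_s' is how many seconds the traffic log (written at session end)
    trails the threat log (written at detection); 'ordering_ok' is False if the
    traffic log unexpectedly precedes the threat log.
    """
    threats_by_session = defaultdict(list)
    for th in threat_logs:
        threats_by_session[th["session_id"]].append(th)

    findings = []
    for t in allowed_but_ended_by_threat(traffic_logs):
        blocking = [th for th in threats_by_session.get(t["session_id"], [])
                    if th["action"] in BLOCKING_ACTIONS]
        if not blocking:
            findings.append({"session_id": t["session_id"], "rule": t["rule"],
                             "feature": None, "threat_name": None,
                             "threat_action": None, "delta_s": None,
                             "ordering_ok": None})
            continue
        # If several threat entries blocked, the earliest one ended the session.
        th = min(blocking, key=lambda x: _ts(x["time"]))
        delta = (_ts(t["time"]) - _ts(th["time"])).total_seconds()
        findings.append({"session_id": t["session_id"], "rule": t["rule"],
                         "feature": th["subtype"], "threat_name": th["threat_name"],
                         "threat_action": th["action"], "delta_s": delta,
                         "ordering_ok": delta >= 0})
    return findings


if __name__ == "__main__":
    for finding in correlate(TRAFFIC_LOGS, THREAT_LOGS):
        print(finding)
```

On the constructed data, session 4711 resolves to the vulnerability feature with action reset-both and a traffic log one second after the threat log, while session 4713 is flagged with no matching threat entry, which is the case to investigate log forwarding for. Session 4712 is excluded because its threat entry only alerted and the session ended normally (tcp-fin).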

