What is "Session End Reason: threat"?

120620
Created On 01/19/21 21:25 PM - Last Modified 11/15/23 02:17 AM


Symptom


The traffic logs indicate that traffic was allowed, but the session-end-reason column indicates 'threat'.

Environment


  • Palo Alto Networks Firewall
  • PAN-OS >= 8.0


Cause


A Security Policy rule has an Action and, optionally, Security Profiles (the Threat Prevention features, such as Antivirus, Anti-Spyware and Vulnerability Protection).
When the Security Policy Action is 'Deny', Security Profiles are irrelevant: the traffic is dropped by policy and is never inspected.

When the Security Policy Action is 'Allow', the traffic is inspected by the Security Profiles attached to the rule. If one of those profiles blocks the session, the result is a Traffic log entry with action 'allow' (the policy lookup allowed the session) and session-end-reason 'threat' (a Threat Prevention feature terminated the session after the allow decision, once a threat was identified). The Traffic log entry and the corresponding Threat log entry share the same Session ID, which is how the Detailed Log View correlates them.

Because inspection is applied to the flow after the policy allow, any packets that preceded the signature match may already have been forwarded. An entry with action 'allow' and session-end-reason 'threat' therefore does not mean the whole session was delivered, nor that nothing reached the destination; the Threat log entry shows what was detected and which profile action (for example reset-both or drop) ended the session.

Additionally, the timestamp in the Traffic log entry is later than that of the Threat log entry, because the Traffic log is written at session end, and the session ends after the block action.



Resolution


To identify which Threat Prevention feature blocked the traffic:
  1. Open the Detailed Log View by clicking the magnifying glass icon at the far left of the Traffic log entry.
[Screenshot: Traffic log entry with action allow and session-end-reason threat.]
  2. Review the correlated log entries in the lower panel. The Threat log entry that shares the Session ID shows which Threat Prevention feature enacted the block and with what action (for example reset-both).
[Screenshot: Detailed Log View, selecting the Threat log entry that enacted the reset-both action.]

To list every such session rather than examining one entry at a time, filter the Traffic log with ( action eq allow ) and ( session_end_reason eq threat ) and then open each entry's Detailed Log View.
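The same correlation the Detailed Log View performs can be done offline against exported logs, which is useful when reviewing many sessions at once. The following is an added example written for this article and is not Palo Alto Networks code. The sample Traffic and Threat log records are constructed and use a simplified comma-separated layout with a header row; the real PAN-OS syslog CSV format has many more fields in a fixed positional order, so the layout (not the field names session_id, action, session_end_reason and subtype) is an assumption. The example selects Traffic log entries with action allow and session-end-reason threat, joins them to the Threat log entries for the same Session ID, reports the feature and profile action that ended each session, and checks the expected timestamp ordering described above.

```python
"""Correlate PAN-OS Traffic log entries that ended with session-end-reason
'threat' with the Threat log entries for the same session.

Added example (not Palo Alto Networks code). Sample records are constructed;
the simplified CSV layout with a header row is an assumption for this example.
"""
import csv
import io
from datetime import datetime

# Constructed Traffic log sample. Sessions 84117 and 84122 were allowed by
# policy but ended with reason 'threat'; 84113 ended normally (tcp-fin);
# 84120 was denied by policy and therefore never inspected by Security Profiles.
TRAFFIC_LOG = """\
receive_time,type,session_id,src,dst,dport,app,rule,action,session_end_reason
2021/01/19 21:20:02,TRAFFIC,84113,10.1.1.25,203.0.113.7,443,ssl,allow-web,allow,tcp-fin
2021/01/19 21:20:09,TRAFFIC,84117,10.1.1.31,198.51.100.9,80,web-browsing,allow-web,allow,threat
2021/01/19 21:20:11,TRAFFIC,84120,10.1.1.25,192.0.2.44,445,ms-ds-smb,deny-all,deny,policy-deny
2021/01/19 21:20:15,TRAFFIC,84122,10.1.1.40,198.51.100.9,80,web-browsing,allow-web,allow,threat
"""

# Constructed Threat log sample. A Threat log entry is written when the
# profile acts, so its timestamp precedes the session-end Traffic log entry.
# Signature names are placeholders, not real PAN-OS threat IDs.
THREAT_LOG = """\
receive_time,type,subtype,session_id,src,dst,threat_name,severity,action
2021/01/19 21:20:08,THREAT,vulnerability,84117,10.1.1.31,198.51.100.9,constructed-vuln-signature,critical,reset-both
2021/01/19 21:20:14,THREAT,virus,84122,10.1.1.40,198.51.100.9,constructed-virus-signature,medium,drop
"""

# Equivalent filter for the Traffic log viewer in the PAN-OS web interface.
LOG_FILTER = "( action eq allow ) and ( session_end_reason eq threat )"


def parse_log(text):
    """Parse a header-prefixed CSV log into a list of dicts keyed by field name."""
    return list(csv.DictReader(io.StringIO(text)))


def parse_time(value):
    """Parse the receive_time field as used in the samples above."""
    return datetime.strptime(value, "%Y/%m/%d %H:%M:%S")


def correlate_threat_ended_sessions(traffic_text=TRAFFIC_LOG, threat_text=THREAT_LOG):
    """Return one record per Traffic log entry with action=allow and
    session_end_reason=threat, joined with the Threat log entries sharing its
    session_id. 'blocking_features' lists (threat subtype, signature name,
    profile action) for each correlated Threat log entry; 'threat_logged_first'
    verifies that every correlated Threat log entry precedes the session end."""
    threats_by_session = {}
    for entry in parse_log(threat_text):
        threats_by_session.setdefault(entry["session_id"], []).append(entry)

    results = []
    for entry in parse_log(traffic_text):
        if entry["action"] != "allow" or entry["session_end_reason"] != "threat":
            continue
        related = threats_by_session.get(entry["session_id"], [])
        end_time = parse_time(entry["receive_time"])
        results.append({
            "session_id": entry["session_id"],
            "rule": entry["rule"],
            "src": entry["src"],
            "dst": entry["dst"],
            "blocking_features": [
                (t["subtype"], t["threat_name"], t["action"]) for t in related
            ],
            # A 'threat' session end with no Threat log entry points at a log
            # forwarding or profile logging gap and is worth investigating.
            "unexplained": not related,
            "threat_logged_first": all(
                parse_time(t["receive_time"]) <= end_time for t in related
            ),
        })
    return results


if __name__ == "__main__":
    print("Traffic log filter:", LOG_FILTER)
    for row in correlate_threat_ended_sessions():
        print(row)
```

Running the block prints two correlated sessions: 84117 ended by the Vulnerability Protection profile with reset-both, and 84122 ended by the Antivirus profile with drop. The denied session 84120 never appears, matching the point in the Cause section that denied traffic is not inspected, and the tcp-fin session 84113 is excluded because it ended normally.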


    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000HCQlCAO&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail