Error:
An unexpected error occurred. Please click Reload to try again.
Error:
An unexpected error occurred. Please click Reload to try again.
What is "Session End Reason: threat"?

What is "Session End Reason: threat"?

151929
Created On 01/19/21 21:25 PM - Last Modified 11/15/23 02:17 AM


Symptom


The traffic logs indicate that traffic was allowed, but the session-end-reason column indicates 'threat'.

Environment


  • Palo Alto Networks Firewall
  • PAN-OS >= 8.0


Cause


Security Policies have Actions and Security Profiles.
When the Security Policy Action is 'Deny', then it is pointless to define Security Profiles, because the traffic will never be inspected, since it is being denied by policy.

Therefore, when Security Policy Action is 'Allow', the traffic will be inspected by the Security Profiles configured. If a session is blocked by one of the Security Profiles, this will result in a traffic log entry with an action of allow (because it was allowed by policy) and session-end-reason: threat (because a Threat Prevention feature blocked the traffic after it was initially allowed and a threat was identified).

Additionally, the timestamp in the the traffic log will be later than that of the threat log, because it is logging at session end, and the session ends after the block action.

 


Resolution


To identify which Threat Prevention feature blocked the traffic.
  1. Open the Detailed Log View by clicking on the Traffic Log's magnifying glass icon, which should be at the very left of the Traffic Log entry.
Traffic log entry with action allow and session-end-reason threat.
  1. Review the correlated log entries in the lower panel to identify which threat prevention feature enacted a block.
Detailed Log View selecting the Threat Log entry that enacted the reset-both action.


Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000HCQlCAO&lang=en_US%E2%80%A9&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Choose Language