What is "Session End Reason: threat"?
151929
Created On 01/19/21 21:25 PM - Last Modified 11/15/23 02:17 AM
Symptom
The traffic logs indicate that traffic was allowed, but the session-end-reason column indicates 'threat'.
Environment
- Palo Alto Networks Firewall
- PAN-OS >= 8.0
Cause
Security Policies have Actions and Security Profiles.
When the Security Policy Action is 'Deny', then it is pointless to define Security Profiles, because the traffic will never be inspected, since it is being denied by policy.
Conversely, when the Security Policy Action is 'Allow', the traffic is inspected by the Security Profiles configured on that rule. If a session is blocked by one of those Security Profiles, the result is a traffic log entry with an action of allow (because the traffic was allowed by policy) and session-end-reason: threat (because a Threat Prevention feature identified a threat and blocked the traffic after it was initially allowed).
Additionally, the timestamp in the traffic log will be later than that of the threat log, because the traffic log is written at session end, and the session ends after the block action.
Resolution
To identify which Threat Prevention feature blocked the traffic:
- Open the Detailed Log View by clicking on the Traffic Log's magnifying glass icon, which should be at the very left of the Traffic Log entry.
- Review the correlated log entries in the lower panel to identify which threat prevention feature enacted a block.
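The same correlation can be done outside the GUI on exported logs or SIEM data. The following Python is an added example, not part of this article or of PAN-OS; it uses constructed, simplified records (only the columns needed, not the full PAN-OS CSV layout) and matches traffic entries with action allow and session-end-reason threat to threat log entries by session ID, also checking that the threat log was written before the traffic log as described above.

```python
from datetime import datetime

# Constructed, simplified sample records (not a real PAN-OS export).
# Field names follow PAN-OS column names where possible.
TRAFFIC_LOGS = [
    {"receive_time": "2021/01/19 21:10:07", "sessionid": 40011, "rule": "allow-web",
     "action": "allow", "session_end_reason": "threat"},
    {"receive_time": "2021/01/19 21:10:09", "sessionid": 40012, "rule": "allow-web",
     "action": "allow", "session_end_reason": "tcp-fin"},
    {"receive_time": "2021/01/19 21:10:11", "sessionid": 40013, "rule": "deny-all",
     "action": "deny", "session_end_reason": "policy-deny"},
    {"receive_time": "2021/01/19 21:10:15", "sessionid": 40014, "rule": "allow-web",
     "action": "allow", "session_end_reason": "threat"},  # no threat log received
]
THREAT_LOGS = [
    {"receive_time": "2021/01/19 21:10:05", "sessionid": 40011,
     "subtype": "vulnerability", "action": "reset-both",
     "threatid": "CONSTRUCTED-THREAT-NAME(placeholder)"},
]

TS_FMT = "%Y/%m/%d %H:%M:%S"


def find_blocked_by_profile(traffic_logs, threat_logs):
    """For each traffic entry allowed by policy but ended by a Security Profile
    (action == 'allow' and session_end_reason == 'threat'), return which Threat
    Prevention feature acted, taken from the threat log with the same session ID."""
    threats_by_session = {}
    for th in threat_logs:
        threats_by_session.setdefault(th["sessionid"], []).append(th)

    results = []
    for tr in traffic_logs:
        if tr["action"] != "allow" or tr["session_end_reason"] != "threat":
            continue  # blocked by policy, or ended normally: not our case
        tr_time = datetime.strptime(tr["receive_time"], TS_FMT)
        matches = threats_by_session.get(tr["sessionid"], [])
        if not matches:
            # Session ended by a profile but no threat log arrived (e.g. log
            # forwarding gap); flag it so the analyst searches by session ID.
            results.append({"sessionid": tr["sessionid"], "rule": tr["rule"],
                            "blocked_by": None, "profile_action": None,
                            "threat_logged_first": None})
            continue
        for th in matches:
            th_time = datetime.strptime(th["receive_time"], TS_FMT)
            results.append({"sessionid": tr["sessionid"], "rule": tr["rule"],
                            "blocked_by": th["subtype"],  # e.g. vulnerability, virus, spyware, url
                            "profile_action": th["action"],
                            # traffic log is written at session end, so it should be the later one
                            "threat_logged_first": th_time <= tr_time})
    return results
```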