Understanding Session End Reason "decoder" in Traffic Logs

Created On 02/26/25 20:10 PM - Last Modified 01/31/26 11:50 AM


Symptom


Administrators may notice multiple session end logs with the reason "decoder" when monitoring traffic logs in PAN-OS. This occurs frequently in environments where URL categorization is applied dynamically.



Environment


  • PAN-OS devices running URL filtering and application identification.

  • Networks utilizing protocols such as HTTP-Proxy, SIP, and FTP that require protocol decoding.

  • Deployments where applications tunnel inside other protocols (e.g., Yahoo! Messenger, Zscaler proxy products over HTTP).



Cause


PAN-OS uses protocol decoders to:

  • Detect new connections within a protocol and terminate previous ones.

  • Apply context-based signatures to detect applications tunneling within another protocol.

  • Validate traffic compliance with protocol specifications.

  • Support NAT traversal and dynamic pinholes for applications like SIP and FTP.

In some cases, the URL category of web traffic is initially logged as PAN_URL_CATEGORY_ANY (0). When the actual category is later determined and updated, PAN-OS logs a session end with reason "decoder."



Resolution


This behavior is expected and does not indicate a problem. PAN-OS dynamically updates session attributes as more information becomes available, ensuring accurate application and URL categorization.
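
To see how much of a traffic log export this behavior accounts for, the following added example (not part of the original article) tallies sessions that ended with reason "decoder" by application and URL category. The reduced CSV layout and every sample row are constructed, and the column names are assumed to follow the syslog field names.

```python
import csv
import io
from collections import Counter

# Constructed sample: a traffic-log CSV export reduced to five columns.
# The header names follow the PAN-OS syslog field names; the reduced layout
# and every value below are assumptions made for this example.
SAMPLE = """\
sessionid,app,category,action,session_end_reason
1001,web-browsing,any,allow,decoder
1002,web-browsing,news,allow,tcp-fin
1003,ssl,any,allow,decoder
1004,sip,any,allow,aged-out
1005,web-browsing,any,allow,decoder
1006,ftp,any,allow,tcp-rst-from-server
1007,ssl,computer-and-internet-info,allow,tcp-fin
1008,web-browsing,any,reset-both,decoder
"""


def decoder_report(csv_text, reason="decoder"):
    """Summarise sessions whose end reason equals `reason`."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    hits = [r for r in rows
            if r["session_end_reason"].strip().lower() == reason]
    return {
        "total": len(rows),
        "decoder": len(hits),
        "share": round(len(hits) / len(rows), 3) if rows else 0.0,
        "by_app": dict(Counter(r["app"] for r in hits)),
        "by_category": dict(Counter(r["category"] for r in hits)),
        # Sessions that ended with "decoder" but were not allowed. The
        # article does not cover these, so they are listed for a manual look.
        "not_allowed": [r["sessionid"] for r in hits
                        if r["action"] != "allow"],
    }


if __name__ == "__main__":
    for key, value in decoder_report(SAMPLE).items():
        print(f"{key}: {value}")
```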



Additional Information


For further details on traffic log field descriptions, refer to: Syslog Field Descriptions - Traffic Log Fields.


