Threat traffic not detected by the firewall

Created On 09/13/24 08:58 AM - Last Modified 10/16/25 06:27 AM


Symptom


When test threat traffic is run through the firewall, the firewall does not identify it as a threat (no threat log is generated and the session is not discarded).

Examples of how to generate test threat traffic:
How to Check if the Vulnerability Module is Working Properly
How to Test Threat Prevention Using a Web Browser

To confirm whether the firewall identified the traffic as a threat, look at the session details for the test flow on the CLI (here session 21834):

> show session id 21834
Session           21834
        c2s flow:
                source:      172.16.212.10 [L3-Trust]
                dst:         18.206.19.26
                proto:       6
                sport:       64925           dport:      80
                state:       DISCARD         type:       FLOW
                src user:    unknown
                dst user:    unknown
        s2c flow:
                source:      18.206.19.26 [L3-Untrust]
                dst:         10.194.45.212
                proto:       6
                sport:       80              dport:      1493
                state:       DISCARD         type:       FLOW
                src user:    unknown
                dst user:    unknown
        start time                           : Fri Sep 13 16:33:43 2024
        timeout                              : 90 sec
        time to live                         : 81 sec
        total byte count(c2s)                : 3819
        total byte count(s2c)                : 66
        layer7 packet count(c2s)             : 10
        layer7 packet count(s2c)             : 1
        vsys                                 : vsys1
        application                          : web-browsing
        rule                                 : Trust-to-Untrust
        service timeout override(index)      : False
        session to be logged at end          : True
        session in session ager              : True
        session updated by HA peer           : False
        address/port translation             : source + destination
        nat-rule                             : Trust-NAT(vsys1)
        layer7 processing                    : completed
        URL filtering enabled                : False
        session via syn-cookies              : False
        session terminated on host           : False
        session traverses tunnel             : False
        session terminate tunnel             : False
        captive portal session               : False
        ingress interface                    : ethernet1/6
        egress interface                     : ethernet1/3
        session QoS rule                     : N/A (class 4)
        tracker stage firewall               : mitigation tdb reset
        end-reason                           : threat


The "end-reason" should be stated as "threat".
 


Environment


Any PAN-OS version and any firewall model. Both causes below (a security policy rule with no security profiles attached, or a matching Application Override policy) are general configuration issues, not version-specific behaviour.



Cause


One reason the traffic is not detected as a threat is that the security policy rule the traffic matches (in the session output above, "Trust-to-Untrust") has no security profiles attached. Without Antivirus, Anti-Spyware and Vulnerability Protection profiles (or a profile group) on the rule, the traffic is allowed but its content is not inspected, so no threat signature can fire.

[Screenshots secpol1.png and secpol2.png: the security policy rule with no profiles attached]

Another reason is that an Application Override policy matches the threat traffic. Application Override forces the session to be classified as the configured custom application instead of going through App-ID. If that custom application's scanning options are unchecked, the threat engine stops inspecting the traffic as soon as the custom application is identified, so the threat signatures for that traffic never fire.

[Screenshot secpol3.png: the Application Override policy matching the traffic]

 


Resolution


  • Attach security profiles (or a profile group) to the security policy rule that the test traffic matches, i.e. the rule shown in the session output.
  • Ensure the threat traffic does not match an Application Override policy; if a custom application is required, enable its scanning options so that content inspection continues after the application is identified.
  • Rerun the test traffic and confirm the session now ends with end-reason "threat".


Additional Information


How to Check if the Vulnerability Module is Working Properly
How to Test Threat Prevention Using a Web Browser


Source: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000TpA3CAK&lang=en_US&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail