Firewalls in an active-active setup do not synchronize session byte or packet counts with the peer.
6461
Created On 06/27/23 12:41 PM - Last Modified 07/07/23 02:22 AM
Symptom
The customer has an active-active setup. When they check the session ID details on the active-primary firewall, they see large byte and packet counts in both the S2C and C2S directions.
FW01(active-primary)> show session id 1584692
Session 1584692
c2s flow:
source: 10.41.231.61 [ABC]
dst: 10.27.17.1
proto: 6
sport: 51253 dport: 3365
state: ACTIVE type: FLOW
src user: unknown
dst user: unknown
qos node: ethernet1/10, qos member N/A Qid 0
offload: Yes
s2c flow:
source: 10.27.17.1 [CDE]
dst: 10.41.231.61
proto: 6
sport: 3365 dport: 51253
state: ACTIVE type: FLOW
src user: unknown
dst user: unknown
qos node: ethernet1/9, qos member N/A Qid 0
offload: Yes
Slot : 1
DP : 0
index(local): : 1584692
start time : Tue Mar 7 08:58:49 2023
timeout : 3600 sec
time to live : 3589 sec
total byte count(c2s) : 114777 >>>>>>>>>>>>>>>>>>
total byte count(s2c) : 287531 >>>>>>>>>>>>>>>>>>>
layer7 packet count(c2s) : 293
layer7 packet count(s2c) : 604
vsys : vsys1
application : outlook-web-online
rule : Agence_ACL
service timeout override(index) : False
session to be logged at end : True
session in session ager : True
session updated by HA peer : False
session owner is HA A/A local device : True
session setup locally HA A/A : True
layer7 processing : completed
URL filtering enabled : False
session via syn-cookies : False
session terminated on host : False
session traverses tunnel : False
session terminate tunnel : False
captive portal session : False
ingress interface : ethernet1/9
egress interface : ethernet1/10
session QoS rule : N/A (class 4)
tracker stage l7proc : ctd proc changed
end-reason : unknown
However, when they filter for the same session by source and destination (IP and port) on the active-secondary firewall, these values are not populated there.
FW02(active-secondary)> show session id 1332211
Session 1332211
c2s flow:
source: 10.41.231.61 [ABC]
dst: 10.27.17.1
proto: 6
sport: 51253 dport: 3365
state: ACTIVE type: FLOW
src user: unknown
dst user: unknown
offload: Yes
s2c flow:
source: 10.27.17.1 [CDE]
dst: 10.41.231.61
proto: 6
sport: 3365 dport: 51253
state: ACTIVE type: FLOW
src user: unknown
dst user: unknown
offload: Yes
Slot : 1
DP : 0
index(local): : 1332211
start time : Tue Mar 7 08:58:47 2023 >>>>>>>>>>>>>>>>
timeout : 3600 sec
time to live : 3569 sec
total byte count(c2s) : 0 >>>>>>>>>>>>>>>>>>>
total byte count(s2c) : 0 >>>>>>>>>>>>>>>>>>>
layer7 packet count(c2s) : 0 >>>>>>>>>>>>>>>>>>>
layer7 packet count(s2c) : 0 >>>>>>>>>>>>>>>>>>>
vsys : vsys1
application : outlook-web-online
session to be logged at end : True
session in session ager : True
session updated by HA peer : True
session owner is HA A/A local device : False
session setup locally HA A/A : False
layer7 processing : completed
URL filtering enabled : False
session via syn-cookies : False
session terminated on host : False
session traverses tunnel : False
session terminate tunnel : False
captive portal session : False
ingress interface : ethernet1/9
egress interface : ethernet1/10
session QoS rule : N/A (class 4)
end-reason : unknown
Environment
- All PAN-OS versions
Cause
This is expected behavior: byte and packet counts are not synchronized between peers in an active-active setup.
These values are synchronized in an active-passive setup.
Resolution
This is a design limitation of active-active setups.
Additional Information
Sometimes you will notice that only one of the S2C and C2S directions has non-zero values on both firewalls. This can be caused by asymmetric routing in the customer's environment.
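The two captures above are easy to misread as a missing session or lost traffic. The following added example (not part of this article or of any Palo Alto Networks tool) parses the relevant lines of a `show session id` capture from each A/A peer, checks that both describe the same session, and reports whether the zero counters are the expected owner-only accounting or whether one direction is counted on both peers, which is the asymmetric-routing hint from Additional Information. The embedded captures are constructed, abbreviated copies of the article's output; the field regexes are whitespace-tolerant because real devices pad columns differently.

```python
import re
from dataclasses import dataclass

# Constructed, abbreviated "show session id" captures modelled on the article's
# two outputs (same 5-tuple, same counter values, decorative '>>>>' markers kept).
FW01_OUTPUT = """\
FW01(active-primary)> show session id 1584692
Session 1584692
c2s flow:
source: 10.41.231.61 [ABC]
dst: 10.27.17.1
proto: 6
sport: 51253 dport: 3365
total byte count(c2s) : 114777 >>>>>>>>>>>>>>>>>>
total byte count(s2c) : 287531 >>>>>>>>>>>>>>>>>>>
layer7 packet count(c2s) : 293
layer7 packet count(s2c) : 604
session updated by HA peer : False
session owner is HA A/A local device : True
"""

FW02_OUTPUT = """\
FW02(active-secondary)> show session id 1332211
Session 1332211
c2s flow:
source: 10.41.231.61 [ABC]
dst: 10.27.17.1
proto: 6
sport: 51253 dport: 3365
total byte count(c2s) : 0 >>>>>>>>>>>>>>>>>>>
total byte count(s2c) : 0 >>>>>>>>>>>>>>>>>>>
layer7 packet count(c2s) : 0 >>>>>>>>>>>>>>>>>>>
layer7 packet count(s2c) : 0 >>>>>>>>>>>>>>>>>>>
session updated by HA peer : True
session owner is HA A/A local device : False
"""


@dataclass
class SessionView:
    device: str            # hostname taken from the CLI prompt
    session_id: int        # local session index (differs per peer)
    c2s: tuple             # (src, dst, proto, sport, dport) of the c2s flow
    byte_count: dict       # {"c2s": n, "s2c": n}
    pkt_count: dict        # {"c2s": n, "s2c": n}
    owner: bool            # "session owner is HA A/A local device"
    updated_by_peer: bool  # "session updated by HA peer"


def _field(text: str, label: str, pattern: str = r"(\d+)") -> str:
    """Extract the value of one 'label : value' line; raise if it is absent."""
    m = re.search(re.escape(label) + r"\s*:\s*" + pattern, text)
    if not m:
        raise ValueError(f"missing field: {label}")
    return m.group(1)


def parse_session(text: str) -> SessionView:
    """Parse one 'show session id' capture into a SessionView."""
    prompt = re.search(r"^(\w+)\([^)]*\)> show session id (\d+)", text, re.M)
    if not prompt:
        raise ValueError("no 'show session id' prompt line found")
    flow = re.search(r"c2s flow:\s*source:\s*(\S+).*?dst:\s*(\S+).*?proto:\s*(\d+)"
                     r".*?sport:\s*(\d+)\s+dport:\s*(\d+)", text, re.S)
    if not flow:
        raise ValueError("c2s flow block not found")
    flag = r"(True|False)"
    return SessionView(
        device=prompt.group(1),
        session_id=int(prompt.group(2)),
        c2s=(flow.group(1), flow.group(2), int(flow.group(3)),
             int(flow.group(4)), int(flow.group(5))),
        byte_count={d: int(_field(text, f"total byte count({d})")) for d in ("c2s", "s2c")},
        pkt_count={d: int(_field(text, f"layer7 packet count({d})")) for d in ("c2s", "s2c")},
        owner=_field(text, "session owner is HA A/A local device", flag) == "True",
        updated_by_peer=_field(text, "session updated by HA peer", flag) == "True",
    )


def compare_peers(a: SessionView, b: SessionView) -> dict:
    """Explain why two A/A peers show different counters for the same session."""
    if a.c2s != b.c2s:
        raise ValueError("the two captures describe different sessions")
    owners = [v for v in (a, b) if v.owner]
    others = [v for v in (a, b) if not v.owner]
    # A direction counted on both peers is the hint for asymmetric routing.
    both_counted = [d for d in ("c2s", "s2c") if a.byte_count[d] and b.byte_count[d]]
    result = {
        "owner": owners[0].device if len(owners) == 1 else None,
        "nonowner_zero": bool(others) and all(
            not any(v.byte_count.values()) and not any(v.pkt_count.values()) for v in others),
        "directions_counted_on_both": both_counted,
    }
    if both_counted:
        result["verdict"] = "possible_asymmetric_routing"
    elif result["owner"] and result["nonowner_zero"]:
        result["verdict"] = "expected_aa_behaviour"  # counters live only on the session owner
    else:
        result["verdict"] = "inconsistent_state"
    return result


if __name__ == "__main__":
    print(compare_peers(parse_session(FW01_OUTPUT), parse_session(FW02_OUTPUT)))
```

The `inconsistent_state` verdict is the one worth a closer look: a session with no single owner, or a non-owner carrying counters in only one direction, does not match either explanation given in this article.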