How is a session logged in the traffic logs on PA firewalls when the application appears as "incomplete"?

Created On 03/22/24 15:01 PM - Last Modified 07/09/25 03:12 AM


Question


How is a session logged in the traffic logs on PA firewalls when the application appears as "incomplete"?

Environment


  • Any Palo Alto Networks firewall
  • Any PAN-OS


Answer


  • Here is how a session is logged in the traffic logs when the application appears as "incomplete":
  1. The firewall checks the security policies from top to bottom using the application "ANY" to see whether any rule allows packets for the given addresses, zones, and ports.
    1. If the policy allows the traffic, the firewall creates the session and moves on to the fast path.
    2. If the policy denies the traffic, the packet is discarded.

  2. If the application is not identified (due to an incomplete 3-way handshake) after the "Pattern-based application identification" in the "Application identification" section, the flow returns to "Content inspection applicable?" in the "fast path" section.
  3. The firewall marks the application as "incomplete" and logs the session with the policy that matched in the "Slow path".
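
The lookup-and-log behavior described above, as an added example (not Palo Alto Networks code): a simplified Python model in which the rule fields, rule names, addresses and packets are constructed assumptions. It shows why an "incomplete" log entry can carry a rule whose configured application is something specific, because the first lookup treats the application as ANY.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass
class Rule:               # simplified, hypothetical rule model
    name: str
    src_zone: str
    dst_zone: str
    src_net: str
    dst_net: str
    dports: tuple         # empty tuple means any port
    application: str      # configured application, ignored by the first lookup
    action: str           # "allow" or "deny"

# Constructed rulebase, evaluated top to bottom.
RULES = [
    Rule("block-telnet", "trust", "untrust", "10.0.0.0/8", "0.0.0.0/0", (23,), "any", "deny"),
    Rule("allow-web", "trust", "untrust", "10.0.0.0/8", "0.0.0.0/0", (80, 443), "web-browsing", "allow"),
    Rule("allow-all-out", "trust", "untrust", "10.0.0.0/8", "0.0.0.0/0", (), "any", "allow"),
]

def first_lookup(rules, pkt):
    """Return the first rule matching zones, addresses and port; application is treated as ANY."""
    for r in rules:
        if (r.src_zone, r.dst_zone) != (pkt["src_zone"], pkt["dst_zone"]):
            continue
        if ip_address(pkt["src"]) not in ip_network(r.src_net):
            continue
        if ip_address(pkt["dst"]) not in ip_network(r.dst_net):
            continue
        if r.dports and pkt["dport"] not in r.dports:
            continue
        return r
    return None

def log_incomplete_session(rules, pkt):
    """Model a session whose 3-way handshake never completes.
    Returns the traffic-log entry, or None when the packet is discarded."""
    rule = first_lookup(rules, pkt)
    if rule is None or rule.action == "deny":
        return None       # assumption: no match is treated like a deny here
    return {"rule": rule.name, "app": "incomplete", "src": pkt["src"],
            "dst": pkt["dst"], "dport": pkt["dport"]}

def syn(dport):           # constructed sample packet
    return {"src_zone": "trust", "dst_zone": "untrust",
            "src": "10.1.2.3", "dst": "203.0.113.10", "dport": dport}

if __name__ == "__main__":
    for port in (443, 8080, 23):
        print(port, log_incomplete_session(RULES, syn(port)))
```

In this model an unanswered SYN to port 443 is logged under "allow-web" with the application "incomplete", even though that rule is configured for web-browsing.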
