Hit count is seen on a security rule but there are no traffic logs generated at session start

Created On 07/31/25 19:40 PM - Last Modified 03/04/26 21:37 PM


Symptom


  • The firewall rule shows a recent "last hit" date (GUI: Policies > Security > Rule Usage column).
  • "Apps Seen" on the hit rule is not populated.
  • No corresponding traffic log is found for the rule when reviewing logs directly on the firewall.
    • Enabling logging on the rule at session start or at session end does not produce any traffic logs for it.
  • No sessions appear in the GUI session browser when filtering on the relevant security rule.


Environment


  • Next Gen Firewalls (NGFW)
  • Security Policy
  • Rule Usage
  • Traffic Log


Cause


  

  • Firewall functionality
    • When a session is being set up, the security policy is matched on the 6-tuple before the application has been identified.
    • The session is assigned to the first rule matched in a two-pass lookup.
      • The first pass matches an explicit rule if one is available.
      • If the traffic does not match in the first pass, a second pass matches an implicit rule.
    • A match made on the implicit/explicit lookup increments the rule's hit count but does not by itself produce a traffic log.
      • Traffic logs are generated for the policy that is assigned to the session during the slow path and the first security policy lookup. When the application identified later causes the session to be matched on a different rule, the traffic log is written against that rule, not against the rule that recorded the hit.


Resolution


Confirming that the rule is being matched on the implicit/explicit lookup

  • If the hit count keeps increasing but "Apps Seen" never gains a new application, treat the hits as implicit/explicit matches: the rule matched on the 6-tuple before the application was identified, and once App-ID completed the session was matched, and logged, on a different rule.
  • To find that rule, filter the traffic log by the session's source and destination addresses (and destination port) rather than by rule name; the Rule column of the matching entry shows the rule the session was finally matched on. On the CLI, "show session id <id>" for a live session shows the same rule, and "test security-policy-match" with the identified application specified returns the rule the fully identified traffic matches.
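As an added illustration that is not part of the article and is not PAN-OS code, the following Python model plays the lookup order from the Cause section through a small constructed rulebase and reports the per-rule counters the Symptom and Resolution sections describe (hit count, Apps Seen, traffic logs). The rule names, zones, addresses and simplifications are assumptions made for the example: the 6-tuple match is reduced to zones plus destination port, the pre-App-ID pass ignores the application column, and a session that shifts to another rule after App-ID is counted as a second hit on that rule.

```python
"""
Toy model of why a rule can accumulate hits without producing traffic logs.
Added example, not PAN-OS code. Assumed simplifications:
  - the "6-tuple" match is reduced to zones plus destination port;
  - the pre-App-ID pass ignores the rule's application column;
  - the post-App-ID pass is a plain first-match over tuple + application;
  - a shift to a different rule after App-ID counts as a hit on that rule.
The rulebase and sessions below are constructed, not taken from the article.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    dst_port: int          # 0 means "any"
    apps: frozenset        # empty frozenset means "any" application


@dataclass(frozen=True)
class Session:
    src_zone: str
    dst_zone: str
    src_ip: str
    dst_ip: str
    dst_port: int
    app: str               # application App-ID eventually identifies


def tuple_match(rule: Rule, s: Session) -> bool:
    """The part of the match the firewall can do before App-ID has run."""
    return (rule.src_zone == s.src_zone and rule.dst_zone == s.dst_zone
            and rule.dst_port in (0, s.dst_port))


def initial_lookup(rules, s):
    """Session setup: application unknown, first rule matching the tuple wins."""
    return next((r for r in rules if tuple_match(r, s)), None)


def final_lookup(rules, s):
    """After App-ID: first rule matching the tuple and the identified app."""
    return next((r for r in rules
                 if tuple_match(r, s) and (not r.apps or s.app in r.apps)), None)


def process(rules, sessions):
    """Return per-rule hit count, Apps Seen and traffic-log count (model)."""
    stats = {r.name: {"hits": 0, "apps_seen": set(), "logs": 0} for r in rules}
    for s in sessions:
        first = initial_lookup(rules, s)
        if first is not None:
            stats[first.name]["hits"] += 1         # rule usage counter ticks here
        final = final_lookup(rules, s)
        if final is None:
            continue                               # nothing allows the app: no log in this model
        if final is not first:
            stats[final.name]["hits"] += 1         # assumption: the shift is a second match
        stats[final.name]["apps_seen"].add(s.app)  # Apps Seen follows the final rule
        stats[final.name]["logs"] += 1             # and so does the traffic log
    return stats


def rules_with_hits_but_no_logs(stats):
    """The KB symptom: hit count > 0, nothing in Apps Seen, no traffic log."""
    return sorted(n for n, v in stats.items()
                  if v["hits"] and not v["apps_seen"] and not v["logs"])


# Constructed rulebase: a narrow SSL rule above a catch-all outbound rule.
RULES = (
    Rule("allow-ssl-443", "trust", "untrust", 443, frozenset({"ssl"})),
    Rule("allow-outbound-any", "trust", "untrust", 0, frozenset()),
)

# Constructed sessions: plain HTTP on port 443 (tuple-matches the SSL rule,
# but App-ID later identifies web-browsing) and ordinary DNS to port 53.
SESSIONS = (
    Session("trust", "untrust", "10.0.0.5", "203.0.113.10", 443, "web-browsing"),
    Session("trust", "untrust", "10.0.0.5", "203.0.113.53", 53, "dns"),
)

if __name__ == "__main__":
    result = process(RULES, SESSIONS)
    for name, v in result.items():
        print(f"{name:20} hits={v['hits']} apps_seen={sorted(v['apps_seen'])} logs={v['logs']}")
    print("hit but never logged:", rules_with_hits_but_no_logs(result))
```

In the model, "allow-ssl-443" ends with one hit, an empty Apps Seen and no log, while the catch-all rule carries both traffic logs; that is the pattern the Resolution describes, and it is why filtering the traffic log by addresses rather than by rule name is the way to find where the session actually landed.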


Additional Information




    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA1Ki000000fxygKAA&lang=en_US&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail