Hit count is seen on a security rule but there are no traffic logs generated at session start

• Firewall rule shows a recent 'last hit' date (GUI: Policies > Security > Rule usage column).
• "App Seen" on the hit rule is not populated
• No corresponding traffic log is found on the firewall for the rule when reviewing logs directly on the firewall.
  • Enabling logging on rule at "session start" or "session end" does not produce any traffic logs.
• No sessions are showing up in GUI session browser when searching for the relevant security rule.

• Next Gen Firewalls (NGFW)
• Security Policy
• Rule Usage
• Traffic Log

• Definition
  • Explicit Rule
    • Rule that have ports listed explicitly through services policy objects
  • Implicit Rule
    
    • Rules that have ports assigned through an application(s) and using application-default to define ports.

• Firewall Functionality
  • When a session is being setup, the 6-Tuple is matched before the application is identified.
  • Traffic is completed on first rule matched in a two pass process.
    • The first pass will match on explicit rule if one is available.
    • If there is no match on the traffic, a second pass will be completed to match on an implicit rule.
  • Traffic matched on an implicit/explicit rule match does not produce traffic logs.
    • Traffic logs are generated when a policy is assigned to the session during the slow path and the first security policy lookup.

Confirming that the rule is being matched on the implicit/explicit rule

• When the hit count continues to increase but the "Apps Seen" does not populate with new applications, the traffic should be considered implicit/explicit traffic with the application being identified and the traffic is later being matched on a different rule.

• Clear/Reset "Apps Seen" data.