Hit count is increasing but there are no traffic logs generated at session start
Created On 07/31/25 19:40 PM - Last Modified 10/31/25 08:54 AM
Symptom
- The firewall rule shows a recent "Last Hit" date and an increasing hit count.
- "Apps Seen" is not populated after it has been reset.
- No corresponding traffic logs are found for the rule when reviewing logs directly on the firewall.
- Enabling logging on the rule at session start or at session end does not produce any traffic logs.
- No sessions show up in the GUI session browser when filtering on the rule.
Environment
- Next Gen Firewalls (NGFW)
- Panorama
- Traffic Logs
Cause
- Definitions
  - Explicit rule: a rule whose ports are listed explicitly through service objects.
  - Implicit rule: a rule whose ports come from its application(s), with the service set to application-default.
- Firewall functionality
  - When a session is being set up, the 6-tuple is matched before the application has been identified.
  - This pre-App-ID lookup is a two-pass process, and the first rule matched receives the hit.
  - The first pass matches on an explicit rule if one is available.
  - If no explicit rule matches the traffic, a second pass is completed to match on an implicit rule.
  - A match made in this implicit/explicit lookup increments the rule's hit count but does not produce traffic logs.
  - Traffic logs are generated when a policy is assigned to the session during the slow path (the first security-policy lookup), and that rule can differ from the one that recorded the hit.
Resolution
Confirming that the rule is only being matched in the implicit/explicit lookup
- When the hit count continues to increase but "Apps Seen" does not populate with new applications, treat the hits as implicit/explicit lookup matches: the application is being identified and the traffic is being matched on, and logged against, a different rule.
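The following is an added model of the behaviour described in the Cause and Resolution sections above; it is constructed for this article and is not PAN-OS code. The rule names, the application-default port table and the sample flows are assumptions chosen to reproduce the symptom: an explicit rule keeps collecting hits in the pre-App-ID lookup while the session is ultimately assigned to, and logged on, a different rule.

```python
"""Constructed model of the two-pass security-policy lookup described in this
article. It is an illustration, not PAN-OS code: rule names, the
application-default port table and the flows are invented for the example."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Hypothetical application -> application-default ports (assumption, not real PAN-OS data).
APP_DEFAULT_PORTS: Dict[str, Set[int]] = {"web-browsing": {80}, "ssl": {443}, "ssh": {22}}


@dataclass
class Rule:
    name: str
    service_ports: Optional[Set[int]] = None  # explicit rule: ports from service objects; None = any
    apps: Optional[Set[str]] = None           # None = any application
    app_default: bool = False                 # implicit rule: ports come from the listed apps
    hit_count: int = 0                        # what "Last Hit" / the hit counter tracks
    apps_seen: Set[str] = field(default_factory=set)
    logs: List[str] = field(default_factory=list)

    def is_explicit(self) -> bool:
        return self.service_ports is not None

    def tuple_ports(self) -> Optional[Set[int]]:
        """Ports the rule can match on before App-ID has run (None = any port)."""
        if self.is_explicit():
            return self.service_ports
        if self.app_default and self.apps:
            return set().union(*(APP_DEFAULT_PORTS.get(a, set()) for a in self.apps))
        return None


def tuple_lookup(rules: List[Rule], dst_port: int) -> Optional[Rule]:
    """Lookup at session setup, before the application is known.
    Pass 1 considers only explicit rules, pass 2 only implicit rules; the first
    match bumps the hit counter but does not generate a traffic log."""
    for want_explicit in (True, False):
        for rule in rules:
            if rule.is_explicit() != want_explicit:
                continue
            ports = rule.tuple_ports()
            if ports is None or dst_port in ports:
                rule.hit_count += 1
                return rule
    return None


def policy_lookup(rules: List[Rule], dst_port: int, app: str) -> Optional[Rule]:
    """Slow-path lookup once App-ID has identified the application. The rule
    chosen here is assigned to the session, owns the traffic log and populates
    Apps Seen."""
    for rule in rules:
        if rule.apps is not None and app not in rule.apps:
            continue
        if rule.is_explicit() and dst_port not in rule.service_ports:
            continue
        if rule.app_default and dst_port not in APP_DEFAULT_PORTS.get(app, set()):
            continue
        rule.apps_seen.add(app)
        rule.logs.append(f"dport={dst_port} app={app} rule={rule.name}")
        return rule
    return None


def process_session(rules: List[Rule], dst_port: int, app: str) -> Tuple[Optional[str], Optional[str]]:
    """Run both lookups for one session; returns (pre-App-ID rule, logged rule)."""
    first = tuple_lookup(rules, dst_port)
    final = policy_lookup(rules, dst_port, app)
    return (first.name if first else None, final.name if final else None)


def hits_without_logs(rules: List[Rule]) -> List[str]:
    """The check from the Resolution: rules whose hit counter keeps growing
    while no logs (and no new Apps Seen) are attributed to them."""
    return [r.name for r in rules if r.hit_count > len(r.logs)]


def build_rulebase() -> List[Rule]:
    # Constructed rulebase: one explicit rule, one implicit rule, one catch-all.
    return [
        Rule("Allow-Web-Explicit", service_ports={80}, apps={"web-browsing"}),
        Rule("Allow-SSL-AppDefault", apps={"ssl"}, app_default=True),
        Rule("Catch-All-Log"),
    ]


if __name__ == "__main__":
    rb = build_rulebase()
    # Constructed flows: normal web, TLS on port 80 (non-standard), normal TLS.
    for port, app in ((80, "web-browsing"), (80, "ssl"), (443, "ssl")):
        print(port, app, "->", process_session(rb, port, app))
    for r in rb:
        print(f"{r.name}: hits={r.hit_count} logs={len(r.logs)} apps_seen={sorted(r.apps_seen)}")
    print("hits without logs:", hits_without_logs(rb))
```

In the second flow the explicit rule `Allow-Web-Explicit` matches on port 80 in the first pass and takes the hit, but App-ID then identifies `ssl`, which that rule does not allow, so the session is assigned to `Catch-All-Log`, which is the only rule that writes a traffic log. `hits_without_logs` reproduces the check from the Resolution: a rule whose hit count outruns its log count is being matched in the implicit/explicit lookup only.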