Hit count is increasing but there are no traffic logs generated at session start

• Firewall rule shows a recent 'last hit' date.
• "App Seen" is not populated after the "App Seen" has been reset.
• No corresponding traffic logs are found on the firewall for the rule when reviewing logs directly on the firewall.
  • Enabling logging on rule at "session start" or "session end" does not produce any traffic logs.
• No sessions showing up in GUI session browser when searching for rule.

• Next Gen Firewalls (NGFW)
• Panorama
• Traffic Logs

• Definition
  • Explicit Rule
    • Rule that have ports listed explicitly through services policy objects
  • Implicit Rule
    
    • Rules that have ports assigned through an application(s) and using application-default to define ports.
• Firewall Functionality
  • When a session is being setup, the 6-Tuple is matched before the application is identified.
  • Traffic is completed on first rule matched in a two pass process.
    • The first pass will match on explicit rule if one is available.
    • If there is no match on the traffic a second pass will be completed to match on an implicit rule.
  • Traffic matched on a implicit/explicit rule match does not produce traffic logs.
    • Traffic logs are generated when a policy is assigned to the session during the slow path and First security policy lookup.

Confirming that rule is being matched on implicit/explicit rule

• 1. When the hit count continue to increase but the "Apps Seen" does not populate with new applications the traffic should be considered implicit/explicit traffic with the application being identified and the traffic is being matched on a different rule.

• Clear/Reset "Apps Seen" data.