How To Check if a Session is Established and the Parent Session Information
51963
Created On 04/26/19 09:18 AM - Last Modified 04/26/19 16:39 PM
Objective
How to check if a session is established via prediction and how to check the parent session information.
Environment
PAN-OS
Procedure
To get the list of predict sessions, you can run:
show session all filter type predict
admin@Firewall> show session all filter type predict -------------------------------------------------------------------------------- ID Application State Type Flag Src[Sport]/Zone/Proto (translated IP[Port]) Vsys Dst[Dport]/Zone (translated IP[Port]) -------------------------------------------------------------------------------- 504 ftp-data ACTIVE PRED 10.59.59.132[0]/L3-DMZ/6 (10.59.59.132[0]) vsys1 172.16.59.100[16889]/L3-Inside (172.16.59.100[16889])
Session details would reveal the parent session:
admin@Firewall> show session id 504
Session 504
c2s flow:
source: 10.59.59.132 [L3-DMZ]
dst: 172.16.59.100
proto: 6
sport: 0 dport: 16889
state: ACTIVE type: PRED
src user: unknown
dst user: unknown
s2c flow:
source: 172.16.59.100 [L3-Inside]
dst: 10.59.59.132
proto: 6
sport: 16889 dport: 0
state: OPENING type: PRED
src user: unknown
dst user: unknown
start time : Fri Apr 26 01:40:38 2019
timeout : 60 sec
time to live : 27 sec
total byte count(c2s) : 0
total byte count(s2c) : 0
layer7 packet count(c2s) : 0
layer7 packet count(s2c) : 0
vsys : vsys1
application : ftp-data
rule :
service timeout override(index) : False
session to be logged at end : False
session in session ager : True
session updated by HA peer : False
parent session : 409
prediction triggered by : client
prediction matched once : True
end-reason : unknown
The row "parent session" indicates the parent session. Now you can get the details of the parent session using:
show session id <id>
admin@Firewall> show session id 409
Session 409
c2s flow:
source: 172.16.59.100 [L3-Inside]
dst: 10.59.59.132
proto: 6
sport: 16816 dport: 21
state: ACTIVE type: FLOW
src user: unknown
dst user: unknown
s2c flow:
source: 10.59.59.132 [L3-DMZ]
dst: 172.16.59.100
proto: 6
sport: 21 dport: 16816
state: ACTIVE type: FLOW
src user: unknown
dst user: unknown
start time : Fri Apr 26 01:32:30 2019
timeout : 1800 sec
time to live : 1762 sec
total byte count(c2s) : 921
total byte count(s2c) : 783
layer7 packet count(c2s) : 14
layer7 packet count(s2c) : 9
vsys : vsys1
application : ftp
rule : Inside-DMZ
service timeout override(index) : False
session to be logged at end : True
session in session ager : True
session updated by HA peer : False
layer7 processing : enabled
ctd version : 2
URL filtering enabled : False
session via syn-cookies : False
session terminated on host : False
session traverses tunnel : False
captive portal session : False
ingress interface : ethernet1/5
egress interface : ethernet1/4
session QoS rule : N/A (class 4)
end-reason : unknown
When the data packet arrives for the predict session, it is converted to a normal flow session.
admin@Firewall> show session id 506
Session 506
c2s flow:
source: 10.59.59.132 [L3-DMZ]
dst: 172.16.59.100
proto: 6
sport: 20 dport: 16889
state: ACTIVE type: FLOW
src user: unknown
dst user: unknown
offload: Yes
s2c flow:
source: 172.16.59.100 [L3-Inside]
dst: 10.59.59.132
proto: 6
sport: 16889 dport: 20
state: ACTIVE type: FLOW
src user: unknown
dst user: unknown
offload: Yes
start time : Fri Apr 26 01:41:54 2019
timeout : 15 sec
time to live : 1 sec
total byte count(c2s) : 22061222
total byte count(s2c) : 513606
layer7 packet count(c2s) : 20465
layer7 packet count(s2c) : 8560
vsys : vsys1
application : ftp-data
rule : Inside-DMZ
service timeout override(index) : False
session to be logged at end : True
session in session ager : True
session updated by HA peer : False
layer7 processing : completed
URL filtering enabled : False
session via prediction : True
use parent's policy : True
parent session : 409
refresh parent session : True
session via syn-cookies : False
session terminated on host : False
session traverses tunnel : False
captive portal session : False
ingress interface : ethernet1/4
egress interface : ethernet1/5
session QoS rule : N/A (class 4)
tracker stage firewall : TCP FIN
tracker stage l7proc : ctd app has no decoder
end-reason : tcp-fin
To know if a "FLOW" session is installed via prediction, check if there is a row named "session via prediction." If it is set to "True" then this means the session is installed via PRED. The parent session info is only visible as long as the session is in an ACTIVE state.
If the session moves to INIT(closed) the parent session info is lost.
admin@Firewall> show session id 506
Session 506
c2s flow:
source: 10.59.59.132 [L3-DMZ]
dst: 172.16.59.100
proto: 6
sport: 20 dport: 16889
state: INIT type: FLOW
src user: unknown
dst user: unknown
s2c flow:
source: 172.16.59.100 [L3-Inside]
dst: 10.59.59.132
proto: 6
sport: 16889 dport: 20
state: INIT type: FLOW
src user: unknown
dst user: unknown
start time : Fri Apr 26 01:41:54 2019
timeout : 15 sec
total byte count(c2s) : 22077452
total byte count(s2c) : 513786
layer7 packet count(c2s) : 20481
layer7 packet count(s2c) : 8563
vsys : vsys1
application : ftp-data
rule : Inside-DMZ
service timeout override(index) : False
session to be logged at end : True
session in session ager : False
session updated by HA peer : False
layer7 processing : completed
URL filtering enabled : False
session via prediction : True
use parent's policy : True
session via syn-cookies : False
session terminated on host : False
session traverses tunnel : False
captive portal session : False
ingress interface : ethernet1/4
egress interface : ethernet1/5
session QoS rule : N/A (class 4)
tracker stage firewall : TCP FIN
tracker stage l7proc : ctd app has no decoder
end-reason : tcp-fin
In the above output, you can see that the "parent session" row is not available, but we could still see if the session was indeed via prediction.
Additional Information
ALG capable sessions are not offloaded. To check if an application can create a predict session, create the application definition from CLI. The web interface does not display this information.
admin@Firewall# show predefined application ftp
ftp {
category general-internet;
subcategory file-sharing;
technology client-server;
alg yes; <<<<
appident yes;
What is a predict session? For more information about predict sessions, please refer to the following articles:
Palo Alto Networks Firewall Session Overview
Session States and Types