How To Check if a Session is Established and the Parent Session Information

How To Check if a Session is Established and the Parent Session Information

58196
Created On 04/26/19 09:18 AM - Last Modified 04/26/19 16:39 PM


Objective


How to check if a session is established via prediction and how to check the parent session information.

Environment


PAN-OS

Procedure


To get the list of predict sessions, you can run:
show session all filter type predict

Example:
admin@Firewall> show session all filter type predict

--------------------------------------------------------------------------------
ID          Application    State   Type Flag  Src[Sport]/Zone/Proto (translated IP[Port])
Vsys                                          Dst[Dport]/Zone (translated IP[Port])
--------------------------------------------------------------------------------
504          ftp-data       ACTIVE  PRED       10.59.59.132[0]/L3-DMZ/6  (10.59.59.132[0])
vsys1                                          172.16.59.100[16889]/L3-Inside  (172.16.59.100[16889])

Session details would reveal the parent session:
admin@Firewall> show session id 504

Session             504

        c2s flow:
                source:      10.59.59.132 [L3-DMZ]
                dst:         172.16.59.100
                proto:       6
                sport:       0               dport:      16889
                state:       ACTIVE          type:       PRED
                src user:    unknown
                dst user:    unknown

        s2c flow:
                source:      172.16.59.100 [L3-Inside]
                dst:         10.59.59.132
                proto:       6
                sport:       16889           dport:      0
                state:       OPENING         type:       PRED
                src user:    unknown
                dst user:    unknown

        start time                           : Fri Apr 26 01:40:38 2019
        timeout                              : 60 sec
        time to live                         : 27 sec 
        total byte count(c2s)                : 0
        total byte count(s2c)                : 0
        layer7 packet count(c2s)             : 0
        layer7 packet count(s2c)             : 0
        vsys                                 : vsys1
        application                          : ftp-data  
        rule                                 : 
        service timeout override(index)      : False
        session to be logged at end          : False
        session in session ager              : True
        session updated by HA peer           : False
        parent session                       : 409
        prediction triggered by              : client
        prediction matched once              : True
        end-reason                           : unknown

The row "parent session" indicates the parent session. Now you can get the details of the parent session using: 
show session id <id>
admin@Firewall> show session id 409

Session             409

        c2s flow:
                source:      172.16.59.100 [L3-Inside]
                dst:         10.59.59.132
                proto:       6
                sport:       16816           dport:      21
                state:       ACTIVE          type:       FLOW
                src user:    unknown
                dst user:    unknown

        s2c flow:
                source:      10.59.59.132 [L3-DMZ]
                dst:         172.16.59.100
                proto:       6
                sport:       21              dport:      16816
                state:       ACTIVE          type:       FLOW
                src user:    unknown
                dst user:    unknown

        start time                           : Fri Apr 26 01:32:30 2019
        timeout                              : 1800 sec
        time to live                         : 1762 sec 
        total byte count(c2s)                : 921
        total byte count(s2c)                : 783
        layer7 packet count(c2s)             : 14
        layer7 packet count(s2c)             : 9
        vsys                                 : vsys1
        application                          : ftp  
        rule                                 : Inside-DMZ
        service timeout override(index)      : False
        session to be logged at end          : True
        session in session ager              : True
        session updated by HA peer           : False
        layer7 processing                    : enabled
        ctd version                          : 2
        URL filtering enabled                : False
        session via syn-cookies              : False
        session terminated on host           : False
        session traverses tunnel             : False
        captive portal session               : False
        ingress interface                    : ethernet1/5
        egress interface                     : ethernet1/4
        session QoS rule                     : N/A (class 4)
        end-reason                           : unknown

When the data packet arrives for the predict session, it is converted to a normal flow session.
admin@Firewall> show session id 506 

Session             506

        c2s flow:
                source:      10.59.59.132 [L3-DMZ]
                dst:         172.16.59.100
                proto:       6
                sport:       20              dport:      16889
                state:       ACTIVE          type:       FLOW
                src user:    unknown
                dst user:    unknown
                offload:     Yes

        s2c flow:
                source:      172.16.59.100 [L3-Inside]
                dst:         10.59.59.132
                proto:       6
                sport:       16889           dport:      20
                state:       ACTIVE          type:       FLOW
                src user:    unknown
                dst user:    unknown
                offload:     Yes

        start time                           : Fri Apr 26 01:41:54 2019
        timeout                              : 15 sec
        time to live                         : 1 sec 
        total byte count(c2s)                : 22061222
        total byte count(s2c)                : 513606
        layer7 packet count(c2s)             : 20465
        layer7 packet count(s2c)             : 8560
        vsys                                 : vsys1
        application                          : ftp-data  
        rule                                 : Inside-DMZ
        service timeout override(index)      : False
        session to be logged at end          : True
        session in session ager              : True
        session updated by HA peer           : False
        layer7 processing                    : completed
        URL filtering enabled                : False
        session via prediction               : True
        use parent's policy                  : True
        parent session                       : 409
        refresh parent session               : True
        session via syn-cookies              : False
        session terminated on host           : False
        session traverses tunnel             : False
        captive portal session               : False
        ingress interface                    : ethernet1/4
        egress interface                     : ethernet1/5
        session QoS rule                     : N/A (class 4)
        tracker stage firewall               : TCP FIN
        tracker stage l7proc                 : ctd app has no decoder
        end-reason                           : tcp-fin

To know if a "FLOW" session is installed via prediction, check if there is a row named "session via prediction." If it is set to "True" then this means the session is installed via PRED. The parent session info is only visible as long as the session is in an ACTIVE state.

If the session moves to INIT(closed) the parent session info is lost.
admin@Firewall> show session id 506

Session             506

        c2s flow:
                source:      10.59.59.132 [L3-DMZ]
                dst:         172.16.59.100
                proto:       6
                sport:       20              dport:      16889
                state:       INIT            type:       FLOW
                src user:    unknown
                dst user:    unknown

        s2c flow:
                source:      172.16.59.100 [L3-Inside]
                dst:         10.59.59.132
                proto:       6
                sport:       16889           dport:      20
                state:       INIT            type:       FLOW
                src user:    unknown
                dst user:    unknown

        start time                           : Fri Apr 26 01:41:54 2019
        timeout                              : 15 sec
        total byte count(c2s)                : 22077452
        total byte count(s2c)                : 513786
        layer7 packet count(c2s)             : 20481
        layer7 packet count(s2c)             : 8563
        vsys                                 : vsys1
        application                          : ftp-data  
        rule                                 : Inside-DMZ
        service timeout override(index)      : False
        session to be logged at end          : True
        session in session ager              : False
        session updated by HA peer           : False
        layer7 processing                    : completed
        URL filtering enabled                : False
        session via prediction               : True
        use parent's policy                  : True
        session via syn-cookies              : False
        session terminated on host           : False
        session traverses tunnel             : False
        captive portal session               : False
        ingress interface                    : ethernet1/4
        egress interface                     : ethernet1/5
        session QoS rule                     : N/A (class 4)
        tracker stage firewall               : TCP FIN
        tracker stage l7proc                 : ctd app has no decoder
        end-reason                           : tcp-fin

In the above output, you can see that the "parent session" row is not available, but we could still see if the session was indeed via prediction.
 


Additional Information


ALG capable sessions are not offloaded. To check if an application can create a predict session, create the application definition from CLI. The web interface does not display this information.
admin@Firewall# show predefined application ftp
ftp {
  category general-internet;
  subcategory file-sharing;
  technology client-server;
  alg yes; <<<<
  appident yes;

What is a predict session? For more information about predict sessions, please refer to the following articles: 
Palo Alto Networks Firewall Session Overview
Session States and Types
 


Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/kCSArticleDetail?id=kA10g000000PLnl&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FkCSArticleDetail

Choose Language