topic Traffic Log - What's the difference between the "Type" field and the "action" field in Next-Generation Firewall Discussions

Traffic Log - What's the difference between the "Type" field and the "action" field

rmeddane — Fri, 19 Jan 2024 21:30:53 GMT

While investigating and navigating in the Traffic Log, I noticed for some traffic the Type is Drop and the Action is Deny, While in some traffic, the Type is Deny and the Action is Reset Both.

The Security Policy Rule is configured with the Deny Action without Security Profiles.

How to explain this behavior in the Traffic Logs?

Re: Traffic Log - What's the difference between the "Type" field and the "action" field

msyeedrafiqi — Fri, 19 Jan 2024 21:38:25 GMT

Type (type)	Specifies the type of log; value is TRAFFIC.
Threat/Content Type (subtype)	Subtype of traffic log; values are start, end, drop, and deny Start—session started End—session ended Drop—session dropped before the application is identified and there is no rule that allows the session. Deny—session dropped after the application is identified and there is a rule to block or no rule that allows the session.

Action (action)	Action taken for the session; possible values are: allow—session was allowed by policy deny—session was denied by policy drop—session was dropped silently drop ICMP—session was silently dropped with an ICMP unreachable message to the host or application reset both—session was terminated and a TCP reset is sent to both the sides of the connection reset client—session was terminated and a TCP reset is sent to the client reset server—session was terminated and a TCP reset is sent to the server

Re: Traffic Log - What's the difference between the "Type" field and the "action" field

rmeddane — Sat, 20 Jan 2024 06:41:20 GMT

I read it in the admin guide, but according to the log output: Why some traffic the Type is Drop and the Action is Deny, While in some traffic, the Type is Deny and the Action is Reset Both. While the security policy rule is configured with the action Deny.?

Re: Traffic Log - What's the difference between the "Type" field and the "action" field

msyeedrafiqi — Sat, 20 Jan 2024 15:29:12 GMT

This is also mentioned in the admin guide:

Drop—session dropped before the application is identified and there is no rule that allows the session.

Deny—session dropped after the application is identified and there is a rule to block or no rule that allows the session.

About the reset, The palo alto firewall only sends tcp reset if the traffic is identified as threat.

About the reset both: I think it will happen during SSL forward proxy were the firewall intercept the tcp handshake and so it will sent tcp reset to the client and the server.