https://live.paloaltonetworks.com/t5/next-generation-firewall/ip-blocked-then-allowed/m-p/574767#M2533 <P>Hello,</P> <P>Glad you found what you needed.</P> <P>&nbsp;</P> <P>Cheers!</P> Mon, 29 Jan 2024 17:41:20 GMT OtakarKlier 2024-01-29T17:41:20Z https://live.paloaltonetworks.com/t5/next-generation-firewall/ip-blocked-then-allowed/m-p/573581#M2474 <P>Hi,&nbsp;<BR />I'm reviewing a logs regarding a low reputation IP which in the first log it's action is dropped, and 5 minutes later 3 logs with action allowed. Why does it dropped then allowed it?<BR /><BR />Logs</P> <P>category: spyware</P> <P>action: dropped</P> <P>Threat Name: CobaltStrike.Gen Command and Control Traffic<BR />Threat ID: 18005</P> Fri, 19 Jan 2024 03:45:47 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/ip-blocked-then-allowed/m-p/573581#M2474 ridzuan.a 2024-01-19T03:45:47Z https://live.paloaltonetworks.com/t5/next-generation-firewall/ip-blocked-then-allowed/m-p/573583#M2475 <P>I'm new to the forum, thanks in advance</P> <P>&nbsp;</P> Fri, 19 Jan 2024 03:46:26 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/ip-blocked-then-allowed/m-p/573583#M2475 ridzuan.a 2024-01-19T03:46:26Z https://live.paloaltonetworks.com/t5/next-generation-firewall/ip-blocked-then-allowed/m-p/573990#M2499 <P>Hello,</P> <P>Not sure if its the case here however logs are typically written at 'session end'. We would need to see redacted logs to try and figure this out. Just black out the source and destination IP's along with anything that could identify your company etc.</P> <P>Regards,</P> Mon, 22 Jan 2024 21:19:20 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/ip-blocked-then-allowed/m-p/573990#M2499 OtakarKlier 2024-01-22T21:19:20Z https://live.paloaltonetworks.com/t5/next-generation-firewall/ip-blocked-then-allowed/m-p/574052#M2501 <P>Hi, please find the ss below<BR /><BR /><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="FW logs blocked then allow.jpg" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/56778i13E120F36D46D49B/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="FW logs blocked then allow.jpg" alt="FW logs blocked then allow.jpg" /></span></P> Tue, 23 Jan 2024 08:35:50 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/ip-blocked-then-allowed/m-p/574052#M2501 ridzuan.a 2024-01-23T08:35:50Z https://live.paloaltonetworks.com/t5/next-generation-firewall/ip-blocked-then-allowed/m-p/574099#M2507 <P>Hello,</P> <P>So the 'later' traffic is UDP (DNS-Base) so it has to 'time out' since there is no fin packets. This is the most likely reason for the later timestamp in the logs. The policy is most likely set to log at session end, which is best practice.</P> <P>&nbsp;</P> <P>Hope this helps.</P> Tue, 23 Jan 2024 15:43:26 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/ip-blocked-then-allowed/m-p/574099#M2507 OtakarKlier 2024-01-23T15:43:26Z https://live.paloaltonetworks.com/t5/next-generation-firewall/ip-blocked-then-allowed/m-p/574236#M2512 <P>does UDP has fin packets?</P> Wed, 24 Jan 2024 06:42:52 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/ip-blocked-then-allowed/m-p/574236#M2512 ridzuan.a 2024-01-24T06:42:52Z https://live.paloaltonetworks.com/t5/next-generation-firewall/ip-blocked-then-allowed/m-p/574237#M2513 <P>i did a bit of research from your explanation, using the first link below to understand the session end. then using data from Session End reason: threat, i found out the answer in the second link. thanks for your help<BR /><BR /><A href="https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/traffic-log-fields" target="_blank">https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/traffic-log-fields</A><BR /><A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000HCQlCAO" target="_blank">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000HCQlCAO</A></P> Wed, 24 Jan 2024 06:45:28 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/ip-blocked-then-allowed/m-p/574237#M2513 ridzuan.a 2024-01-24T06:45:28Z https://live.paloaltonetworks.com/t5/next-generation-firewall/ip-blocked-then-allowed/m-p/574767#M2533 <P>Hello,</P> <P>Glad you found what you needed.</P> <P>&nbsp;</P> <P>Cheers!</P> Mon, 29 Jan 2024 17:41:20 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/ip-blocked-then-allowed/m-p/574767#M2533 OtakarKlier 2024-01-29T17:41:20Z