<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: delayed traffic logging in Next-Generation Firewall Discussions</title>
    <link>https://live.paloaltonetworks.com/t5/next-generation-firewall/delayed-traffic-logging/m-p/1002315#M5357</link>
    <description>&lt;P&gt;Hi&amp;nbsp;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/283870"&gt;@itassetbenilde&lt;/a&gt;&amp;nbsp;,&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Please verify the traffic log setting configuration, as logging depends on the security policy log setting configuration. Please refer to the KB below for more details.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Clt5CAC" target="_blank"&gt;https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Clt5CAC&lt;/A&gt;&lt;/P&gt;</description>
    <pubDate>Fri, 10 Jan 2025 04:13:11 GMT</pubDate>
    <dc:creator>mshekh</dc:creator>
    <dc:date>2025-01-10T04:13:11Z</dc:date>
    <item>
      <title>delayed traffic logging</title>
      <link>https://live.paloaltonetworks.com/t5/next-generation-firewall/delayed-traffic-logging/m-p/1002255#M5356</link>
      <description>&lt;P&gt;Hi All,&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Some weird stuff going on on our unit: what are the chances that the firewall logged traffic that it received hours ago?&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;In our case, the firewall logged RDP connections that occurred in the early morning. However, the target servers didn't log any login attempts at all. The alleged source IP of the connections was down during that period (although we are not ruling out that some other device "borrowed" the source IP).&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;What I also found odd is that we would normally see RDP TCP connections... the log entries in question are RDP UDP, and had "aged-out" as the Session End Reason.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Is it possible that somehow, those connections were initiated hours earlier, then somehow our firewall logged it as having occurred in the early morning?&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Fri, 10 Jan 2025 02:15:52 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/next-generation-firewall/delayed-traffic-logging/m-p/1002255#M5356</guid>
      <dc:creator>itassetbenilde</dc:creator>
      <dc:date>2025-01-10T02:15:52Z</dc:date>
    </item>
    <item>
      <title>Re: delayed traffic logging</title>
      <link>https://live.paloaltonetworks.com/t5/next-generation-firewall/delayed-traffic-logging/m-p/1002315#M5357</link>
      <description>&lt;P&gt;Hi&amp;nbsp;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/283870"&gt;@itassetbenilde&lt;/a&gt;&amp;nbsp;,&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Please verify the traffic log setting configuration, as logging depends on the security policy log setting configuration. Please refer to the KB below for more details.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Clt5CAC" target="_blank"&gt;https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Clt5CAC&lt;/A&gt;&lt;/P&gt;</description>
      <pubDate>Fri, 10 Jan 2025 04:13:11 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/next-generation-firewall/delayed-traffic-logging/m-p/1002315#M5357</guid>
      <dc:creator>mshekh</dc:creator>
      <dc:date>2025-01-10T04:13:11Z</dc:date>
    </item>
    <item>
      <title>Re: delayed traffic logging</title>
      <link>https://live.paloaltonetworks.com/t5/next-generation-firewall/delayed-traffic-logging/m-p/1002684#M5363</link>
      <description>&lt;P&gt;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/283870"&gt;@itassetbenilde&lt;/a&gt;,&lt;/P&gt;
&lt;P&gt;RDP can utilize TCP or UDP, so what you're seeing isn't really abnormal. You can disable the ability to utilize UDP for RDP via Group Policy; in fact, for performance reasons, it's actually something that I recommend anyone using PAN and GlobalProtect do, as I've found it provides the best performance.&lt;/P&gt;
&lt;P&gt;As &lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/195187"&gt;@mshekh&lt;/a&gt; mentioned, the first thing that you'll want to look at is the actual log file that was generated. The traffic logs by default filter on receive_time, however for RDP you really should be looking at the actual log details themselves and looking for the start time if you're trying to locate associated events on the other end. Rules by default will only have log-end enabled; what I generally recommend is that you enable log-start on RDP rules in addition to log-end so that you can easily see if a session is on-going without having to look at the session table.&lt;/P&gt;</description>
      <pubDate>Fri, 10 Jan 2025 15:00:06 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/next-generation-firewall/delayed-traffic-logging/m-p/1002684#M5363</guid>
      <dc:creator>BPry</dc:creator>
      <dc:date>2025-01-10T15:00:06Z</dc:date>
    </item>
  </channel>
</rss>