https://live.paloaltonetworks.com/t5/general-topics/session-end-reason-threat-traffic-allow/m-p/451467#M101156 <P><STRONG>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/192693">@PavelK</a>&nbsp;</STRONG></P><P>Thanks for the great suggestion<STRONG>.</STRONG></P><P>I think it’s behavior of APP-ID check.</P><P>When traffic through firewall, Palo Alto will try to analysis / handshake those packet and visible it, traffic already sent and received at &nbsp;before spyware identification.</P><P>We just set action Drop to mitigate and reduce rate for event occurs, if we haven’t ip layer info.</P><P>&nbsp;</P><P>thanks</P><P>&nbsp;</P><P>Tyson</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Mon, 06 Dec 2021 02:10:19 GMT Tyson-Liu 2021-12-06T02:10:19Z https://live.paloaltonetworks.com/t5/general-topics/session-end-reason-threat-traffic-allow/m-p/432658#M95887 <P>Hi Everyone&nbsp;</P> <P>&nbsp;</P> <P>we got the problem for session end reason “threat”, cause we detected the coin miner traffic through firewall and transmission to internet, even we saw the session end reason already hit to threat when the spyware traffic initially and threat log show result to drop for same session, but the traffic seems like still pass through to firewall, because we can look the send &amp; receive packet growing up by magnifier.</P> <P>&nbsp;</P> <P>my confused is if the session reason already count to “threat” and threat log action to drop, it should be discard session or not?</P> <P>if yes, why still receive and transmit packet</P> <P>&nbsp;</P> <P>thx</P> <P>&nbsp;</P> <P>Tyson</P> Wed, 08 Sep 2021 18:53:01 GMT https://live.paloaltonetworks.com/t5/general-topics/session-end-reason-threat-traffic-allow/m-p/432658#M95887 Tyson-Liu 2021-09-08T18:53:01Z https://live.paloaltonetworks.com/t5/general-topics/session-end-reason-threat-traffic-allow/m-p/432710#M95888 <P>Thank you&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/162302">@Tyson-Liu</a>&nbsp; for this post.</P> <P>&nbsp;</P> <P>Could you please confirm what signature is getting hit and PAN-OS you are running?</P> <P>Also, when you navigate to session browser under:&nbsp;Monitor &gt; Session Browser can you see the session still alive?</P> <P>&nbsp;</P> <P>Kind Regards</P> <P>Pavel&nbsp;</P> Thu, 09 Sep 2021 04:25:50 GMT https://live.paloaltonetworks.com/t5/general-topics/session-end-reason-threat-traffic-allow/m-p/432710#M95888 PavelK 2021-09-09T04:25:50Z https://live.paloaltonetworks.com/t5/general-topics/session-end-reason-threat-traffic-allow/m-p/433039#M95889 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/192693">@PavelK</a>&nbsp; Hi&nbsp;</P> <P>It's 86358 threat ID (CoinMiner Command &amp; Control traffic detection) at the PAN-OS 9.0.11 version, the application visibility to json-rpc.</P> <P>&nbsp;</P> <P>we can not replicate traffic because internal rule,&nbsp; but the visit record of&nbsp;malicious site from our security operation center,&nbsp;</P> <P>&nbsp;</P> <P>thanks&nbsp;</P> <P>&nbsp;</P> <P>Tyson</P> Fri, 10 Sep 2021 09:44:41 GMT https://live.paloaltonetworks.com/t5/general-topics/session-end-reason-threat-traffic-allow/m-p/433039#M95889 Tyson-Liu 2021-09-10T09:44:41Z https://live.paloaltonetworks.com/t5/general-topics/session-end-reason-threat-traffic-allow/m-p/436377#M96261 <P>Thank you for reply&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/162302">@Tyson-Liu</a>&nbsp; and sorry for getting back to you with delay.</P><P>&nbsp;</P><P>I know you mentioned that you can't reproduce it, however if you come across similar case for different signature as a next action I would recommend to get a session ID and then from CLI issue:&nbsp;show session id &lt;session id&gt; | match count</P><P>&nbsp;</P><P>You will get below output:</P><P>&nbsp;</P><P>total byte count(c2s) :&nbsp;<BR />total byte count(s2c) :&nbsp;<BR />layer7 packet count(c2s) :&nbsp;<BR />layer7 packet count(s2c) :&nbsp;</P><P>&nbsp;</P><P>If you can by re-running this command still see bytes increasing, it is possible that for c2s, the infected client is still sending some traffic hitting this signature.</P><P>&nbsp;</P><P>Kind Regards</P><P>Pavel</P> Fri, 24 Sep 2021 06:03:11 GMT https://live.paloaltonetworks.com/t5/general-topics/session-end-reason-threat-traffic-allow/m-p/436377#M96261 PavelK 2021-09-24T06:03:11Z https://live.paloaltonetworks.com/t5/general-topics/session-end-reason-threat-traffic-allow/m-p/451467#M101156 <P><STRONG>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/192693">@PavelK</a>&nbsp;</STRONG></P><P>Thanks for the great suggestion<STRONG>.</STRONG></P><P>I think it’s behavior of APP-ID check.</P><P>When traffic through firewall, Palo Alto will try to analysis / handshake those packet and visible it, traffic already sent and received at &nbsp;before spyware identification.</P><P>We just set action Drop to mitigate and reduce rate for event occurs, if we haven’t ip layer info.</P><P>&nbsp;</P><P>thanks</P><P>&nbsp;</P><P>Tyson</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Mon, 06 Dec 2021 02:10:19 GMT https://live.paloaltonetworks.com/t5/general-topics/session-end-reason-threat-traffic-allow/m-p/451467#M101156 Tyson-Liu 2021-12-06T02:10:19Z