https://live.paloaltonetworks.com/t5/general-topics/syslog-udp-session-keep-alive/m-p/525436#M108657 <P>&nbsp;</P> <P>When forwarding logs, they are being sent to udp 514. The udp time out is 30 seconds, and the syslog server actually receives packets every 5 seconds. However, <STRONG>I wonder why the firewall keeps the session longer than 30 seconds</STRONG>. When the time is long, it is several minutes or hours, and sometimes the date passes.</P> <P>&nbsp;</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="스크린샷 2022-12-29 오후 2.34.03.png" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/46553i713A0AD62D5B5680/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="스크린샷 2022-12-29 오후 2.34.03.png" alt="스크린샷 2022-12-29 오후 2.34.03.png" /></span><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="스크린샷 2022-12-29 오후 2.34.50.png" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/46552i6C5E98EDBF7F0C80/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="스크린샷 2022-12-29 오후 2.34.50.png" alt="스크린샷 2022-12-29 오후 2.34.50.png" /></span></P> Thu, 29 Dec 2022 05:38:11 GMT kimjeonghoon 2022-12-29T05:38:11Z https://live.paloaltonetworks.com/t5/general-topics/syslog-udp-session-keep-alive/m-p/525436#M108657 <P>&nbsp;</P> <P>When forwarding logs, they are being sent to udp 514. The udp time out is 30 seconds, and the syslog server actually receives packets every 5 seconds. However, <STRONG>I wonder why the firewall keeps the session longer than 30 seconds</STRONG>. When the time is long, it is several minutes or hours, and sometimes the date passes.</P> <P>&nbsp;</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="스크린샷 2022-12-29 오후 2.34.03.png" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/46553i713A0AD62D5B5680/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="스크린샷 2022-12-29 오후 2.34.03.png" alt="스크린샷 2022-12-29 오후 2.34.03.png" /></span><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="스크린샷 2022-12-29 오후 2.34.50.png" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/46552i6C5E98EDBF7F0C80/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="스크린샷 2022-12-29 오후 2.34.50.png" alt="스크린샷 2022-12-29 오후 2.34.50.png" /></span></P> Thu, 29 Dec 2022 05:38:11 GMT https://live.paloaltonetworks.com/t5/general-topics/syslog-udp-session-keep-alive/m-p/525436#M108657 kimjeonghoon 2022-12-29T05:38:11Z https://live.paloaltonetworks.com/t5/general-topics/syslog-udp-session-keep-alive/m-p/525492#M108677 <P>Hello,</P> <P>Its because they are UDP packets/sessions. Here is an article from Palo Alto on this:</P> <P>&nbsp;</P> <P class="lia-indent-padding-left-30px"><SPAN>When monitoring the traffic logs using&nbsp;&nbsp;</SPAN><I>Monitor &gt; logs &gt; Traffic</I><SPAN>, some traffic is seen with the&nbsp;</SPAN><I>Session End Reason</I><SPAN>&nbsp; as&nbsp;</SPAN><STRONG>aged-out.</STRONG><SPAN>&nbsp; Any traffic that uses UDP or ICMP is seen will have session end reason as&nbsp;</SPAN><STRONG>aged-out<SPAN>&nbsp;</SPAN></STRONG><SPAN>in the traffic log. This is because unlike TCP, there is there is no way for a graceful termination of UDP session and so&nbsp;</SPAN><STRONG>aged-out</STRONG><SPAN>&nbsp;is a legitimate session-end reason for UDP (and ICMP) sessions.&nbsp;</SPAN></P> <P><SPAN><A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PMjLCAW" target="_blank">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PMjLCAW</A></SPAN></P> <P><SPAN>Regards,</SPAN></P> <P>&nbsp;</P> Thu, 29 Dec 2022 21:09:04 GMT https://live.paloaltonetworks.com/t5/general-topics/syslog-udp-session-keep-alive/m-p/525492#M108677 OtakarKlier 2022-12-29T21:09:04Z https://live.paloaltonetworks.com/t5/general-topics/syslog-udp-session-keep-alive/m-p/525538#M108684 <P>If you add "From port", "Packets sent" and "Packets received" columns you can see that until syslog sender is sending traffic from same source port Palo keeps same session open and packets are gathered under same session.&nbsp;</P> <P>If no new packets in this session for 30 seconds then this session is closed.</P> <P>&nbsp;</P> Fri, 30 Dec 2022 16:51:04 GMT https://live.paloaltonetworks.com/t5/general-topics/syslog-udp-session-keep-alive/m-p/525538#M108684 Raido_Rattameister 2022-12-30T16:51:04Z