How to Identify If there was an allowed traffic from external suspicious IP in Panorama.

Naveen4025 — Fri, 30 Jun 2023 02:54:08 GMT

Hello All,

I'm a bit confused to understand the exact process. When monitoring the traffic from an external source ip (malicious one) and checking the logs in Pano see that session end reason was "tc-fin" and type was either "drop or end" with action being "allowed".

Does this mean that , traffic has been blocked by the firewall or dropped by the firewall ?
In what cases, can I come to know if the traffic is allowed and a session made by a external suspicious ip towards internal IP

Please help me in this clarification.

Re: How to Identify If there was an allowed traffic from external suspicious IP in Panorama.

reaper — Fri, 30 Jun 2023 07:15:07 GMT

tcp-fin means the session was graciously ended, which means the initial connection was allowed

a session that was blocked will have 'deny' or 'drop' in the action

'end' in the type is an allowed session, 'drop' or'deny' in the type is a blocked session

can you please provide a screenshot of what you're seeing?

topic Re: How to Identify If there was an allowed traffic from external suspicious IP in Panorama. in General Topics

How to Identify If there was an allowed traffic from external suspicious IP in Panorama.

Re: How to Identify If there was an allowed traffic from external suspicious IP in Panorama.