https://live.paloaltonetworks.com/t5/general-topics/no-logs-for-matched-rule/m-p/566476#M114477 <P>Hello everyone,</P> <P>&nbsp;</P> <P>We are facing a strange problem with one of our PA-220.</P> <P>I created a rule to allow all traffic between 2 different zones with our default log settings. The problem is that I only see a hand full hits and nothing in the traffic log.</P> <P>Yes there is traffic because I see it when I start the paket capture. There is traffic in booth directions. When I disable the created policy I also see droped traffic in the "interzone-default deny" policy. After enabling the policy I didn't see the deny that traffic anymore because the rule match. I also tried the "Test Policy Match" and it shows also the created rule.</P> <P>The traffic I'm searching is SIP Port 5060. The same policy match for example ICMP Ping which I see in the Traffic log!</P> <P>&nbsp;</P> <P>Anyone an idea why I didn't see my SIP traffic but ICMP traffic?</P> <P>&nbsp;</P> <P>Thank you</P> Tue, 21 Nov 2023 12:06:39 GMT ARiegebauer 2023-11-21T12:06:39Z https://live.paloaltonetworks.com/t5/general-topics/no-logs-for-matched-rule/m-p/566476#M114477 <P>Hello everyone,</P> <P>&nbsp;</P> <P>We are facing a strange problem with one of our PA-220.</P> <P>I created a rule to allow all traffic between 2 different zones with our default log settings. The problem is that I only see a hand full hits and nothing in the traffic log.</P> <P>Yes there is traffic because I see it when I start the paket capture. There is traffic in booth directions. When I disable the created policy I also see droped traffic in the "interzone-default deny" policy. After enabling the policy I didn't see the deny that traffic anymore because the rule match. I also tried the "Test Policy Match" and it shows also the created rule.</P> <P>The traffic I'm searching is SIP Port 5060. The same policy match for example ICMP Ping which I see in the Traffic log!</P> <P>&nbsp;</P> <P>Anyone an idea why I didn't see my SIP traffic but ICMP traffic?</P> <P>&nbsp;</P> <P>Thank you</P> Tue, 21 Nov 2023 12:06:39 GMT https://live.paloaltonetworks.com/t5/general-topics/no-logs-for-matched-rule/m-p/566476#M114477 ARiegebauer 2023-11-21T12:06:39Z https://live.paloaltonetworks.com/t5/general-topics/no-logs-for-matched-rule/m-p/566478#M114478 <P>are your sip sessions long lived? a log is only created once a session ends so you wont see anything as long as the session is active</P> <P>you can trace your sessions via `show session all filter source x destination y' (or from zoneX to zoneY)</P> Tue, 21 Nov 2023 12:18:31 GMT https://live.paloaltonetworks.com/t5/general-topics/no-logs-for-matched-rule/m-p/566478#M114478 reaper 2023-11-21T12:18:31Z https://live.paloaltonetworks.com/t5/general-topics/no-logs-for-matched-rule/m-p/566479#M114479 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/173549">@ARiegebauer</a> ,</P> <P>&nbsp;</P> <P>The solution is most likely what <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/7608">@reaper</a> said.&nbsp; In addition to the CLI he mentioned you can see the sessions:</P> <P>&nbsp;</P> <OL> <LI>Under Monitor &gt; Session Browser (active sessions)</LI> <LI>If you really want to see the logs in the traffic log you can check the Log at Session Start box in addition to Log at Session end for the 1 security policy rule.&nbsp; This "<SPAN><SPAN class="richTextArea slds-text-longform tile__title red-txt">puts extra load on the management plane's CPU</SPAN></SPAN>" but should be fine for only 1 rule.&nbsp; <A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Clt5CAC" target="_blank">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Clt5CAC</A></LI> </OL> <P>Thanks,</P> <P>&nbsp;</P> <P>Tom</P> Tue, 21 Nov 2023 12:30:56 GMT https://live.paloaltonetworks.com/t5/general-topics/no-logs-for-matched-rule/m-p/566479#M114479 TomYoung 2023-11-21T12:30:56Z https://live.paloaltonetworks.com/t5/general-topics/no-logs-for-matched-rule/m-p/566481#M114480 <P>I see a session in the session browser. Does it mean that there is an active session since 23:13:07 and it is still open and it should work?</P> <P>&nbsp;</P> <P>&nbsp;</P> Tue, 21 Nov 2023 12:48:53 GMT https://live.paloaltonetworks.com/t5/general-topics/no-logs-for-matched-rule/m-p/566481#M114480 ARiegebauer 2023-11-21T12:48:53Z https://live.paloaltonetworks.com/t5/general-topics/no-logs-for-matched-rule/m-p/566483#M114481 <P>Exactly!</P> Tue, 21 Nov 2023 13:06:32 GMT https://live.paloaltonetworks.com/t5/general-topics/no-logs-for-matched-rule/m-p/566483#M114481 TomYoung 2023-11-21T13:06:32Z