topic Re: Bittorent session identification in General Topics

Bittorent session identification

lauro7 — Fri, 09 Mar 2012 11:45:48 GMT

On PA-500 with PAN-OS 4.0.7, I have seen a session on dashboard-top application-last hour, but in corresponding ACC and in Monitor Traffic Log I don't find a record session. There is any reason ? Thanks

Re: Bittorent session identification

mikand — Fri, 09 Mar 2012 23:28:36 GMT

How did you search for it in the traffic log?

Re: Bittorent session identification

lauro7 — Sat, 10 Mar 2012 09:29:31 GMT

I searched for it by a filter in traffic monitor as (app eq bittorrent). But today I found a similar problem with another app: sip, with only 4 session displayed on top-appl on dashboard and no records in ACC and in traffic monitor. I attach some screenshots from dashboard, ACC and monitor traffic.

Re: Bittorent session identification

mikand — Sat, 10 Mar 2012 09:48:47 GMT

I assume you simply clicked on the sip area in the "top applications" in dashboard and ended up in the second screenshot?

My first thought then was that you would need to modify "Time" (which is currently Last Hour) but the top applications in dashboard is also regarding last hour so that shouldnt matter.

Can you verify that you in your security rules have enabled logging (this is made per security rule, you would also need to add a default deny in the end and configure that to log aswell since the "hidden" last rule (not visible in GUI) which does default deny have logging turned off)?

As a debug enable logging for both session start and session end (later in production you would normally just need logging on session end (if you want to keep logvolumes down) because then you get additional info such as session length and datavolume transmitted which session start lacks).

I think you need to have logging enabled in your security rules for the traffic to show up in the traffic log.

However the ACC shouldnt be empty...

I guess you have already verified that your PAN box have downloaded the latest app-db and such (and you also commited after the download)?

Also is it possible for you to update to latest 4.1.x (I think its currently 4.1.4 or so) just to rule out any known bugs?

Re: Bittorent session identification

lauro7 — Sat, 10 Mar 2012 13:57:32 GMT

I have done troubleshooting of the ghost sessions and I found this:

the bittorent and sip traffic come in from the Internet zone to Internet zone (the reason of this is still unknown)
I didn't find records into traffic monitor because there wasn't any security policy that matched and logged that traffic
although the policy wasn't set, the dashboard showed that applications on the top-app, because there was a bit of traffic from Trust Zone to Internet Zone and then, in that circumstance, sip and bittorrent were top-app.
ACC anyway didn't show any record of sip and bittorrent within that time period (none in last-hour, none in last-day,...) : is this behaviour dependent on the enabled logging in the security policy ?

What do you think about ?

Thanks

Re: Bittorent session identification

jdelio — Thu, 05 Apr 2012 19:59:35 GMT

You asked:

"is this behaviour dependent on the enabled logging in the security policy ?"

Answer:

Yes, Just like URL filtering.. it cannot report upon something unless you are logging the traffic inside of a security policy.

Also, if traffic same zone to same zone, it will also not report and will be allowed by default.. but you prob already knew that one.