https://live.paloaltonetworks.com/t5/general-topics/disabled-policy-rules/m-p/68610#M39995 <P>disabled rules are not active in the system, this can be seen through the following command:</P> <P>&nbsp;</P> <PRE>&gt; show running security-policy</PRE> <P>If the disabled rule is at the bottom of the policy it could be that the incomplete session "hits" these for logging purposes</P> <P>&nbsp;</P> <P>What happens is that the system accepts a syn packet and starts building up a session once the syn packet is allowed to pass throught</P> <P>If then the session is disrupted, the process of properly building the session and matching an appropriate App-ID and security policy fails and the session is discarded. The system then will still create a log entry and will need to have a 'rule' but since the session was disrupted before a security&nbsp; policy was properly matched, it will not have a proper security policy to add to the log. it can either use a security policy that was matched for the initial handshake, or if it matched an implied rule, one of the last rules in the policy.</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>tom</P> Wed, 25 Nov 2015 08:56:08 GMT reaper 2015-11-25T08:56:08Z https://live.paloaltonetworks.com/t5/general-topics/disabled-policy-rules/m-p/68545#M39956 <P>Hi,</P> <P>&nbsp;</P> <P>Under monitoring , still disabled policy rules matching to some some session . <BR />And the session status are most of them 'incomplete' .<BR />Why ? <BR />Thanks</P> Tue, 24 Nov 2015 15:29:49 GMT https://live.paloaltonetworks.com/t5/general-topics/disabled-policy-rules/m-p/68545#M39956 sib2017 2015-11-24T15:29:49Z https://live.paloaltonetworks.com/t5/general-topics/disabled-policy-rules/m-p/68589#M39981 <P>This article gives the full definitions for incomplete status. &nbsp;Basically, there is either not a full tcp handshake or not enough data to identify the flow.</P> <P>&nbsp;</P> <P><A href="https://live.paloaltonetworks.com/t5/Management-Articles/Not-Applicable-Incomplete-Insufficient-Data-in-the-Application/ta-p/65711" target="_blank">https://live.paloaltonetworks.com/t5/Management-Articles/Not-Applicable-Incomplete-Insufficient-Data-in-the-Application/ta-p/65711</A></P> Tue, 24 Nov 2015 23:32:00 GMT https://live.paloaltonetworks.com/t5/general-topics/disabled-policy-rules/m-p/68589#M39981 pulukas 2015-11-24T23:32:00Z https://live.paloaltonetworks.com/t5/general-topics/disabled-policy-rules/m-p/68607#M39993 <P>Are you saying traffic is matching disabled rules?</P> Wed, 25 Nov 2015 06:41:06 GMT https://live.paloaltonetworks.com/t5/general-topics/disabled-policy-rules/m-p/68607#M39993 gtomte 2015-11-25T06:41:06Z https://live.paloaltonetworks.com/t5/general-topics/disabled-policy-rules/m-p/68610#M39995 <P>disabled rules are not active in the system, this can be seen through the following command:</P> <P>&nbsp;</P> <PRE>&gt; show running security-policy</PRE> <P>If the disabled rule is at the bottom of the policy it could be that the incomplete session "hits" these for logging purposes</P> <P>&nbsp;</P> <P>What happens is that the system accepts a syn packet and starts building up a session once the syn packet is allowed to pass throught</P> <P>If then the session is disrupted, the process of properly building the session and matching an appropriate App-ID and security policy fails and the session is discarded. The system then will still create a log entry and will need to have a 'rule' but since the session was disrupted before a security&nbsp; policy was properly matched, it will not have a proper security policy to add to the log. it can either use a security policy that was matched for the initial handshake, or if it matched an implied rule, one of the last rules in the policy.</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>tom</P> Wed, 25 Nov 2015 08:56:08 GMT https://live.paloaltonetworks.com/t5/general-topics/disabled-policy-rules/m-p/68610#M39995 reaper 2015-11-25T08:56:08Z