https://live.paloaltonetworks.com/t5/general-topics/allow-and-then-drop/m-p/71448#M40797 <P>If this is a user and&nbsp;you're seeing a lot of threat logs matching his or her IP address, it would certainly warrant you taking a look and running a couple of virus scans on the machine</P> <P>&nbsp;</P> Fri, 22 Jan 2016 14:17:06 GMT reaper 2016-01-22T14:17:06Z https://live.paloaltonetworks.com/t5/general-topics/allow-and-then-drop/m-p/71440#M40792 <P>I have traffic that is showing up and allowed and dropped. What does that mean?</P> <P>&nbsp;</P> <P>&nbsp;</P> Fri, 22 Jan 2016 13:17:48 GMT https://live.paloaltonetworks.com/t5/general-topics/allow-and-then-drop/m-p/71440#M40792 jdprovine 2016-01-22T13:17:48Z https://live.paloaltonetworks.com/t5/general-topics/allow-and-then-drop/m-p/71441#M40793 <P>Hi</P> <P>&nbsp;</P> <P>Could you show us an example through a screenshot ?</P> <P>It may be that you have logging set to start and end of session and that a connection is first being allowed but later denied due to the application morphing into a blocked app</P> Fri, 22 Jan 2016 13:21:35 GMT https://live.paloaltonetworks.com/t5/general-topics/allow-and-then-drop/m-p/71441#M40793 reaper 2016-01-22T13:21:35Z https://live.paloaltonetworks.com/t5/general-topics/allow-and-then-drop/m-p/71443#M40794 <P>Yes here it is&nbsp;<IMG src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/2166i562A4E78C1BCF339/image-size/original?v=mpbl-1&amp;px=-1" border="0" alt="allowblock.png" title="allowblock.png" /></P> Fri, 22 Jan 2016 13:49:04 GMT https://live.paloaltonetworks.com/t5/general-topics/allow-and-then-drop/m-p/71443#M40794 jdprovine 2016-01-22T13:49:04Z https://live.paloaltonetworks.com/t5/general-topics/allow-and-then-drop/m-p/71446#M40795 <P>if you look at the bottom 2 lines, you can see that in the column 'log' you have a threat entry and a traffic entry</P> <P>this means that the initial dns connection was allowed to go out to the internet, but then a malicious dns query was detected by a security profile (spyware) and blocked.</P> <P>&nbsp;</P> <P>there are 2 different databases that collect log information regarding a session:</P> <UL> <LI><SPAN style="font-size: 12.88px; line-height: 18.4px;">traffic log: this simply records if a tcp connection is allowed through or not by security policy</SPAN></LI> <LI><SPAN style="font-size: 12.88px; line-height: 18.4px;">threat log: this records, independently of the traffic log, if a threat is detected and which action is taken, if any</SPAN></LI> </UL> <P>&nbsp;</P> <P><SPAN style="font-size: 12.88px; line-height: 18.4px;">so it's possible a sssion is allowed through by a security policy, but then after it has aleready started gets blocked because a threat is detected</SPAN></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>hope this helps</P> <P>Tom</P> Fri, 22 Jan 2016 13:58:39 GMT https://live.paloaltonetworks.com/t5/general-topics/allow-and-then-drop/m-p/71446#M40795 reaper 2016-01-22T13:58:39Z https://live.paloaltonetworks.com/t5/general-topics/allow-and-then-drop/m-p/71447#M40796 <P>So as long as the users has spyware on his machine he will continue to back on the door of the PA and then get denied. According to the predefined report the user is number 5 of the top sessions on the PA should I be concerned about that?</P> Fri, 22 Jan 2016 14:10:19 GMT https://live.paloaltonetworks.com/t5/general-topics/allow-and-then-drop/m-p/71447#M40796 jdprovine 2016-01-22T14:10:19Z https://live.paloaltonetworks.com/t5/general-topics/allow-and-then-drop/m-p/71448#M40797 <P>If this is a user and&nbsp;you're seeing a lot of threat logs matching his or her IP address, it would certainly warrant you taking a look and running a couple of virus scans on the machine</P> <P>&nbsp;</P> Fri, 22 Jan 2016 14:17:06 GMT https://live.paloaltonetworks.com/t5/general-topics/allow-and-then-drop/m-p/71448#M40797 reaper 2016-01-22T14:17:06Z https://live.paloaltonetworks.com/t5/general-topics/allow-and-then-drop/m-p/71449#M40798 <P>I agree but my helpdesk did not LOL.&nbsp;</P> Fri, 22 Jan 2016 14:20:47 GMT https://live.paloaltonetworks.com/t5/general-topics/allow-and-then-drop/m-p/71449#M40798 jdprovine 2016-01-22T14:20:47Z