https://live.paloaltonetworks.com/t5/general-topics/how-to-identify-long-live-session-s/m-p/92171#M43697 <P>I think session table shows up to 1024 sessions at once.</P><P>If you don't have too many sessions then you could export from cli.</P><P>show session all start-at 1</P><P>show session all start-at 1025</P><P>etc</P><P>&nbsp;</P><P>By the way ACC data comes directly from dataplane and it does not matter if sec policy has "log at session start" and "log at session end" checked - ACC still shows everything. ACC is not real time - it has 15 min delay.</P><P>&nbsp;</P> Sat, 25 Jun 2016 15:25:28 GMT Raido_Rattameister 2016-06-25T15:25:28Z https://live.paloaltonetworks.com/t5/general-topics/how-to-identify-long-live-session-s/m-p/92145#M43694 <P>Hello,</P><P>&nbsp;</P><P>I am trying to identify those long live sessions on my firewall, &nbsp;I mean those session(s) that never ended for weeks at a time.</P><P>&nbsp;</P><P>This is what I found out so far.</P><P>&nbsp;</P><P>1. &nbsp;I can't export the whole session log to perform offline analysis,</P><P>2, &nbsp;I did not find anything related to session start time as filter under show session all filter.</P><P>3. &nbsp;ACC will only record when a session is closed, I don't believe ACC will show that session data (session #, packets used, bytes used) until the session is ended.</P><P>&nbsp;</P><P>Any suggestion? &nbsp;</P><P>&nbsp;</P><P>Thanks in advanced,</P><P>&nbsp;</P><P>E&nbsp;</P> Sat, 25 Jun 2016 11:56:14 GMT https://live.paloaltonetworks.com/t5/general-topics/how-to-identify-long-live-session-s/m-p/92145#M43694 nextgenhappines 2016-06-25T11:56:14Z https://live.paloaltonetworks.com/t5/general-topics/how-to-identify-long-live-session-s/m-p/92171#M43697 <P>I think session table shows up to 1024 sessions at once.</P><P>If you don't have too many sessions then you could export from cli.</P><P>show session all start-at 1</P><P>show session all start-at 1025</P><P>etc</P><P>&nbsp;</P><P>By the way ACC data comes directly from dataplane and it does not matter if sec policy has "log at session start" and "log at session end" checked - ACC still shows everything. ACC is not real time - it has 15 min delay.</P><P>&nbsp;</P> Sat, 25 Jun 2016 15:25:28 GMT https://live.paloaltonetworks.com/t5/general-topics/how-to-identify-long-live-session-s/m-p/92171#M43697 Raido_Rattameister 2016-06-25T15:25:28Z https://live.paloaltonetworks.com/t5/general-topics/how-to-identify-long-live-session-s/m-p/92191#M43700 <P>Raido,</P><P>&nbsp;</P><P>I thought about that, but the firewall have about 1 million active sessions &nbsp;+/- &nbsp;250k at any given time. &nbsp; &nbsp;I was trying to look up how does ACC work, do you have a link to a techdoc? &nbsp; For sure, &nbsp;I am seeing long live session does not show up on ACC until the session is closed.</P><P>&nbsp;</P><P>-E</P> Sat, 25 Jun 2016 17:53:19 GMT https://live.paloaltonetworks.com/t5/general-topics/how-to-identify-long-live-session-s/m-p/92191#M43700 nextgenhappines 2016-06-25T17:53:19Z https://live.paloaltonetworks.com/t5/general-topics/how-to-identify-long-live-session-s/m-p/92336#M43710 <P>How about using custom report?</P><P>If you select 'traffic log (detailed log, not summary database), you can use one column named 'elapsed time (sec)'.</P><P>&nbsp;</P> Mon, 27 Jun 2016 05:50:22 GMT https://live.paloaltonetworks.com/t5/general-topics/how-to-identify-long-live-session-s/m-p/92336#M43710 emr_1 2016-06-27T05:50:22Z https://live.paloaltonetworks.com/t5/general-topics/how-to-identify-long-live-session-s/m-p/92430#M43719 <P>In this case all security policies should have "log at session start" that is not default.</P><P>It is nice option but writes a lot more log and log retention period is shorter.</P> Mon, 27 Jun 2016 10:33:07 GMT https://live.paloaltonetworks.com/t5/general-topics/how-to-identify-long-live-session-s/m-p/92430#M43719 Raido_Rattameister 2016-06-27T10:33:07Z https://live.paloaltonetworks.com/t5/general-topics/how-to-identify-long-live-session-s/m-p/92469#M43723 <P>I will need to try the custom report. &nbsp; Thanks for the tips.</P> Mon, 27 Jun 2016 14:00:04 GMT https://live.paloaltonetworks.com/t5/general-topics/how-to-identify-long-live-session-s/m-p/92469#M43723 nextgenhappines 2016-06-27T14:00:04Z https://live.paloaltonetworks.com/t5/general-topics/how-to-identify-long-live-session-s/m-p/541747#M111021 <P>How about using the XML API calls on the firewall and filtering by min-age?</P> <P>&nbsp;</P> <P>604800 seconds is a week.</P> <P><BR />/api/?type=op&amp;cmd=&lt;show&gt;&lt;session&gt;&lt;all&gt;&lt;filter&gt;&lt;min-age&gt;604800&lt;/min-age&gt;&lt;/filter&gt;&lt;/all&gt;&lt;/session&gt;&lt;/show&gt;</P> Wed, 10 May 2023 19:42:18 GMT https://live.paloaltonetworks.com/t5/general-topics/how-to-identify-long-live-session-s/m-p/541747#M111021 William-Wu 2023-05-10T19:42:18Z