<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: explanation of a paloalto log in General Topics</title>
    <link>https://live.paloaltonetworks.com/t5/general-topics/explanation-of-a-paloalto-log/m-p/179542#M55695</link>
    <description>&lt;P&gt;Is it possible a column was shifted and this is actually the byte count? What is shown in the GUI if you open the detailed view of this log?&lt;/P&gt;
&lt;P&gt;Normally 'from-policy' should be located in the column 'action_source' (meaning 'who decided what to do with this session'), so I believe your log columns are incorrect.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Secondly: the log is regarding a non-syn-tcp packet. This type of packet is normally discarded as it is not part of a normal session and can be malicious. In this case it is being allowed through, so it appears you have a manual override in place to temporarily allow these packets.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;I'd recommend re-enabling the TCP check to drop these types of packets.&lt;/P&gt;</description>
    <pubDate>Mon, 02 Oct 2017 08:44:37 GMT</pubDate>
    <dc:creator>reaper</dc:creator>
    <dc:date>2017-10-02T08:44:37Z</dc:date>
    <item>
      <title>explanation of a paloalto log</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/explanation-of-a-paloalto-log/m-p/179450#M55685</link>
      <description>&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;PRE&gt;2017/06/07 10:40:02,TRAFFIC,end,10.100.28.51,183.61.xxx.xxx,Inside-to-Outside,15523xxx,,non-syn-tcp,80,tcp,allow,384,384,0,7,2017/06/07 10:36:53,any,6469463962,0x0,10.0.0.0-10.255.255.255,0,0,from-policy
1 "ReceiveTime" = 2017/06/07 10:40:02,
2 "Type" = TRAFFIC
3 "ThreatContentType" = end
4 "SourceAddress" = 10.100.28.51
5 "DestinationAddress" = 183.61.xxx.xxx
6 "Rule" = Inside-to-Outside
7 "SourceUser" = 15523xxx
8 "DestinationUser" = -
9 "Application" = non-syn-tcp
10 "DestinationPort" = 80
11 "IPProtocol" = tcp
12 "Action" = allow
13 "URL" = 384
14 "ThreatContentName" = 384
15 "Category" = 0
16 "Reportid" = 7
17 "Severity" = 2017/06/07 10:36:53
18 "Seqno" = any
19 "SourceCountry" = 6469463962
20 "DestinationCountry" = 0x0
21 "Content" = 10.0.0.0-10.255.255.255
22 "ContentType" = 0
23 "Filetype" = 0
24 "Recipient" = from-policy&lt;/PRE&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I have a Palo Alto log, but&amp;nbsp;I do not understand the meaning of some of the contents of the log. Can you explain the purpose of URL = 384, ThreatContentName = 384, Category = 0, Reportid = 7, Severity = 2017/06/07 10:36:53, Recipient = from-policy?&lt;/P&gt;&lt;P&gt;Is there a paper, documentation or something that discusses it?&lt;/P&gt;</description>
      <pubDate>Sat, 30 Sep 2017 04:55:02 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/explanation-of-a-paloalto-log/m-p/179450#M55685</guid>
      <dc:creator>BaharudinYusuf</dc:creator>
      <dc:date>2017-09-30T04:55:02Z</dc:date>
    </item>
    <item>
      <title>Re: explanation of a paloalto log</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/explanation-of-a-paloalto-log/m-p/179542#M55695</link>
      <description>&lt;P&gt;Is it possible a column was shifted and this is actually the byte count? What is shown in the GUI if you open the detailed view of this log?&lt;/P&gt;
&lt;P&gt;Normally 'from-policy' should be located in the column 'action_source' (meaning 'who decided what to do with this session'), so I believe your log columns are incorrect.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Secondly: the log is regarding a non-syn-tcp packet. This type of packet is normally discarded as it is not part of a normal session and can be malicious. In this case it is being allowed through, so it appears you have a manual override in place to temporarily allow these packets.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;I'd recommend re-enabling the TCP check to drop these types of packets.&lt;/P&gt;</description>
      <pubDate>Mon, 02 Oct 2017 08:44:37 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/explanation-of-a-paloalto-log/m-p/179542#M55695</guid>
      <dc:creator>reaper</dc:creator>
      <dc:date>2017-10-02T08:44:37Z</dc:date>
    </item>
  </channel>
</rss>

