https://live.paloaltonetworks.com/t5/general-topics/identify-policy-deny-source/m-p/208306#M60978 <P>I am seeing some decrypted sessions hitting an allow rule, but the session end reason gets logged as a "policy-deny".&nbsp; Here is a screenshot of one example:</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="policy deny.PNG" style="width: 800px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/14592i781238F348703B52/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="policy deny.PNG" alt="policy deny.PNG" /></span></P><P>In the above example, rule "outbound" is configured as:</P><P>Source Zone: MSUN</P><P>Source Address: Any</P><P>Destination Zone: Charter</P><P>Destination Address: Any</P><P>Application: Any</P><P>Service: Any</P><P>Action: Allow</P><P>Security Profile: Security Group 1</P><P>&nbsp;</P><P>How do I go about finding the reason this traffic is getting denied?&nbsp; I've been told to check the URL Filtering log, but I'm not finding any matching logs for this session there.</P> Fri, 30 Mar 2018 20:49:38 GMT CastawayKid 2018-03-30T20:49:38Z https://live.paloaltonetworks.com/t5/general-topics/identify-policy-deny-source/m-p/208306#M60978 <P>I am seeing some decrypted sessions hitting an allow rule, but the session end reason gets logged as a "policy-deny".&nbsp; Here is a screenshot of one example:</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="policy deny.PNG" style="width: 800px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/14592i781238F348703B52/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="policy deny.PNG" alt="policy deny.PNG" /></span></P><P>In the above example, rule "outbound" is configured as:</P><P>Source Zone: MSUN</P><P>Source Address: Any</P><P>Destination Zone: Charter</P><P>Destination Address: Any</P><P>Application: Any</P><P>Service: Any</P><P>Action: Allow</P><P>Security Profile: Security Group 1</P><P>&nbsp;</P><P>How do I go about finding the reason this traffic is getting denied?&nbsp; I've been told to check the URL Filtering log, but I'm not finding any matching logs for this session there.</P> Fri, 30 Mar 2018 20:49:38 GMT https://live.paloaltonetworks.com/t5/general-topics/identify-policy-deny-source/m-p/208306#M60978 CastawayKid 2018-03-30T20:49:38Z https://live.paloaltonetworks.com/t5/general-topics/identify-policy-deny-source/m-p/208320#M60979 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/77499">@CastawayKid</a></P><P>&nbsp;</P><P>In a normal situation the url filtering log would be a good start. Even better would be to use the unified log view in such a case, as it shows all logtypes in one view. This way you probably see the problem way earlier than searching through the diffetent logs independently.</P><P>&nbsp;</P><P>The "issue" you are facing here is a little more complex, because there actually is no other log entry than the one in your screenshot. If you really want to know what happens you need to dig deeper: with packet captures to check what the client and server actually send and with a flow basic analysis so see what the firewall is doing with the server and/or client traffic.</P><P>&nbsp;</P><P>But for exactly this situation I already created a TAC case a while ago and the reason simply is: there is a decryption problem happening here.</P><P>Because of some reason the firewall is not able to decrypt this session, so the traffic (action allow comes from the security policy) is denied by the decryption policy.</P><P>&nbsp;</P><P>Regards,</P><P>Remo</P><P>&nbsp;</P><P>PS: The actual answer from TAC I have posted here (the last post in this topic):&nbsp;<A href="https://live.paloaltonetworks.com/t5/General-Topics/Action-and-Session-End-Reason-conflict-when-SSL-decryption/m-p/163593#M52946" target="_blank">https://live.paloaltonetworks.com/t5/General-Topics/Action-and-Session-End-Reason-conflict-when-SSL-decryption/m-p/163593#M52946</A></P> Sat, 31 Mar 2018 12:12:54 GMT https://live.paloaltonetworks.com/t5/general-topics/identify-policy-deny-source/m-p/208320#M60979 Remo 2018-03-31T12:12:54Z https://live.paloaltonetworks.com/t5/general-topics/identify-policy-deny-source/m-p/208396#M60999 <P>Alright, thank you for the response and information from your Support experience.</P> Mon, 02 Apr 2018 14:42:17 GMT https://live.paloaltonetworks.com/t5/general-topics/identify-policy-deny-source/m-p/208396#M60999 CastawayKid 2018-04-02T14:42:17Z