topic Re: 8.1.2 file-blocking / logging traffic direction in General Topics

8.1.2 file-blocking / logging traffic direction

ABux — Tue, 03 Jul 2018 13:28:10 GMT

Hi all,

after updating from 8.0.x to 8.1.2 we noticed the following behaviour:

In the Data Filtering Monitor the direction of the traffic has moved.

Connections previously shown as 'from internt to lan' are now shown as 'from lan to internet'.

This when downloading a file.

A colleague just remembered that there was a notice that all traffic logs will be changed to be in the same order.

But I did not find this in the release notes.

I have a file blocking profile configured to the internet policy which matches my connection.

This policy will deny uploads and allow downloads.

But after the update the download is blocked.

So it looks like the logging of the traffic was changed but these direction will not be noticed for file blocking correctly.

Does anyone notice a similar problem?

I am sorry I can not test if the upload is working now, instead.

Kind regards,

Andi

Re: 8.1.2 file-blocking / logging traffic direction

gwesson — Thu, 05 Jul 2018 22:03:14 GMT

You're correct, there was a change in 8.1 for the directionality, but I also cannot find any specific documentation on this.

The direction of certain logs was purposefully altered in 8.0 and older to help readability for logs like Threat and Data. The "source" and "destination" fields are changed to "Attacker" and "Victim", and because the victim is generally the user (not the external web server) that swap makes sense.

Here's a good article discussing it:

https://live.paloaltonetworks.com/t5/Management-Articles/Threat-Logs-Show-Inverted-Reversed-Direction-for-Source-and/ta-p/55493

The problem was that in 8.0 the Unified Logs page was added, allowing admins to review all the different logs in one place. When the Threat and Data logs were viewed along with the Traffic log, the swapping of addresses loses its context because the Unified Log page only has one field for each IP ("Source address" and "Destination address").

Thus, 8.1 stops doing that so the Unified Logs don't have a weirdly swapped source/destination ip/port. If you've still got an 8.0 firewall check out the columns in the Threat Log and you'll see Attacker and Victim instead of Source Address and Destination Address.

Re: 8.1.2 file-blocking / logging traffic direction

jvalentine — Thu, 05 Jul 2018 22:58:44 GMT

Thanks for the additional detail @gwesson !

I've historically used log filters such as (addr in x.x.x.x) in the unified log.

That way, it catches any of the logs relating to x.x.x.x either as "source" or "destination"... this includes both uploads & downloads, client/tcp-initiator & server, attacker & victim, etc.

I'll have to keep an eye out for the changes in 8.1.

Re: 8.1.2 file-blocking / logging traffic direction

ABux — Mon, 09 Jul 2018 07:22:14 GMT

Thank you gwesson for the detailed description.

I will have a deeper look into it at different Pan-OS versions.

Best regards,

Andreas