topic Re: New Feature request or ? in General Topics

New Feature request or ?

Alex_Samad — Sun, 16 Sep 2018 10:03:42 GMT

I would like to have apolicy that just logs and does nothing else - ie the packet keeps getting evaluated.

some times I want to know there is packet there but not process it with that line.

Can this be done already ?

Re: New Feature request or ?

kiwi — Mon, 17 Sep 2018 12:15:39 GMT

Hi @Alex_Samad,

Policies are always evaluated.

I'm guessing you're looking for a tap interface :

https://live.paloaltonetworks.com/t5/Community-Blog/What-s-a-TAP-interface-and-what-can-it-do/ba-p/160019

If this isn't what you're looking for then I'd recommend filing a feature request.

Cheers !

-Kiwi.

Re: New Feature request or ?

Remo — Mon, 17 Sep 2018 15:07:55 GMT

@Alex_Samad wrote:
some times I want to know there is packet there but not process it with that line.

What do you mean exactly with that?

As @kiwi already wrote a TAP interface or a simple any any allow policy with an application override rule may be something for you...

Re: New Feature request or ?

Alex_Samad — Mon, 17 Sep 2018 21:50:13 GMT

Don't think i have worded it properly.

I want to add a policy say at the top that does match but doesn't allow the packet - just matches and say marks it or logs it . but then the packet/ stream still get evaluated later.

Re: New Feature request or ?

gwesson — Mon, 17 Sep 2018 22:27:24 GMT

Logging every new packet will likely flood you with logs that aren't really valuable, but you can do it. For each policy that will be evaluated, select "Log at session start" under the Actions tab in the security rule.

Every single new packet that gets installed as a new session will be logged before the rules themselves are processed. This will increase the load on the management plane, because of the extra logging. It will also reduce the number of completed logs you can store, since you're effectively logging everything twice.

What problem are you trying to solve? Maybe your use case will help the community understand the goal, and get you there without using the policy approach you're attempting.

Re: New Feature request or ?

Alex_Samad — Mon, 17 Sep 2018 23:59:23 GMT

Sorry that seems a but silly I already log all polices so currently each packet creates 1 log entry. so if I wasn stupid and added any any log then I would double the amount of logging.

sorry what extra logging. each packet is processed as it is already

For example in iptables I can have chains that process lines and just log them. so lets say I want to see all the packets from a specif host that meet a specific criteria. but I don't want to allow it I just want to register it in the logs and then have the normal process of the rules happen

Re: New Feature request or ?

Alex_Samad — Thu, 20 Sep 2018 00:58:02 GMT

Lets say for example I want to capture all traffic from a specific location to a specific dest.. but I don't want the rule to allow, just to log. I would place this at the top of the policies

Re: New Feature request or ?

kiwi — Thu, 20 Sep 2018 07:23:17 GMT

@Alex_Samad,

Not possible in the way you're describing it as far as I know. The rule will always be evaluated as per the action you configured on it.

I'd use the TAP solution as proposed earlier or a 3rd party solution like SNORT could maybe help you.

Cheers !

-Kiwi.

Re: New Feature request or ?

Alex_Samad — Thu, 20 Sep 2018 07:27:26 GMT

Yep I understand its not possible now.

Thats why i raised this. the action could be to continue and log ?

But I get the impression its not something people might want 🙂

Re: New Feature request or ?

kiwi — Thu, 20 Sep 2018 07:30:25 GMT

@Alex_Samad,

I can see how this can be usefull 🙂

It wouldn't hurt asking your local SE to file a feature request for this.

If it gets enough votes then it might be added to a future release.

Cheers !

-Kiwi.