topic PRe: Session End reason & Application Status in General Topics

Session End reason & Application Status

ndeshmukh — Tue, 07 Aug 2018 06:11:53 GMT

I would like to know about Palo Alto firewall Session End reason, why we are getting those reasons & how we can resolve the issue.

For example:

tcp-rst-from-client—> it mean the client sent a TCP reset to the server.

tcp-rst-from-server—> it mean the server sent a TCP reset to the client.

Aged-Out -> Session Time out

But I am looking for the solution how we can resolve that issue

Simillarly I would like to know about Application status:

What exactly mean by "Incomplete", "Unknow" & so on... How we can resolve these issue.

Your help would be greatly appreciated.

Re: Session End reason & Application Status

santonic — Tue, 07 Aug 2018 07:27:54 GMT

For session end reason you don't have to do anything on PA (unless it's actually denied by PA). And reset (either by server or client) is a normal ending of TCP session. Session time out is also a normal occurence for non TCP sessions. So no action is needed there, these are just helpful info PA provides.

Incomplete means TCP 3 way handhsake didn't finish. It can be either routing issue or just destination server not listening on that port.

Unknown-tcp (or -udp) means there is some traffic passing through FW but PA can't recognise the application. These are the cases you should investigate; what is at source IP, which service is listening at destination IP, maybe do a packet capture for this traffic...

Idea is to identify the traffic as you don't want any unknown traffic in your network. Once you identify it and find the reason you can either block it or tell PA how to identify it (by Application Override or with custom application signature).

Re: Session End reason & Application Status

Remo — Tue, 07 Aug 2018 21:52:23 GMT

Incomplete could also mean that the tcp handshake did finish and then the server resets the connection right after that handshake

Re: Session End reason & Application Status

Diyar.m — Thu, 08 Oct 2020 04:39:17 GMT

If I have a ping between client and server, that means I have routing. Is there anything else I have to look at it?

Re: Session End reason & Application Status

SutareMayur — Fri, 09 Oct 2020 13:28:44 GMT

@Diyar.m,

Ping uses ICMP. Normally tcp-rst-from-server or tcp-rst-from-client is related TCP sessions traveling via firewall. Its just showing what was the reason for end of session. As already stated by @santonic It is not palo alto who is doing anything to the session unless it block anything explicitly. Such TCP RST flags are indication of the TCP session end from any side (client/server).

@ndeshmukh,

Incomplete in the Application Field - It means either TCP 3 way handshake between client and server is not completed or the handshake did completed but there was no data to consider or recognize it as a application.

e.g. For Client TCP Sync, there is not ACK from the server end, it shows incomplete. If you do normal telnet on TCP port and you get the black screen, it means handshake was completed. Such normal telnet sessions also Palo alto will recognize it as incomplete as just handshake got completed but there was no application data after it.

Insufficient - it means there is not enough data packets to identify it as a application.

More details on such application status can be found at https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClibCAC

PRe: Session End reason & Application Status

santonic — Fri, 16 Oct 2020 11:10:41 GMT

@Diyar.m

Ping (ICMP) will survive asymmetric routing, but TCP won't.