Session End reason & Application Status

L0 Member

Session End reason & Application Status

I would like to know about Palo Alto firewall Session End reason, why we are getting those reasons & how we can resolve the issue.

 

For example:

tcp-rst-from-client -> it means the client sent a TCP reset to the server.

tcp-rst-from-server -> it means the server sent a TCP reset to the client.

Aged-Out -> Session Time out

 

But I am looking for the solution, how we can resolve that issue.

Similarly, I would like to know about Application status:

 

What exactly is meant by "Incomplete", "Unknown" & so on... How can we resolve these issues?

 

Your help would be greatly appreciated.

 

 

L5 Sessionator

Re: Session End reason & Application Status

For session end reason you don't have to do anything on PA (unless it's actually denied by PA). And reset (either by server or client) is a normal ending of TCP session. Session time out is also a normal occurrence for non-TCP sessions. So no action is needed there, these are just helpful info PA provides.

 

Incomplete means TCP 3-way handshake didn't finish. It can be either routing issue or just destination server not listening on that port.

 

Unknown-tcp (or -udp) means there is some traffic passing through FW but PA can't recognise the application. These are the cases you should investigate; what is at source IP, which service is listening at destination IP, maybe do a packet capture for this traffic...

Idea is to identify the traffic as you don't want any unknown traffic in your network. Once you identify it and find the reason you can either block it or tell PA how to identify it (by Application Override or with custom application signature).

 

 

 

 

L7 Applicator

Re: Session End reason & Application Status

Incomplete could also mean that the tcp handshake did finish and then the server resets the connection right after that handshake.
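A triage pass that applies the replies above to traffic log rows, as an added example that is not part of the original thread. The CSV column names and the sample rows are constructed for this example and are not the firewall's own export format; adapt them to the export in use.

```python
import csv
import io
from collections import Counter

# Constructed sample rows; the column names are assumptions for this example,
# not the firewall's own export format.
SAMPLE_LOG = """\
src,dst,dport,app,session_end_reason
10.1.1.10,192.0.2.20,443,ssl,tcp-rst-from-client
10.1.1.10,192.0.2.30,8443,incomplete,aged-out
10.1.1.11,192.0.2.30,8443,incomplete,aged-out
10.1.1.12,192.0.2.40,22,incomplete,tcp-rst-from-server
10.1.1.13,198.51.100.7,4444,unknown-tcp,tcp-fin
10.1.1.13,198.51.100.7,4444,unknown-tcp,aged-out
10.1.1.14,192.0.2.53,53,dns,aged-out
"""


def classify(row):
    """Map one log row to a triage bucket based on the replies above."""
    app, reason = row["app"], row["session_end_reason"]
    if app in ("unknown-tcp", "unknown-udp"):
        return "identify"       # find the service, capture packets, then block or override
    if app == "incomplete" and reason == "tcp-rst-from-server":
        return "server-reset"   # server reset the connection; is the port listening?
    if app == "incomplete":
        return "no-handshake"   # handshake never finished; check routing and the listener
    return "normal"             # resets and timeouts on identified apps need no action


def triage(log_text):
    """Count sessions per (bucket, dst, dport), skipping normal endings."""
    findings = Counter()
    for row in csv.DictReader(io.StringIO(log_text)):
        bucket = classify(row)
        if bucket != "normal":
            findings[(bucket, row["dst"], int(row["dport"]))] += 1
    return findings


def report(findings):
    """Return report lines, busiest destination first."""
    return [f"{n:3d}  {bucket:<13} {dst}:{dport}"
            for (bucket, dst, dport), n in findings.most_common()]


if __name__ == "__main__":
    print("\n".join(report(triage(SAMPLE_LOG))))
```

Grouping by destination and port keeps the output short: repeated "incomplete" or "unknown-tcp" sessions to one service show up as a single line with a count.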
