ACC Data is Not in Sync with Traffic Logs

Issue

The Application Control Center (ACC) is showing information for traffic that does not appear in the traffic logs

Resolution

Traffic visible in the traffic logs require the security policy to be configured to log the data in order for those sessions to be visible in the traffic logs. The information in the ACC is independent of the security policy and will display information for all traffic regardless if the option to log is enabled or not. Same zone traffic, which is allowed by default, is also not logged in the traffic log but those sessions will be included in the ACC reports.

The data for the ACC is retrieved from Appstat DB which is part of the data plane. Every single packet traversing the dataplane will show up in ACC tab. As far as traffic logs are concerned, the data is retrieved from log DB and the logs are generated only if a packet matches a security policy.

If there is an entry for a particular traffic in ACC and no relevant log in traffic logs or late generation of traffic log, the reason for this would be:

1. There is no security policy for the traffic because of which no traffic log is generated.
2. If there is a security policy matching the traffic, the traffic log will be generated. However, the traffic log might not be generated instantly if the management plane is busy and excessive logging taking place on the device. So there would be instances where ACC logs and traffic logs are not in sync.
3. The session's source and destination zone was the same which means it was automatically allowed and not logged.

owner: mvenkatesan