GUI Showing Zero Byte Sessions in the Session Table
17232
Created On 09/26/18 13:54 PM - Last Modified 06/03/21 17:35 PM
Symptom
Some sessions in the WebUI as well as CLI show zero bytes.
Viewing session details via CLI reveals the following:
Session 342567 c2s flow: source: 0.0.0.0 [boe-trust] dst: 74.125.228.70 proto: 6 sport: 0 dport: 6081 state: ACTIVE type: PRED src user: unknown dst user: unknown s2c flow: source: 74.125.228.70 [boe-untrust] dst: 0.0.0.0 proto: 6 sport: 6081 dport: 0 state: OPENING type: PRED src user: unknown dst user: unknown start time : Wed Sep 19 12:02:15 2012 timeout : 60 sec time to live : 10 sec total byte count(c2s) : 0 total byte count(s2c) : 0 layer7 packet count(c2s) : 0 layer7 packet count(s2c) : 0 vsys : vsys5 application : undecided rule : application db : 0 session to be logged at end : False session in session ager : True session synced from HA peer : False address/port translation : source + destination nat-rule : global-nat(vsys5) prediction triggered by : server prediction matched once : False
Environment
PAN-OS
Resolution
Resolution
The sessions listed above from the CLI output are "Predict" sessions. It is normal expected behavior for predict sessions to show zero bytes.
A predict session is a session that was opened for expected traffic to eventually hit the firewall using the 6-tuple listed in the predict session.
Once traffic matches that predict session, the predict session turns into an active flow which is a "real" session. Until then, zero bytes is normal and expected.