Traffic logs show wrong rule taken in GUI, but is shown as correct in the CLI

Traffic logs show wrong rule taken in GUI, but is shown as correct in the CLI

23698
Created On 09/27/18 09:28 AM - Last Modified 06/01/23 09:02 AM


Resolution


Issue

In GUI, when seeing Monitor > Logs > Traffic, the rule shown is incorrect.

However, when seeing 'show session <session ID>' for the same session ID through CLI, we see that the rule is taking expected rule.

 

It appears that traffic is taking the wrong security policy or that there is inconsistency while processing traffic.

 

Cause

This is an expected behavior.

The firewall tried to match first security rule while still identifying the correct app and decoding the traffic.

Once it is available, the correct rule is shown in GUI after some time.

 

Resolution

  1. Go to the Security Policy rule > Actions tab > Log Setting.
  2. Disable "Log at Session Start" (if enabled).
  3. Only enable "Log at session End."

User-added image
Other users also viewed:
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm8rCAC&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Choose Language