8.1.2 file-blocking / logging traffic direction

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

8.1.2 file-blocking / logging traffic direction

L1 Bithead

Hi all,

 

after updating from 8.0.x to 8.1.2 we noticed the following behaviour:

 

In the Data Filtering Monitor the direction of the traffic has moved.

Connections previously shown as 'from internt to lan' are now shown as 'from lan to internet'.

This when downloading a file.

A colleague just remembered that there was a notice that all traffic logs will be changed to be in the same order.

But I did not find this in the release notes.

 

I have a file blocking profile configured to the internet policy which matches my connection.

This policy will deny uploads and allow downloads.

But after the update the download is blocked.

 

So it looks like the logging of the traffic was changed but these direction will not be noticed for file blocking correctly.

Does anyone notice a similar problem?

 

I am sorry I can not test if the upload is working now, instead.

 

Kind regards,

Andi

3 REPLIES 3

L7 Applicator

You're correct, there was a change in 8.1 for the directionality, but I also cannot find any specific documentation on this.

 

The direction of certain logs was purposefully altered in 8.0 and older to help readability for logs like Threat and Data. The "source" and "destination" fields are changed to "Attacker" and "Victim", and because the victim is generally the user (not the external web server) that swap makes sense.

 

Here's a good article discussing it:

https://live.paloaltonetworks.com/t5/Management-Articles/Threat-Logs-Show-Inverted-Reversed-Directio...

 

The problem was that in 8.0 the Unified Logs page was added, allowing admins to review all the different logs in one place. When the Threat and Data logs were viewed along with the Traffic log, the swapping of addresses loses its context because the Unified Log page only has one field for each IP ("Source address" and "Destination address").

 

Thus, 8.1 stops doing that so the Unified Logs don't have a weirdly swapped source/destination ip/port. If you've still got an 8.0 firewall check out the columns in the Threat Log and you'll see Attacker and Victim instead of Source Address and Destination Address.

Thanks for the additional detail @gwesson !

 

I've historically used log filters such as (addr in x.x.x.x) in the unified log.    

 

That way, it catches any of the logs relating to x.x.x.x either as "source" or "destination"... this includes both uploads & downloads, client/tcp-initiator & server, attacker & victim, etc.  

 

I'll have to keep an eye out for the changes in 8.1.  

Thank you gwesson for the detailed description.

I will have a deeper look into it at different Pan-OS versions.

 

Best regards,

Andreas

  • 3419 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!