8.1.2 file-blocking / logging traffic direction

L1 Bithead

Hi all,

After updating from 8.0.x to 8.1.2 we noticed the following behaviour:

In the Data Filtering Monitor the direction of the traffic has moved.

Connections previously shown as 'from internet to lan' are now shown as 'from lan to internet'.

This is when downloading a file.

A colleague just remembered that there was a notice that all traffic logs will be changed to be in the same order.

But I did not find this in the release notes.

I have a file blocking profile configured to the internet policy which matches my connection.

This policy will deny uploads and allow downloads.

But after the update the download is blocked.

So it looks like the logging of the traffic was changed, but this direction is not handled correctly for file blocking.

Has anyone noticed a similar problem?

I am sorry, I cannot test whether the upload is working now instead.

Kind regards,

Andi

L7 Applicator

You're correct, there was a change in 8.1 for the directionality, but I also cannot find any specific documentation on this.

The direction of certain logs was purposefully altered in 8.0 and older to help readability for logs like Threat and Data. The "source" and "destination" fields are changed to "Attacker" and "Victim", and because the victim is generally the user (not the external web server) that swap makes sense.

Here's a good article discussing it:

https://live.paloaltonetworks.com/t5/Management-Articles/Threat-Logs-Show-Inverted-Reversed-Directio...

The problem was that in 8.0 the Unified Logs page was added, allowing admins to review all the different logs in one place. When the Threat and Data logs were viewed along with the Traffic log, the swapping of addresses loses its context because the Unified Log page only has one field for each IP ("Source address" and "Destination address").

Thus, 8.1 stops doing that so the Unified Logs don't have a weirdly swapped source/destination IP/port. If you've still got an 8.0 firewall, check out the columns in the Threat Log and you'll see Attacker and Victim instead of Source Address and Destination Address.

L7 Applicator

Thanks for the additional detail @gwesson !

I've historically used log filters such as (addr in x.x.x.x) in the unified log.

That way, it catches any of the logs relating to x.x.x.x either as "source" or "destination"... this includes both uploads & downloads, client/tcp-initiator & server, attacker & victim, etc.

I'll have to keep an eye out for the changes in 8.1.
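The two points above, that pre-8.1 Threat and Data Filtering logs report attacker/victim (swapped relative to the Traffic log) and that an `(addr in x.x.x.x)` filter sidesteps the question by matching either end, can be turned into a small version-independent reporting helper. The example below is added here and is not code from the thread or from Palo Alto Networks; the record layout, field names, the internal network list and the sample log lines are all constructed for illustration, and it orients each record by which address is internal rather than by field position, so the swap described above does not change the result.

```python
# Added example, not from the thread: report which internal host talked to
# which external host in a way that does not depend on whether a log stores
# the pair as source/destination (Traffic log, 8.1 Threat/Data logs) or as
# attacker/victim (8.0 Threat/Data logs). Record layout, field names and
# addresses below are constructed; real PAN-OS exports carry many more fields.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed: the address ranges this firewall treats as "lan".
INTERNAL_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]


@dataclass(frozen=True)
class LogRecord:
    log_type: str   # "traffic", "threat" or "data" (constructed field names)
    src: str
    dst: str
    src_port: int
    dst_port: int


# Constructed sample: one file download as it would appear in the Traffic log
# (client 10.1.2.3 -> server 203.0.113.10) and in a pre-8.1 Data Filtering log,
# where the same session is reported as attacker -> victim, i.e. swapped;
# plus one unrelated session and one purely internal session.
SAMPLE_LOGS = [
    LogRecord("traffic", "10.1.2.3", "203.0.113.10", 51234, 443),
    LogRecord("data", "203.0.113.10", "10.1.2.3", 443, 51234),
    LogRecord("traffic", "10.1.2.99", "198.51.100.7", 40000, 80),
    LogRecord("traffic", "10.1.2.3", "10.9.9.9", 40001, 445),
]


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETWORKS)


def addr_in(records: List[LogRecord], ip: str) -> List[LogRecord]:
    """Equivalent of the '(addr in x.x.x.x)' filter: match either end,
    whichever role (source/destination, attacker/victim) the log assigns."""
    return [r for r in records if ip in (r.src, r.dst)]


def orient(rec: LogRecord) -> Optional[Tuple[str, str, int]]:
    """Return (internal_host, external_host, external_port), decided by
    address class rather than by field position, so the swap between log
    types and PAN-OS versions does not matter. Returns None when both ends
    are on the same side, because the address class alone cannot orient those."""
    src_in, dst_in = is_internal(rec.src), is_internal(rec.dst)
    if src_in == dst_in:
        return None
    if src_in:
        return (rec.src, rec.dst, rec.dst_port)
    return (rec.dst, rec.src, rec.src_port)


def sessions_for(records: List[LogRecord], ip: str) -> List[Tuple[str, str, int]]:
    """Distinct (internal, external, external_port) triples that mention ip.
    The Traffic and Data records of one download collapse to a single entry."""
    oriented = {orient(r) for r in addr_in(records, ip)}
    oriented.discard(None)
    return sorted(oriented)


if __name__ == "__main__":
    for session in sessions_for(SAMPLE_LOGS, "10.1.2.3"):
        print(session)
```

Orienting by address class is deliberately independent of the firewall version: the swapped Data Filtering record and the Traffic record for the same download resolve to the same triple, which is what you want when correlating across an 8.0 and an 8.1 firewall. Sessions where both ends are internal (or both external) need a different rule, such as the zone or port, and are reported as `None` here rather than guessed.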

L1 Bithead

Thank you gwesson for the detailed description.

I will have a deeper look into it on different PAN-OS versions.

Best regards,

Andreas
