Action is Reset-Both in the Detail Log view area

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Action is Reset-Both in the Detail Log view area

L3 Networker

Hello everyone question, 

I have been seeing this on the Threat montior area. I just need someone to verify what I am seeing is correct. 

Reset-Both 1.JPG

This shows me that action was reset-both, which tells me file never got inside 

When I look at the Detailed Log View it shows something else. I am thinking that issue was not reset but file did get downloaded. If anyone can help me with this would be great. 

 

I sort this by recieved time, so what I am thinking is the file has been downloaded. 

Reset-Both 2.JPG 

 

Here is Type sort the same way 

Reset-Both 4.JPG

 

Here is Bytes sorted the same way too

Reset-Both 5.JPG

 

Also when I look at the Destination area you can see that all is file out expected the Victim Name

Reset-Both 3.JPG

 

Help with understanding all this please. 

 

 

3 REPLIES 3

Cyber Elite
Cyber Elite

Palo performs stream based antivirus.

If it find virus inside file while it is passing by it will reset connection.

Even if client received beginning of file it is not an issue - until whole file was not transferred it will not be executed.

You can check Data Filtering log if this session transferred any file through firewall.

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

as @Raido_Rattameister mentions, the firewall does not proxy connections, but instead allows packets to flow through and scans them for behavior and threats as they pass through. If abnormalities or threats are detected, the flow will be interrupted or corrective action is taken, depending on the need (eg. threats are dropped/reset, while url filtering is injected with a redirect to a block page etc..)

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

First sorry Raido I did not see you post something here.

Thank you for the information. 

I did check the Data Filtering log I see action was allow, this traffic was filter but allow here.

But since there was a reset-both action that means the file got reset on both sides so no one got infected file on there computer right ?

 

  • 5641 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!