Aged Out in allowed traffic logs

L1 Bithead

Aged Out in allowed traffic logs

Hi All,

 

I have a doubt regarding the aged-out feature in the Palo Alto firewall.

We are getting logs with allowed traffic towards different ports like 23, 1433, etc.

The device action is allow and the reason is aged-out.

I want to know whether the traffic is really allowed or not.

This is causing a lot of confusion; kindly help me with this doubt.

Also, how do I find the allowed traffic in the Palo Alto firewall?

 

Thanks and Regards,

Sameer Ahammed


Accepted Solutions
L2 Linker

Re: Aged Out in allowed traffic logs

This is the expected behaviour when the destination host does not reply to the specific session initiation.

Let's say that you see traffic going from host A to host B, passing through the firewall: A -> Fw -> B. The firewall is allowing the traffic from A to B (Action: allow), but no reply is going back from B to A, so the firewall can't see some "real" application and is telling you that it hasn't got enough data (Application Protocol: incomplete) and the session is being terminated for timeout (Reason: aged-out). Talking about causes, there might be many, but the most probable is that B does not expose the service A is asking for, and B's local firewall (not the PAN, the OS one) is set up not to reply for closed ports (IIRC this should be the default for Windows). To sum it up: A asks for a service, Fw lets the request pass, B drops it.

There might be other causes, asymmetrical routing being the worst one I'd say, i.e. B's reply for an open service goes on a different path, and this messes up things badly. Without further details we can't tell you more.
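As an added example (not code from any poster in this thread), the following Python script applies the reading above to a handful of constructed PAN-OS-style traffic log rows: a row with action allow, application incomplete and session end reason aged-out is the "A asks, Fw lets it through, B never answers" case, and the script counts how often that happens per rule and destination port. The column names and sample values are simplified and constructed for the example.

```python
import csv
import io
from collections import Counter

# Constructed sample rows in a simplified CSV (not real log export):
# only the columns the thread discusses are included.
SAMPLE_LOG = """\
action,app,session_end_reason,src_zone,dst_zone,dst_port,rule,proto
allow,incomplete,aged-out,Outside,Outside,1433,Outside-Inbound,tcp
allow,incomplete,aged-out,Outside,Outside,23,Outside-Inbound,tcp
allow,mssql-db,tcp-fin,Inside,DMZ,1433,Inside-to-DMZ,tcp
allow,telnet,tcp-rst-from-server,Inside,DMZ,23,Inside-to-DMZ,tcp
deny,not-applicable,policy-deny,Outside,Inside,3389,Default-Deny,tcp
allow,incomplete,aged-out,Outside,Outside,1433,Outside-Inbound,tcp
"""


def classify(rec):
    """Return what one traffic-log row tells us about the session.

    'allowed-unanswered': policy let the initial packets through, but the
    firewall never saw enough of a reply to identify an application and
    the session timed out (action=allow, app=incomplete, reason=aged-out).
    'allowed-completed': allowed and closed normally (FIN/RST seen).
    'denied': the policy itself blocked the session.
    """
    if rec["action"] != "allow":
        return "denied"
    if rec["app"] == "incomplete" and rec["session_end_reason"] == "aged-out":
        return "allowed-unanswered"
    return "allowed-completed"


def summarize(log_text):
    """Count verdicts overall and unanswered sessions per (rule, dst_port)."""
    rows = list(csv.DictReader(io.StringIO(log_text)))
    verdicts = Counter(classify(r) for r in rows)
    unanswered = Counter(
        (r["rule"], r["dst_port"])
        for r in rows
        if classify(r) == "allowed-unanswered"
    )
    return verdicts, unanswered


if __name__ == "__main__":
    verdicts, unanswered = summarize(SAMPLE_LOG)
    print(dict(verdicts))
    for (rule, port), n in unanswered.most_common():
        print(f"{rule} -> port {port}: {n} allowed session(s) never answered")
```

A rule and port that show up repeatedly in the unanswered bucket are where to check the destination host and the routing, as the replies above suggest.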



All Replies
Cyber Elite

Re: Aged Out in allowed traffic logs

@ahmdsmr,

If you see allow as the action, then the traffic is being allowed through. This simply means the firewall didn't see a RST or FIN flag and the session aged off the session table.

"I want to know whether the traffic is really allowed or not."

The traffic was allowed. However, both telnet and SQL should be sending normal TCP communications, and you shouldn't be seeing aged-out. Verify that your routing is actually configured correctly on the firewall.

L1 Bithead

Re: Aged Out in allowed traffic logs

Thank You @BPry 

 

The scenario is that we are observing allowed traffic towards port 1433 in the logs, and from the logs we have identified the policy in the firewall by which it is being allowed.

But when we checked the policy in the firewall, we did not observe any service or application configured in the rule to allow it.

Here the device action is allow and the reason is aged-out.

Kindly help me with this.

 

Thanks and Regards,

Sameer Ahammed

Cyber Elite

Re: Aged Out in allowed traffic logs

@ahmdsmr,

Can you share the security policy configuration that the log says this traffic is matching?

L1 Bithead

Re: Aged Out in allowed traffic logs

Hi @BPry

 

Please find below the table for the rule which is configured.

Destination Port: 1433
Device Action: allow
Reason: aged-out
Source Zone: Outside
Destination Zone: Outside
Rule Name: Outside-Inbound
Transport Protocol: TCP
Application Protocol: incomplete

This is from the logs.

 

Regards,

Sameer Ahammed
