On a PA-500 with PAN-OS 4.0.7, I have seen a session on dashboard-top application-last hour, but in the corresponding ACC and in the Monitor Traffic Log I don't find a session record. Is there any reason? Thanks
I searched for it with a filter in the traffic monitor: (app eq bittorrent). But today I found a similar problem with another app: sip, with only 4 sessions displayed on top-appl on the dashboard and no records in ACC and in the traffic monitor. I attach some screenshots from dashboard, ACC and monitor traffic.
I assume you simply clicked on the sip area in the "top applications" in dashboard and ended up in the second screenshot?
My first thought then was that you would need to modify "Time" (which is currently Last Hour), but the top applications in the dashboard also covers the last hour, so that shouldn't matter.
Can you verify that you have enabled logging in your security rules (this is done per security rule; you would also need to add a default deny at the end and configure that to log as well, since the "hidden" last rule (not visible in the GUI), which does the default deny, has logging turned off)?
As a debug step, enable logging for both session start and session end (later in production you would normally just need logging on session end (if you want to keep log volumes down), because then you get additional info such as session length and data volume transmitted, which session start lacks).
I think you need to have logging enabled in your security rules for the traffic to show up in the traffic log.
However, the ACC shouldn't be empty...
I guess you have already verified that your PAN box has downloaded the latest app-db and such (and that you also committed after the download)?
Also, is it possible for you to update to the latest 4.1.x (I think it's currently 4.1.4 or so) just to rule out any known bugs?
I have done troubleshooting of the ghost sessions and I found this:
What do you think about it?
"Is this behaviour dependent on the enabled logging in the security policy?"
Yes, just like URL filtering... it cannot report upon something unless you are logging the traffic inside of a security policy.
Also, if traffic is same zone to same zone, it will also not report and will be allowed by default... but you prob already knew that one.