BitTorrent session identification

L0 Member

On a PA-500 with PAN-OS 4.0.7, I have seen a session on dashboard-top application-last hour, but in the corresponding ACC and in the Monitor Traffic Log I don't find a record of the session. Is there any reason? Thanks

L6 Presenter

How did you search for it in the traffic log?

L0 Member

I searched for it with a filter in the traffic monitor: (app eq bittorrent). But today I found a similar problem with another app: sip, with only 4 sessions displayed on top-appl on the dashboard and no records in ACC and in the traffic monitor. I attach some screenshots from the dashboard, ACC and monitor traffic.

L6 Presenter

I assume you simply clicked on the sip area in the "top applications" in dashboard and ended up in the second screenshot?

My first thought then was that you would need to modify "Time" (which is currently Last Hour), but the top applications in the dashboard also cover the last hour, so that shouldn't matter.

Can you verify that you have enabled logging in your security rules (this is done per security rule; you would also need to add a default deny at the end and configure that to log as well, since the "hidden" last rule (not visible in the GUI), which does default deny, has logging turned off)?

As a debug step, enable logging for both session start and session end (later in production you would normally just need logging on session end (if you want to keep log volumes down), because then you get additional info such as session length and data volume transmitted, which session start lacks).

I think you need to have logging enabled in your security rules for the traffic to show up in the traffic log.

However, the ACC shouldn't be empty...

I guess you have already verified that your PAN box has downloaded the latest app-db and such (and you also committed after the download)?

Also, is it possible for you to update to the latest 4.1.x (I think it's currently 4.1.4 or so) just to rule out any known bugs?

L0 Member

I have done troubleshooting of the ghost sessions and I found this:

  • the bittorrent and sip traffic comes in from the Internet zone to the Internet zone (the reason for this is still unknown)
  • I didn't find records in the traffic monitor because there wasn't any security policy that matched and logged that traffic
  • although the policy wasn't set, the dashboard showed those applications in the top-app, because there was a bit of traffic from Trust Zone to Internet Zone and then, in that circumstance, sip and bittorrent were top-app.
  • ACC anyway didn't show any record of sip and bittorrent within that time period (none in last-hour, none in last-day, ...): is this behaviour dependent on the enabled logging in the security policy?

What do you think?

Thanks

Community Team Member

You asked:

"is this behaviour dependent on the enabled logging in the security policy?"

Answer:

Yes, just like URL filtering: it cannot report upon something unless you are logging the traffic inside of a security policy.

Also, if traffic is same zone to same zone, it will also not be reported and will be allowed by default, but you prob already knew that one.

Stay Secure,
Joe
End of line
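
A simplified model of the behaviour discussed in this thread, added here as an example and not taken from any poster or from PAN-OS itself: rules are evaluated first-match, and traffic that reaches the implicit defaults (same-zone allow, otherwise deny) leaves no traffic-log record. The rule names and the sample sessions are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Rule:
    name: str       # hypothetical rule name
    src_zone: str   # "any" matches every zone
    dst_zone: str
    app: str        # "any" matches every application
    action: str     # "allow" or "deny"
    log_end: bool   # write a traffic-log record at session end

def _match(pattern, value):
    return pattern == "any" or pattern == value

def evaluate(rules, src_zone, dst_zone, app):
    """First-match evaluation. Returns (rule name, action, logged)."""
    for r in rules:
        if (_match(r.src_zone, src_zone) and _match(r.dst_zone, dst_zone)
                and _match(r.app, app)):
            return r.name, r.action, r.log_end
    # Implicit defaults as described in the thread: same-zone traffic is
    # allowed, everything else is denied, and neither case is logged.
    if src_zone == dst_zone:
        return "implicit-intrazone", "allow", False
    return "implicit-deny", "deny", False

def traffic_log(rules, sessions):
    """Sessions that would leave a record in the traffic log."""
    return [s for s in sessions if evaluate(rules, *s)[2]]

# Constructed sessions: (source zone, destination zone, application)
SESSIONS = [
    ("Trust", "Internet", "web-browsing"),
    ("Internet", "Internet", "bittorrent"),
    ("Internet", "Internet", "sip"),
    ("Internet", "Trust", "ssh"),
]

# Policy as in the thread: only Trust -> Internet is matched and logged.
BEFORE = [Rule("trust-out", "Trust", "Internet", "any", "allow", True)]

# Same policy plus explicit, logged rules for the traffic that
# previously fell through to the unlogged implicit defaults.
AFTER = BEFORE + [
    Rule("internet-intrazone-log", "Internet", "Internet", "any", "allow", True),
    Rule("deny-all-log", "any", "any", "any", "deny", True),
]

if __name__ == "__main__":
    for label, policy in (("before", BEFORE), ("after", AFTER)):
        print(label, traffic_log(policy, SESSIONS))
```

With the first policy only the Trust to Internet session is searchable in the log; with the explicit rules added, the Internet to Internet bittorrent and sip sessions and the denied inbound session become visible too.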