Disabled policy rules

L4 Transporter


Hi,


Under monitoring, there are still disabled policy rules matching some sessions.
And most of those sessions have the status 'incomplete'.
Why?
Thanks

L7 Applicator

This article gives the full definitions for incomplete status. Basically, there is either not a full TCP handshake or not enough data to identify the flow.


https://live.paloaltonetworks.com/t5/Management-Articles/Not-Applicable-Incomplete-Insufficient-Data...

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center
L3 Networker

Are you saying traffic is matching disabled rules?

L7 Applicator

Disabled rules are not active in the system; this can be seen through the following command:


> show running security-policy

If the disabled rule is at the bottom of the policy, it could be that the incomplete session "hits" these for logging purposes.


What happens is that the system accepts a SYN packet and starts building up a session once the SYN packet is allowed to pass through.

If the session is then disrupted, the process of properly building the session and matching an appropriate App-ID and security policy fails and the session is discarded. The system will still create a log entry and will need to have a 'rule', but since the session was disrupted before a security policy was properly matched, it will not have a proper security policy to add to the log. It can either use a security policy that was matched for the initial handshake, or, if it matched an implied rule, one of the last rules in the policy.


tom

reaper - PANgurus.com
Find my book at https://www.amazon.com/dp/1789956374
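A defender-side triage check, added here as an example and not part of the thread or of any Palo Alto tooling: it reads traffic-log entries and separates disabled-rule hits that fit the 'incomplete session' explanation above from hits by a fully identified application, which would deserve a closer look. It assumes a simplified key=value log layout rather than the real export format; the disabled rule names and log lines are constructed.

```python
"""Triage traffic-log hits on disabled security rules.

Constructed example: the log lines below use a simplified key=value layout,
not the real PAN-OS CSV export format, and the rule names are hypothetical.
"""
from collections import Counter

# Assumption: rule names that `show running security-policy` shows as absent
# (i.e. disabled in the configuration). Hypothetical names.
DISABLED_RULES = {"old-ftp-allow", "legacy-deny-all"}

# Session states the thread describes as not fully classified: either no full
# TCP handshake or not enough payload to identify the application.
UNCLASSIFIED_APPS = {"incomplete", "insufficient-data", "not-applicable"}

# Constructed sample log lines (not real device output).
SAMPLE_LOGS = """\
src=10.1.1.5 dst=203.0.113.10 rule=old-ftp-allow app=incomplete end=aged-out
src=10.1.1.6 dst=203.0.113.11 rule=legacy-deny-all app=insufficient-data end=tcp-rst-from-client
src=10.1.1.7 dst=203.0.113.12 rule=legacy-deny-all app=ssl end=tcp-fin
src=10.1.1.8 dst=203.0.113.13 rule=allow-web app=web-browsing end=tcp-fin
""".splitlines()

def parse_line(line):
    """Turn 'k=v k=v ...' into a dict; tokens without '=' are ignored."""
    fields = {}
    for token in line.split():
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields

def triage(lines, disabled_rules=DISABLED_RULES):
    """Return (expected, anomalous): expected counts disabled-rule hits whose
    app was never identified (the behaviour explained in the thread);
    anomalous lists hits where a fully identified app matched a disabled rule,
    which should not happen and merits investigation."""
    expected = Counter()
    anomalous = []
    for entry in map(parse_line, lines):
        if entry.get("rule") not in disabled_rules:
            continue
        if entry.get("app", "") in UNCLASSIFIED_APPS:
            expected[entry["rule"]] += 1
        else:
            anomalous.append(entry)
    return expected, anomalous

if __name__ == "__main__":
    exp, anom = triage(SAMPLE_LOGS)
    print("expected incomplete hits:", dict(exp))
    print("needs investigation:", anom)
```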