09-29-2017 09:55 PM
2017/06/07 10:40:02,TRAFFIC,end,10.100.28.51,183.61.xxx.xxx,Inside-to-Outside,15523xxx,,non-syn-tcp,80,tcp,allow,384,384,0,7,2017/06/07 10:36:53,any,6469463962,0x0,10.0.0.0-10.255.255.255,0,0,from-policy

1 "ReceiveTime" = 2017/06/07 10:40:02
2 "Type" = TRAFFIC
3 "ThreatContentType" = end
4 "SourceAddress" = 10.100.28.51
5 "DestinationAddress" = 183.61.xxx.xxx
6 "Rule" = Inside-to-Outside
7 "SourceUser" = 15523xxx
8 "DestinationUser" = -
9 "Application" = non-syn-tcp
10 "DestinationPort" = 80
11 "IPProtocol" = tcp
12 "Action" = allow
13 "URL" = 384
14 "ThreatContentName" = 384
15 "Category" = 0
16 "Reportid" = 7
17 "Severity" = 2017/06/07 10:36:53
18 "Seqno" = any
19 "SourceCountry" = 6469463962
20 "DestinationCountry" = 0x0
21 "Content" = 10.0.0.0-10.255.255.255
22 "ContentType" = 0
23 "Filetype" = 0
24 "Recipient" = from-police
I have a Palo Alto log, but I do not understand the meaning of some of its contents. Can you explain the purpose of URL = 384, ThreatContentName = 384, Category = 0, Reportid = 7, Severity = 2017/06/07 10:36:53, Recipient = from police?
Is there a paper, documentation or something that discusses it?
10-02-2017 01:44 AM
Is it possible a column was shifted and this is actually the byte count? What is shown in the GUI if you open the detailed view of this log?
Normally 'from-policy' should be located in the column 'action_source' (meaning 'who decided what to do with this session'), so I believe your log columns are incorrect.
Secondly: the log is regarding a non-syn-tcp packet. This type of packet is normally discarded as it is not part of a normal session and can be malicious. In this case it is being allowed through, so it appears you have a manual override in place to temporarily allow these packets.
I'd recommend re-enabling the tcp check to drop these types of packets.
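One way to test the shifted-column idea raised in the reply, as an added example that is not part of the thread and not Palo Alto Networks code: pair each value of the posted line with the label from the question and flag values that cannot be the kind of data the label implies. The per-label checks in `CHECKS` are assumptions made for this illustration, not a vendor schema.

```python
import csv
import re
from datetime import datetime

# Log line and labels exactly as posted in the question (addresses are masked there).
LINE = ("2017/06/07 10:40:02,TRAFFIC,end,10.100.28.51,183.61.xxx.xxx,Inside-to-Outside,"
        "15523xxx,,non-syn-tcp,80,tcp,allow,384,384,0,7,2017/06/07 10:36:53,any,"
        "6469463962,0x0,10.0.0.0-10.255.255.255,0,0,from-policy")
FIELDS = ("ReceiveTime Type ThreatContentType SourceAddress DestinationAddress Rule "
          "SourceUser DestinationUser Application DestinationPort IPProtocol Action "
          "URL ThreatContentName Category Reportid Severity Seqno SourceCountry "
          "DestinationCountry Content ContentType Filetype Recipient").split()

def is_time(v):
    try:
        datetime.strptime(v, "%Y/%m/%d %H:%M:%S")
        return True
    except ValueError:
        return False

def is_addr(v):
    # Tolerates the 'xxx' masking used in the post.
    return re.fullmatch(r"(\d{1,3}|x+)(\.(\d{1,3}|x+)){3}", v) is not None

def is_number(v):
    return re.fullmatch(r"\d+|0x[0-9a-fA-F]+", v) is not None

# Assumed expectations per label (illustrative only).
CHECKS = {
    "ReceiveTime": is_time,
    "SourceAddress": is_addr,
    "DestinationAddress": is_addr,
    "DestinationPort": lambda v: v.isdigit() and int(v) <= 65535,
    "URL": lambda v: not is_number(v),
    "Severity": lambda v: v in {"informational", "low", "medium", "high", "critical"},
    "Seqno": str.isdigit,
    "SourceCountry": lambda v: not is_number(v),
    "DestinationCountry": lambda v: not is_number(v),
}

def suspect_fields(line, fields):
    """Return (position, label, value) for every value that fails its label's check."""
    values = next(csv.reader([line]))
    if len(values) != len(fields):
        raise ValueError(f"{len(values)} values for {len(fields)} labels")
    return [(i, name, val) for i, (name, val) in enumerate(zip(fields, values), 1)
            if name in CHECKS and not CHECKS[name](val)]

if __name__ == "__main__":
    for pos, name, val in suspect_fields(LINE, FIELDS):
        print(f"column {pos:2d}: {name} = {val!r} does not look like a {name}")
```

The first flagged column is 13, where the label URL sits on the value 384; every label checked before it passes, which is consistent with the labels being wrong from that point on rather than the log itself being malformed.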