04-24-2020 08:17 AM
Does PAN OS has a feature to calculate session age for any active session ? In particular looking from SOC point of view if they want to monitor long time period active sessions used by attackers to compromise security.
I am not looking for session timeout or reasons for that, but a life span of active session running.
04-25-2020 10:28 AM
Hello,
I hope I understand your question correctly. You can look at the Session browser to see active sessions. This should be the info you are looking for.
Regards,
04-26-2020 01:16 AM
As @OtakarKlier said, this information is in the Session Browser in the GUI or the CLI. I would recommend writing a script that pulls the session table from the API and searches for any sessions that breach your SOCs criteria for investigation.
04-29-2020 11:35 AM
Thanks @BPry, @OtakarKlier
I am looking for end time of session, Traffic & session browser log gives the start time of connection but if the session is ended or end time is not determined. I think the reason is the session state table removes any inactive sessions with announcing. Is there a way I can get session end time as well ?
04-29-2020 11:38 AM
Hello,
Set the policies to log at session end. It should do what you need.
Regards,
04-29-2020 12:17 PM
Log at session end in security policy helps in determining the final app-id as app goes through transformation, but not the session end time.
04-29-2020 12:20 PM
Actually that is its purpose, logs when the session ends.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
