I have a VM-500 panos-8.1.18. I am seeing traffic logs with the below flags:
Session End Reason - policy-deny (means traffic denied as per policy)
Action - Allow (how can action be allowed when traffic is denied via policy?)
We also have SSL decryption enabled.
Thank you for posting your question, @InderjitSingh.
I have seen the same in Traffic logs: ( session_end_reason eq policy-deny ) and ( action eq allow ), in the case when the security policy had an action: Allow; however, this policy had a URL Filtering Profile with Site Access: Block.
Is the policy you are seeing in the log using any URL filtering?
Thank you for the reply, @InderjitSingh.
When you click on the Log Detailed View icon on the far left side, does it reveal more details in the bottom section for the reason of the deny?
Also, could you check in the Traffic log: ( session_end_reason eq decrypt-error ) or ( session_end_reason eq decrypt-unsupport-param ) for any decryption errors related to this traffic?
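The checks suggested in the replies above can be run together over exported logs. The following is an added example, not part of the original thread and not Palo Alto Networks code: it joins traffic log rows to URL filtering log rows by session ID and labels each allowed session that ended with policy-deny or a decryption reason. The dictionary field names and all sample records are constructed assumptions; map them to the columns of your own export.

```python
# Added example: field names and sample rows are constructed for illustration.

# Constructed traffic log rows (one per session).
TRAFFIC = [
    {"sessionid": "1001", "rule": "allow-web", "action": "allow", "session_end_reason": "policy-deny"},
    {"sessionid": "1002", "rule": "allow-web", "action": "allow", "session_end_reason": "tcp-fin"},
    {"sessionid": "1003", "rule": "allow-web", "action": "allow", "session_end_reason": "decrypt-error"},
    {"sessionid": "1004", "rule": "allow-web", "action": "allow", "session_end_reason": "policy-deny"},
]

# Constructed URL filtering log rows for the same time window.
URL_LOGS = [
    {"sessionid": "1001", "action": "block-url", "category": "example-category"},
    {"sessionid": "1002", "action": "alert", "category": "example-category"},
]

# The two decryption end reasons named in the thread.
DECRYPT_REASONS = {"decrypt-error", "decrypt-unsupport-param"}


def triage(traffic, url_logs):
    """Map session ID -> explanation for allowed sessions that were cut short."""
    # Index URL filtering actions by session so each traffic row is a lookup.
    url_actions = {}
    for row in url_logs:
        url_actions.setdefault(row["sessionid"], set()).add(row["action"])

    findings = {}
    for row in traffic:
        if row["action"] != "allow":
            continue  # only the "allowed by rule" sessions are in question
        sid, reason = row["sessionid"], row["session_end_reason"]
        if reason in DECRYPT_REASONS:
            findings[sid] = "decryption: " + reason
        elif reason == "policy-deny":
            # A block-type URL filtering action explains allow + policy-deny.
            blocks = sorted(a for a in url_actions.get(sid, ()) if a.startswith("block"))
            if blocks:
                findings[sid] = "url-filtering: " + ",".join(blocks)
            else:
                findings[sid] = "unexplained: check Log Detailed View"
    return findings


if __name__ == "__main__":
    for sid, why in sorted(triage(TRAFFIC, URL_LOGS).items()):
        print(sid, why)
```

Sessions labelled "unexplained" are the ones to open in the Log Detailed View, since no URL filtering block or decryption reason accounts for them.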