This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

getting traffic after the interface is down

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

getting traffic after the interface is down

FarhanKoujalgi
L3 Networker

‎07-23-2021 05:48 AM

Hey guys hope you doing well I got a question I get a challenge one of my user getting traffic logs of NetBIOS by source Pvt IP from LAN to WAN the device from the source side is down the 2 Pvt IP still hitting the cleanup rule. The Policy is denied by the firewall but why do the traffic logs show the two source IP which is down from that side. is that any command to clear cache or something please help. and In-application is NetBIOS-ns.

0 Likes Likes
4 REPLIES 4

BPry
Cyber Elite
Cyber Elite

‎07-23-2021 11:31 AM

@FarhanKoujalgi,

If you look at the detailed log information is the start_time actually associated with when these clients are known to be down? The logs are probably just session_end logs that are being generated after the firewall closes the session. 

0 Likes Likes

FarhanKoujalgi
L3 Networker
In response to BPry

‎07-23-2021 12:23 PM

Dear @BPry 

The interface from the source side is down so why am I getting logs of netbios hitting to deny rule 

I check the logs time by the time it's generated in a gap of 2 5 minutes.

if that side of a link is down then why the firewall show us a log of netbios

0 Likes Likes

FarhanKoujalgi
L3 Networker

‎07-23-2021 12:23 PM

The interface from the source side is down so why am I getting logs of netbios hitting to deny rule 

I check the logs time by the time it's generated in a gap of 2 5 minutes.

if that side of a link is down then why the firewall show us a log of netbios

0 Likes Likes

Remo
L7 Applicator
In response to FarhanKoujalgi

‎07-25-2021 09:48 AM

Is this a single firewall or a cluster? I agree it does not make sense that there are logs when the interdace is down, but did you really rule out any possibility of this? Was the interface effectively down or did it maybe come back already or at least for a short time? Did you check what @BPry asked for - check the detailed logs to see the start time? Is it possible that the start time was prior to the interface down? Was there maybe an application change in the connection - the firewall allowed a few packets, then the interface went down, then anwer packets reached the firewall wan side and them the firewall was able to see netbios so the connection was denied.

0 Likes Likes
  • 2518 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks