How to identify if there was allowed traffic from an external suspicious IP in Panorama


L0 Member

Hello All,

I'm a bit confused about the exact process. When monitoring the traffic from an external source IP (a malicious one) and checking the logs in Pano, I see that the session end reason was "tcp-fin" and the type was either "drop" or "end", with the action being "allowed".

Does this mean that the traffic has been blocked by the firewall or dropped by the firewall?
In what cases can I come to know if the traffic is allowed and a session is made by an external suspicious IP towards an internal IP?

Please help me with this clarification.


Cyber Elite

tcp-fin means the session was gracefully ended, which means the initial connection was allowed.

A session that was blocked will have 'deny' or 'drop' in the action.

'end' in the type is an allowed session; 'drop' or 'deny' in the type is a blocked session.

Can you please provide a screenshot of what you're seeing?

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization
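
One way to apply the rule from the reply above to exported traffic logs, as an added example that is not part of the original thread. The column names, IP addresses and sample rows are constructed for illustration and are assumptions, not the header of a real Panorama export.

```python
import csv
import io

# Values the reply names as marking a blocked session, in either field.
BLOCK_VALUES = {"deny", "drop"}

# Constructed sample rows. Column names are assumptions for this example,
# and the addresses come from documentation ranges.
SAMPLE_LOG = """\
src,dst,type,action,session_end_reason
203.0.113.7,10.0.0.5,end,allow,tcp-fin
203.0.113.7,10.0.0.9,drop,deny,policy-deny
198.51.100.4,10.0.0.5,end,allow,aged-out
203.0.113.7,10.0.0.5,start,allow,n/a
"""


def classify(row):
    """Return 'blocked', 'allowed' or 'undetermined' for one log row."""
    log_type = row["type"].strip().lower()
    action = row["action"].strip().lower()
    # A block indicator in either field wins over everything else.
    if action in BLOCK_VALUES or log_type in BLOCK_VALUES:
        return "blocked"
    # Type 'end' with no block indicator: the session was allowed.
    if log_type == "end":
        return "allowed"
    # Any other type is not a final verdict under the reply's rule.
    return "undetermined"


def sessions_from(log_text, suspicious_ips):
    """Group rows whose source is a suspicious IP by verdict."""
    result = {"allowed": [], "blocked": [], "undetermined": []}
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["src"] in suspicious_ips:
            result[classify(row)].append(
                (row["src"], row["dst"], row["session_end_reason"]))
    return result


if __name__ == "__main__":
    verdicts = sessions_from(SAMPLE_LOG, {"203.0.113.7"})
    for verdict, rows in verdicts.items():
        for src, dst, reason in rows:
            print(f"{verdict:13} {src} -> {dst} (end reason: {reason})")
```

Rows in the `allowed` group are the ones to follow up on, since they show a completed session from the suspicious source to an internal address.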