08-24-2023 10:41 AM
Hello LiveCommunity,
I have a, hopefully, quick question regarding traffic log entries and packet counts.
What if there is a security policy with the action set to "Deny" and the application set to traceroute (or anything else, but with the "send ICMP unreachable" box ticked); when a packet is received that matches this "Deny" policy and the firewall sends the unreachable, will I see 1 packet received and 1 packet sent in the traffic log? Or, to rephrase: does the "ICMP unreachable" packet sent by the firewall appear in the logs / get counted as a session-related packet?
Thanks for your answer!
08-25-2023 05:39 AM
I would think so, but I'm not entirely sure. What are you looking to achieve with this information? Something to note as well: some traffic can still be passed on a deny rule if application identification is needed to make a policy decision.
08-25-2023 05:47 AM
I'm just curious, as I don't really know the exact answer. I know that PAN-OS needs more than one packet for certain apps. But will the firewall's "ICMP unreachable" packet appear in the packets sent column? So, A sends a ping to B but the firewall denies the traffic based on src IP + dst IP (the app doesn't even matter); the "send ICMP Unreachable" option is ticked, so in the traffic log I'll see that A sent 1 packet: will I also see that it received 1?
I don't know how clear what I'm trying to ask is, sorry for that.
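The question above can be settled empirically from an exported traffic log rather than by guessing. The following is an added example, not code from the thread or from Palo Alto Networks: it parses a constructed CSV export (the column names `action`, `pkts_sent`, `pkts_received` and `packets` are an assumption about the export header, not taken from the page), lists denied sessions that nonetheless show packets received by the client, and cross-checks that sent + received equals the total packet count, which is exactly the discrepancy an ICMP unreachable generated by the firewall would or would not produce.

```python
import csv
import io

# Constructed sample export. The header row is an assumed layout of a
# traffic-log CSV export; the rows are made up for illustration.
SAMPLE_CSV = """receive_time,src,dst,app,action,pkts_sent,pkts_received,packets
2023/08/24 10:40:01,10.0.0.5,10.0.1.9,traceroute,deny,1,1,2
2023/08/24 10:40:03,10.0.0.6,10.0.1.9,ping,deny,1,0,1
2023/08/24 10:40:05,10.0.0.7,10.0.1.9,ssh,allow,12,15,27
"""


def parse_traffic_log(text):
    """Parse a CSV traffic-log export into dicts with integer packet counters."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        for field in ("pkts_sent", "pkts_received", "packets"):
            row[field] = int(row[field])
        rows.append(row)
    return rows


def denied_with_return_traffic(rows):
    """Denied sessions where the log still records packets received by the client.

    If the firewall's own ICMP unreachable is counted against the session,
    these rows will show pkts_received > 0 even though the policy denied
    the traffic; if it is not counted, the list stays empty for pure denies.
    """
    return [r for r in rows if r["action"] == "deny" and r["pkts_received"] > 0]


def check_packet_totals(rows):
    """Return rows whose sent + received does not match the packets column."""
    return [r for r in rows
            if r["pkts_sent"] + r["pkts_received"] != r["packets"]]


if __name__ == "__main__":
    log = parse_traffic_log(SAMPLE_CSV)
    for r in denied_with_return_traffic(log):
        print(f"{r['src']} -> {r['dst']} app={r['app']} "
              f"sent={r['pkts_sent']} received={r['pkts_received']}")
    for r in check_packet_totals(log):
        print(f"counter mismatch: {r}")
```

To run this against a real export, replace `SAMPLE_CSV` with the file contents and map the header names to whatever your export actually uses; the logic only depends on the four counter and action columns.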