New Feature request or ?

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

New Feature request or ?

L4 Transporter

Hi

 

I would like to have apolicy that just logs and does nothing else - ie the packet keeps getting evaluated.

 

some times I want to know there is packet there but not process it with that line.

 

Can this be done already ?

9 REPLIES 9

Community Team Member

Hi @Alex_Samad,

 

Policies are always evaluated. 

I'm guessing you're looking for a tap interface :

 

https://live.paloaltonetworks.com/t5/Community-Blog/What-s-a-TAP-interface-and-what-can-it-do/ba-p/1...

 

If this isn't what you're looking for then I'd recommend filing a feature request.

 

Cheers !

-Kiwi.

 
LIVEcommunity team member, CISSP
Cheers,
Kiwi
Please help out other users and “Accept as Solution” if a post helps solve your problem !

Read more about how and why to accept solutions.

L7 Applicator

@Alex_Samad wrote:

some times I want to know there is packet there but not process it with that line.


What do you mean exactly with that?

As @kiwi already wrote a TAP interface or a simple any any allow policy with an application override rule may be something for you...

L4 Transporter

Don't think i have worded it properly.

 

I want to add a policy say at the top that does match but doesn't allow the packet - just matches and say marks it or logs it . but then the packet/ stream still get evaluated later.

 

 

Logging every new packet will likely flood you with logs that aren't really valuable, but you can do it. For each policy that will be evaluated, select "Log at session start" under the Actions tab in the security rule. 

 

Every single new packet that gets installed as a new session will be logged before the rules themselves are processed. This will increase the load on the management plane, because of the extra logging. It will also reduce the number of completed logs you can store, since you're effectively logging everything twice. 

 

What problem are you trying to solve? Maybe your use case will help the community understand the goal, and get you there without using the policy approach you're attempting.

Sorry that seems a but silly I already log all polices so currently each packet creates 1 log entry. so if I wasn stupid and added any any log then I would double the amount of logging.

 

 

sorry what extra logging.  each packet is processed as it is already

 

For example in iptables I can have chains that process lines and just log them. so lets say I want to see all the packets from a specif host that meet a specific criteria. but I don't want to allow it I just want to register it in the logs and then have the normal process of the rules happen

 

A

Lets say for example I want to capture all traffic from a specific location to a specific dest.. but I don't want the rule to allow, just to log. I would place this at the top of the policies 

Community Team Member

@Alex_Samad,

 

Not possible in the way you're describing it as far as I know.  The rule will always be evaluated as per the action you configured on it.

 

I'd use the TAP solution as proposed earlier or a 3rd party solution like SNORT could maybe help you.

 

Cheers !

-Kiwi.

LIVEcommunity team member, CISSP
Cheers,
Kiwi
Please help out other users and “Accept as Solution” if a post helps solve your problem !

Read more about how and why to accept solutions.

Yep I understand its not possible now. 

 

Thats why i raised this.  the action could be to continue and log ?

 

But I get the impression its not something people might want 🙂

 

Community Team Member

@Alex_Samad,

 

I can see how this can be usefull 🙂

 

It wouldn't hurt asking your local SE to file a feature request for this. 

If it gets enough votes then it might be added to a future release.

 

Cheers !

-Kiwi.

 
LIVEcommunity team member, CISSP
Cheers,
Kiwi
Please help out other users and “Accept as Solution” if a post helps solve your problem !

Read more about how and why to accept solutions.
  • 2904 Views
  • 9 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!