For details on cookie usage on our site, read our Privacy Policy
Policy action is allow, but session-end-reason is "policy-deny" PAN 8.1.12
- LIVEcommunity
- Discussions
- General Topics
- Policy action is allow, but session-end-reason is "policy-deny" PAN 8.1.12
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Printer Friendly Page
Policy action is allow, but session-end-reason is "policy-deny" PAN 8.1.12
- Mark as New
- Subscribe to RSS Feed
- Permalink
08-31-2020 10:35 PM
Hi, All
The action of security policy is set to allow, but session-end-reason is shown as "policy-deny" in traffic monitor.
The PAN-OS version is 8.1.12 and SSL decryption is enabled.
Could someone please explain this to me?
If you need more information, please let me know.
- Mark as New
- Subscribe to RSS Feed
- Permalink
09-01-2020 04:22 AM
there's several layers where sessions are inspected and where a poliy decission can be taken to drop connections
The session is first processed at layer 3 where it is allowed or denied based on source/destination IP, source/destination zone and destination port and protocol. Once a connection is allowed based on the 6tuple, the traffic log will be an allow action, but the session may later be dropped due to an expired certificate (if ssl decryption is enabled) or an application switch or a threat profile that simply drops the connection
at the far-left of the log entry there's a log details icon that will show you more details and any related logs. this may shed some light on the reason for the session to get ended
PANgurus - (co)managed services and consultancy
- Mark as New
- Subscribe to RSS Feed
- Permalink
09-02-2020 10:21 PM
Hi,
Thank you for your reply.
I checked the detailed log and found that the destination address is https://api.snapcraft.io, and the certificate of this address is not expired but normal.
And there were no blocked or denied sessions in the threat log.
Is there anything else I need to check?
Thanks in advance.
/STHONG
- Mark as New
- Subscribe to RSS Feed
- Permalink
12-29-2022 12:41 AM
Hi,
We are facing something similar.
A client trying to access from the internet side to our website and our FW for some reason deny the traffic.
This happens only to one client while all other clients able to access the site normally.
we also see a traffic log with action ALLOW and session end reason POLICY-DENY.
In the rule we only have VP profile but we don't see any threat log.
we did see from the output of the command "show counter global filter delta yes packet-filter yes severity drop":
flow_acion_close >> TCP sessions closed via injecting RST.
we ran a flow basic debug:
== 2022-12-28 14:15:30.994 +0200 ==
Packet received at ingress stage, tag 0, type ORDERED
Packet info: len 70 port 82 interface 129 vsys 1
wqe index 544734 packet 0x0x80000003942f40f8, HA: 0, IC: 0
Packet decoded dump:
L2: 2c:b6:93:56:07:00->b4:0c:25:e0:40:11, VLAN 3010 (0x8100 0x0bc2), type 0x0800
IP: Client-IP->Server-IP, protocol 6
version 4, ihl 5, tos 0x08, len 52,
id 19914, frag_off 0x4000, ttl 119, checksum 1599(0x63f)
TCP: sport 58420, dport 443, seq 4187513754, ack 0,
reserved 0, offset 8, window 64240, checksum 33105,
flags 0x02 ( SYN), urgent data 0, l4 data len 0
TCP option:
CP-DENY TCP non data packet getting through
Forwarding lookup, ingress interface 129
L3 mode, virtual-router 1
Route lookup in virtual-router 1, IP Server-IP
Route found, interface ae1.89, zone 5
Resolve ARP for IP Server-IP on interface ae1.89
ARP entry found on interface 190
Transmit packet size 52 on port 16
== 2022-12-28 14:15:30.959 +0200 ==
Packet received at fastpath stage, tag 548459, type ATOMIC
Packet info: len 70 port 80 interface 190 vsys 1
wqe index 545439 packet 0x0x80000003940430e4, HA: 0, IC: 0
Packet decoded dump:
L2: 00:94:a1:56:25:8a->b4:0c:25:e0:40:10, VLAN 89 (0x8100 0x0059), type 0x0800
IP: Server-IP->Client-IP, protocol 6
version 4, ihl 5, tos 0x00, len 52,
id 37496, frag_off 0x4000, ttl 255, checksum 14744(0x3998)
TCP: sport 443, dport 58417, seq 1707377135, ack 3880782354,
reserved 0, offset 8, window 14520, checksum 51352,
flags 0x12 ( SYN ACK), urgent data 0, l4 data len 0
TCP option:
00000000: 02 04 05 b4 01 03 03 02 04 02 00 00 ........ ....
Flow fastpath, session 548459 s2c (set work 0x800000038f346e80 exclude_video 0 from sp 0x80000002aa7d5e80 exclude_video 0)
* Dos Profile NULL (NO) Index (0/0) *
Syn Cookie: pan_reass(Init statete): c2s:1 c2s:nxtseq 3880782354 c2s:startseq 3880782354 c2s:win 14520 c2s:st 3 c2s:newsyn 0 :: s2c:nxtseq 1707377136 s2c:startseq 1707377136 s2c
:win 64240 s2c:st 3 s2c:newsyn 0 ack 3880782354 nosyn 0 plen 0
CP-DENY TCP non data packet getting through
Forwarding lookup, ingress interface 190
L3 mode, virtual-router 1
Route lookup in virtual-router 1, IP Client-IP
Route found, interface ae2.3010, zone 6, nexthop LinkProof-Float
Resolve ARP for IP LinkProof-Float on interface ae2.3010
ARP entry found on interface 129
Transmit packet size 52 on port 17
Any advice on what might be the reason for the traffic being dropped?
- Server got rebooted due to Memory Dump issue in Cortex XDR Discussions
- Advanced threat protection_Deep Learning in Next-Generation Firewall Discussions
- Video Demo on Proactive Best Practices Analyzer feature in AIOps in AIOps for NGFW Discussions
- URL Filtering log with action allow in General Topics
- Global Protect in General Topics
Show your appreciation!
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
