policy and security profiles


L4 Transporter

Hey,

I tried to troubleshoot some traffic behaviour, and I created a rule without any security profile and with application override.

When I run those commands to look at the traffic, I found this.

admin@PA-500> show session all filter destination 147.235.246.154

--------------------------------------------------------------------------------

ID      Application    State   Type Flag  Src[Sport]/Zone/Proto (translated IP[Port])

Vsys                                      Dst[Dport]/Zone (translated IP[Port])

--------------------------------------------------------------------------------

19110   Jumbomail      ACTIVE  FLOW       192.168.1.149[58525]/trust/6  (192.168.1.149[58525])

vsys1                                     147.235.246.154[80]/untrust  (147.235.246.154[80])

8439    Jumbomail      ACTIVE  FLOW       192.168.1.149[58524]/trust/6  (192.168.1.149[58524])

vsys1                                     147.235.246.154[80]/untrust  (147.235.246.154[80])

admin@PA-500>

admin@PA-500>

admin@PA-500> show session id 8439

Session            8439

        c2s flow:

                source:      192.168.1.149 [trust]

                dst:         147.235.246.154

                proto:       6

                sport:       58524           dport:      80

                state:       ACTIVE          type:       FLOW

                src user:    unknown

                dst user:    unknown

        s2c flow:

                source:      147.235.246.154 [untrust]

                dst:         192.168.1.149

                proto:       6

                sport:       80              dport:      58524

                state:       ACTIVE          type:       FLOW

                src user:    unknown

                dst user:    unknown

        start time                    : Tue Jun 25 18:06:37 2013

        timeout                       : 3600 sec

        time to live                  : 3584 sec

        total byte count(c2s)         : 670

        total byte count(s2c)         : 122

        layer7 packet count(c2s)      : 3

        layer7 packet count(s2c)      : 2

        vsys                          : vsys1

        application                   : Jumbomail

        rule                          : rule1

        session to be logged at end   : True

        session in session ager       : True

        session synced from HA peer   : False

        layer7 processing             : completed

        URL filtering enabled         : True

        URL category                  : any

        session via syn-cookies       : False

        session terminated on host    : False

        session traverses tunnel      : False

        captive portal session        : False

        ingress interface             : ethernet1/2

        egress interface              : ethernet1/1

        session QoS rule              : N/A (class 4)

        session tracker stage l7proc  : fastpath state none

admin@PA-500> show session id 19110

Session           19110

        c2s flow:

                source:      192.168.1.149 [trust]

                dst:         147.235.246.154

                proto:       6

                sport:       58525           dport:      80

                state:       ACTIVE          type:       FLOW

                src user:    unknown

                dst user:    unknown

        s2c flow:

                source:      147.235.246.154 [untrust]

                dst:         192.168.1.149

                proto:       6

                sport:       80              dport:      58525

                state:       ACTIVE          type:       FLOW

                src user:    unknown

                dst user:    unknown

        start time                    : Tue Jun 25 18:06:37 2013

        timeout                       : 30 sec

        time to live                  : 17 sec

        total byte count(c2s)         : 242

        total byte count(s2c)         : 122

        layer7 packet count(c2s)      : 4

        layer7 packet count(s2c)      : 2

        vsys                          : vsys1

        application                   : Jumbomail

        rule                          : rule1

        session to be logged at end   : True

        session in session ager       : True

        session synced from HA peer   : False

        layer7 processing             : completed

        URL filtering enabled         : True

        URL category                  : any

        session via syn-cookies       : False

        session terminated on host    : False

        session traverses tunnel      : False

        captive portal session        : False

        ingress interface             : ethernet1/2

        egress interface              : ethernet1/1

        session QoS rule              : N/A (class 4)

        session tracker stage l7proc  : fastpath state none

admin@PA-500>

-------------------------------------------------------------------------------------------

Why is the output as follows:

URL filtering enabled         : True

Thanks,

Dor

6 REPLIES

L6 Presenter

Can you type the output of

show rulebase security rules rule1

in configure mode?

L3 Networker

The URL filtering you are seeing in the session is for the URL category in the security policy itself, under the service/URL category tab.

admin@PA-500# show rulebase security rules rule1

rule1 {

  option {

    disable-server-response-inspection no;

  }

  from trust;

  to untrust;

  source Mgmt_Terminal;

  destination any;

  source-user any;

  category any;

  application any;

  service any;

  hip-profiles any;

  action allow;

  log-start no;

  log-end yes;

  negate-source no;

  negate-destination no;

  tag Internet;

  disabled no;

}

When you disable the app override, do you see the same for those sessions?

admin@PA-500> show session id 24387

Session           24387

        c2s flow:

                source:      192.168.1.149 [trust]

                dst:         147.235.246.154

                proto:       6

                sport:       62834           dport:      80

                state:       ACTIVE          type:       FLOW

                src user:    unknown

                dst user:    unknown

        s2c flow:

                source:      147.235.246.154 [untrust]

                dst:         192.168.1.149

                proto:       6

                sport:       80              dport:      62834

                state:       ACTIVE          type:       FLOW

                src user:    unknown

                dst user:    unknown

        start time                    : Tue Jun 25 20:41:31 2013

        timeout                       : 30 sec

        time to live                  : 23 sec

        total byte count(c2s)         : 1463

        total byte count(s2c)         : 946

        layer7 packet count(c2s)      : 6

        layer7 packet count(s2c)      : 6

        vsys                          : vsys1

        application                   : web-browsing

        rule                          : rule1

        session to be logged at end   : True

        session in session ager       : True

        session synced from HA peer   : False

        layer7 processing             : enabled

        URL filtering enabled         : True

        URL category                  : reference-and-research

        session via syn-cookies       : False

        session terminated on host    : False

        session traverses tunnel      : False

        captive portal session        : False

        ingress interface             : ethernet1/2

        egress interface              : ethernet1/1

        session QoS rule              : N/A (class 4)

admin@PA-500>

I have one rule in which I use a custom URL category to match the rule. Maybe it is because of this rule?

Delete that rule temporarily; you should see URL filtering enabled False.

That is why you see enabled.

Already replicated.
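The comparison the thread makes by eye, as an added example that is not from any participant: a small Python parser for `show session id` output that diffs two dumps. The two samples are trimmed copies of sessions 19110 (with the application override) and 24387 (without it) posted above; the function names are hypothetical. `URL filtering enabled` does not appear in the diff, consistent with the reply that ties it to the rulebase rather than to the override.

```python
import re

# Trimmed copies of two "show session id" dumps from the thread:
# 19110 was taken with the application override in place, 24387 without it.
SESSION_OVERRIDE = """\
Session           19110
        c2s flow:
                sport:       58525           dport:      80
        timeout                       : 30 sec
        application                   : Jumbomail
        rule                          : rule1
        layer7 processing             : completed
        URL filtering enabled         : True
        URL category                  : any
"""
SESSION_INSPECTED = """\
Session           24387
        c2s flow:
                sport:       62834           dport:      80
        timeout                       : 30 sec
        application                   : web-browsing
        rule                          : rule1
        layer7 processing             : enabled
        URL filtering enabled         : True
        URL category                  : reference-and-research
"""

# Session-level fields are "name<spaces>: value"; flow lines are "name: value"
# with no space before the colon, so this pattern skips the c2s/s2c blocks.
FIELD = re.compile(r"^\s+(\S.*?)\s+:\s+(.*\S)\s*$")

def parse_session(text):
    """Return the session-level fields of one dump as a dict."""
    fields = {}
    for line in text.splitlines():
        m = FIELD.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields

def compare(a, b):
    """Map each shared field to (value_a, value_b) where the values differ."""
    pa, pb = parse_session(a), parse_session(b)
    return {k: (pa[k], pb[k]) for k in pa if k in pb and pa[k] != pb[k]}

if __name__ == "__main__":
    for name, (x, y) in compare(SESSION_OVERRIDE, SESSION_INSPECTED).items():
        print(f"{name:24} {x!r} -> {y!r}")
```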
