06-25-2013 08:44 AM
Hey,
I tried to troubleshoot some traffic behaviour, and I created a rule without any security profile and with application override.
When I ran these commands to look at the traffic, I found this.
admin@PA-500> show session all filter destination 147.235.246.154
--------------------------------------------------------------------------------
ID Application State Type Flag Src[Sport]/Zone/Proto (translated IP[Port])
Vsys Dst[Dport]/Zone (translated IP[Port])
--------------------------------------------------------------------------------
19110 Jumbomail ACTIVE FLOW 192.168.1.149[58525]/trust/6 (192.168.1.149[58525])
vsys1 147.235.246.154[80]/untrust (147.235.246.154[80])
8439 Jumbomail ACTIVE FLOW 192.168.1.149[58524]/trust/6 (192.168.1.149[58524])
vsys1 147.235.246.154[80]/untrust (147.235.246.154[80])
admin@PA-500>
admin@PA-500>
admin@PA-500> show session id 8439
Session 8439
c2s flow:
source: 192.168.1.149 [trust]
dst: 147.235.246.154
proto: 6
sport: 58524 dport: 80
state: ACTIVE type: FLOW
src user: unknown
dst user: unknown
s2c flow:
source: 147.235.246.154 [untrust]
dst: 192.168.1.149
proto: 6
sport: 80 dport: 58524
state: ACTIVE type: FLOW
src user: unknown
dst user: unknown
start time : Tue Jun 25 18:06:37 2013
timeout : 3600 sec
time to live : 3584 sec
total byte count(c2s) : 670
total byte count(s2c) : 122
layer7 packet count(c2s) : 3
layer7 packet count(s2c) : 2
vsys : vsys1
application : Jumbomail
rule : rule1
session to be logged at end : True
session in session ager : True
session synced from HA peer : False
layer7 processing : completed
URL filtering enabled : True
URL category : any
session via syn-cookies : False
session terminated on host : False
session traverses tunnel : False
captive portal session : False
ingress interface : ethernet1/2
egress interface : ethernet1/1
session QoS rule : N/A (class 4)
session tracker stage l7proc : fastpath state none
admin@PA-500> show session id 19110
Session 19110
c2s flow:
source: 192.168.1.149 [trust]
dst: 147.235.246.154
proto: 6
sport: 58525 dport: 80
state: ACTIVE type: FLOW
src user: unknown
dst user: unknown
s2c flow:
source: 147.235.246.154 [untrust]
dst: 192.168.1.149
proto: 6
sport: 80 dport: 58525
state: ACTIVE type: FLOW
src user: unknown
dst user: unknown
start time : Tue Jun 25 18:06:37 2013
timeout : 30 sec
time to live : 17 sec
total byte count(c2s) : 242
total byte count(s2c) : 122
layer7 packet count(c2s) : 4
layer7 packet count(s2c) : 2
vsys : vsys1
application : Jumbomail
rule : rule1
session to be logged at end : True
session in session ager : True
session synced from HA peer : False
layer7 processing : completed
URL filtering enabled : True
URL category : any
session via syn-cookies : False
session terminated on host : False
session traverses tunnel : False
captive portal session : False
ingress interface : ethernet1/2
egress interface : ethernet1/1
session QoS rule : N/A (class 4)
session tracker stage l7proc : fastpath state none
admin@PA-500>
-------------------------------------------------------------------------------------------
Why is the output as follows:
URL filtering enabled : True
Thanks,
Dor
06-25-2013 10:17 AM
admin@PA-500# show rulebase security rules rule1
rule1 {
option {
disable-server-response-inspection no;
}
from trust;
to untrust;
source Mgmt_Terminal;
destination any;
source-user any;
category any;
application any;
service any;
hip-profiles any;
action allow;
log-start no;
log-end yes;
negate-source no;
negate-destination no;
tag Internet;
disabled no;
}
06-25-2013 10:26 AM
When you disable the app override, do you see the same for those sessions?
06-25-2013 10:42 AM
admin@PA-500> show session id 24387
Session 24387
c2s flow:
source: 192.168.1.149 [trust]
dst: 147.235.246.154
proto: 6
sport: 62834 dport: 80
state: ACTIVE type: FLOW
src user: unknown
dst user: unknown
s2c flow:
source: 147.235.246.154 [untrust]
dst: 192.168.1.149
proto: 6
sport: 80 dport: 62834
state: ACTIVE type: FLOW
src user: unknown
dst user: unknown
start time : Tue Jun 25 20:41:31 2013
timeout : 30 sec
time to live : 23 sec
total byte count(c2s) : 1463
total byte count(s2c) : 946
layer7 packet count(c2s) : 6
layer7 packet count(s2c) : 6
vsys : vsys1
application : web-browsing
rule : rule1
session to be logged at end : True
session in session ager : True
session synced from HA peer : False
layer7 processing : enabled
URL filtering enabled : True
URL category : reference-and-research
session via syn-cookies : False
session terminated on host : False
session traverses tunnel : False
captive portal session : False
ingress interface : ethernet1/2
egress interface : ethernet1/1
session QoS rule : N/A (class 4)
admin@PA-500>
I have one rule where I use a custom URL category to match the rule. Maybe it is because of this rule?
06-25-2013 10:58 AM
Delete that rule temporarily; you should see URL filtering enabled False.
That is why you see enabled.
Already replicated.
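A small parser for the `show session id` output pasted in this thread, added here as an example (not code from any poster or from Palo Alto Networks). It diffs the override and non-override sessions to show that `URL filtering enabled` is `True` in both, while application, Layer 7 state, timeout and URL category differ. The sample text is abridged from the posts above; the function names are illustrative.

```python
import re

# Abridged from the `show session id` outputs posted in this thread.
WITH_OVERRIDE = """Session 8439
c2s flow:
source: 192.168.1.149 [trust]
sport: 58524 dport: 80
timeout : 3600 sec
application : Jumbomail
layer7 processing : completed
URL filtering enabled : True
URL category : any
"""
WITHOUT_OVERRIDE = """Session 24387
c2s flow:
source: 192.168.1.149 [trust]
sport: 62834 dport: 80
timeout : 30 sec
application : web-browsing
layer7 processing : enabled
URL filtering enabled : True
URL category : reference-and-research
"""

def parse_session(text):
    """Parse one session dump into id, per-flow fields and summary fields."""
    out = {"id": None, "c2s": {}, "s2c": {}, "summary": {}}
    section = None
    for line in text.splitlines():
        line = line.strip()
        if m := re.fullmatch(r"Session\s+(\d+)", line):
            out["id"] = int(m.group(1))
        elif m := re.fullmatch(r"(c2s|s2c) flow:", line):
            section = m.group(1)
        elif " : " in line:   # summary fields are printed as "key : value"
            key, value = line.split(" : ", 1)
            out["summary"][key.strip()] = value.strip()
        elif section:         # flow fields are "key: value", sometimes two per line
            for key, value in re.findall(r"(\w[\w ]*?):\s*(\S+)", line):
                out[section][key] = value
    return out

def diff_sessions(a, b):
    """Return summary fields whose values differ, as {field: (a_value, b_value)}."""
    sa, sb = a["summary"], b["summary"]
    return {k: (sa.get(k), sb.get(k)) for k in sorted(set(sa) | set(sb)) if sa.get(k) != sb.get(k)}

if __name__ == "__main__":
    for field, pair in diff_sessions(parse_session(WITH_OVERRIDE), parse_session(WITHOUT_OVERRIDE)).items():
        print(f"{field}: {pair[0]!r} -> {pair[1]!r}")
```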