Policy log settings

L1 Bithead

Hi Pals,

I would like a second opinion on my observation regarding the options 'log at session start' and 'log at session end'. I have tried both options and at the same time monitored the generated traffic logs for each setting. This is my observation:

a) For log at session end, there is only one traffic log created for a session

b) For log at session start, it seemed that whenever there is a change in the App-ID within a session, a new log will be created. E.g. when visiting facebook, 2 logs were generated, one for web-browsing and another for facebook-base.

Anyone can comment on my observation?

Thanks


L3 Networker

Hello Suhaimi,

Your observation is expected behavior. As the name suggests, the log at session end option tags a session at its very beginning and generates a log for it. Now the second log you see (facebook-base in your case) is created at session end.

Hope this helps.

Yashwanth

L3 Networker

Hello,

I believe you are seeing that because the App-ID change triggers the session to do a security policy lookup. Though the session ID remains the same, the firewall will write a new log when you set log at session start and the security policy lookup is done due to an application shift.

I hope that explains the behavior you are seeing. Also, the option log at session start is recommended for troubleshooting purposes only. Enabling the log at session start option will force the firewall to log the same session twice (duplicate logs). Logging is a resource intensive process and can cause significant performance degradation, strictly based on the number of rules where this option is enabled and the number of sessions hitting those rules.

Regards,

Deepak

Hello Deepak,

Thanks for the reply. When you mention that log at session start will "force the firewall to log the same session twice (Duplicate logs)", are you referring to the same log being repeated twice or 2 different logs with different app-id?

Thanks

L3 Networker

Let's say there was never an application shift; even in this case there will be two logs for the same session ID. This is because the firewall does a security policy lookup to allow the service first (i.e. the SYN in a TCP session); since this is the start of the session, a log will be generated for this. Once the application is identified and the session is closed, the log at session end will generate a traffic log for this. From an information POV, the log at session end will have more info than the log at session start in terms of number of bytes sent in the C2S and S2C flows. You'll end up with duplicate logs for the same session. Which one is more useful than the other depends on the issue you are troubleshooting.

Regards,

Deepak
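The behaviour Deepak describes (one session-start record per policy lookup, including one per App-ID shift, plus a single session-end record carrying the byte counts) is exactly what a SIEM or log pipeline has to collapse when both options are enabled. The following is an added example, not code from the thread or from Palo Alto Networks: it parses a constructed CSV extract of traffic logs (a small subset of the real PAN-OS field set, with the real `subtype` field holding `start` or `end`), groups records by session ID, prefers the session-end record for byte counts, and counts the App-ID shifts and duplicate records per session. The column layout and the sample rows are assumptions made for illustration.

```python
import csv
import io
from collections import OrderedDict
from dataclasses import dataclass, field

# Constructed sample, not real firewall output. Only a handful of the real
# PAN-OS traffic log columns are kept; "subtype" is the genuine field that
# distinguishes session-start ("start") from session-end ("end") records.
# Session 1001 shows an App-ID shift (web-browsing -> facebook-base) under
# log-at-session-start; 1002 has no shift but still logs twice; 1003 hits a
# rule with log-at-session-end only.
SAMPLE_LOG = """receive_time,session_id,subtype,app,src,dst,rule,bytes_sent,bytes_received
2024/01/10 09:00:01,1001,start,web-browsing,10.1.1.5,157.240.1.35,allow-web,0,0
2024/01/10 09:00:01,1001,start,facebook-base,10.1.1.5,157.240.1.35,allow-web,0,0
2024/01/10 09:05:32,1001,end,facebook-base,10.1.1.5,157.240.1.35,allow-web,48210,913400
2024/01/10 09:00:07,1002,start,ssl,10.1.1.9,93.184.216.34,allow-web,0,0
2024/01/10 09:01:40,1002,end,ssl,10.1.1.9,93.184.216.34,allow-web,3020,15788
2024/01/10 09:02:11,1003,end,dns,10.1.1.5,10.1.1.1,allow-dns,74,120
"""


@dataclass
class SessionSummary:
    session_id: str
    apps: list = field(default_factory=list)  # App-IDs in the order they were logged
    start_logs: int = 0                       # records with subtype=start
    end_logs: int = 0                         # records with subtype=end
    bytes_sent: int = 0                       # C2S bytes, taken from the end record
    bytes_received: int = 0                   # S2C bytes, taken from the end record

    @property
    def app_shifts(self) -> int:
        # Every App-ID after the first one is an application shift that
        # triggered a fresh policy lookup (and a fresh start log).
        return max(len(self.apps) - 1, 0)

    @property
    def duplicate_logs(self) -> int:
        # Records beyond the single session-end entry that log-at-session-end
        # alone would have produced.
        return max(self.start_logs + self.end_logs - 1, 0)


def parse_traffic_log(text: str) -> list:
    """Parse the CSV extract into a list of dict rows (one per log record)."""
    return list(csv.DictReader(io.StringIO(text)))


def summarize_sessions(rows) -> "OrderedDict[str, SessionSummary]":
    """Collapse start/end records into one summary per session ID."""
    sessions = OrderedDict()
    for row in rows:
        s = sessions.setdefault(row["session_id"], SessionSummary(row["session_id"]))
        # Track App-ID changes; the end record repeats the final App-ID.
        if not s.apps or s.apps[-1] != row["app"]:
            s.apps.append(row["app"])
        if row["subtype"] == "start":
            s.start_logs += 1
        elif row["subtype"] == "end":
            # Only the end record carries meaningful byte counts, so it wins.
            s.end_logs += 1
            s.bytes_sent = int(row["bytes_sent"])
            s.bytes_received = int(row["bytes_received"])
    return sessions


def total_duplicate_logs(sessions) -> int:
    """Extra records the collector ingested because of log-at-session-start."""
    return sum(s.duplicate_logs for s in sessions.values())


if __name__ == "__main__":
    summaries = summarize_sessions(parse_traffic_log(SAMPLE_LOG))
    for s in summaries.values():
        print(f"session {s.session_id}: apps={s.apps} shifts={s.app_shifts} "
              f"start={s.start_logs} end={s.end_logs} "
              f"c2s={s.bytes_sent} s2c={s.bytes_received} dup={s.duplicate_logs}")
    print("duplicate records total:", total_duplicate_logs(summaries))
```

Keying on the session ID rather than on the 5-tuple matters here: the App-ID shift does not change the session, so the two start records and the end record for session 1001 all share one ID and must be merged rather than treated as three flows.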
