"end" but no "start" log while session breakdown. logging set to start and end of session

cancel
Showing results for 
Search instead for 
Did you mean: 

"end" but no "start" log while session breakdown. logging set to start and end of session

L0 Member

Hello, we have the following issue:

 

Customer complains, that their web services, that are reachable from the internet through a palo alto firewall, show sporadic breakdown of incoming ssl connections for a couple of minutes. After analyzing the logs on the palo alto, I see in the corresponding time frame log entries with type session "end", but no corresponding logs for session "start". I verified this by filtering on the session ID. The amount of logs with session "start" on the concerned services is very low to zero in the disrupted time frame, but there are numerous with "end" (without start). 

 

The policy was set to logging at start and at the end of the session, and it seems, that this phenomenon occurs only in relation to the issue with the sporadic breakdown of incoming sessions. The issue affects only certain services.

 

Any ideas as to the cause?

PA-5250, PanOS 10.1.5-h1

 

Many thanks in advance / Best regards

Hakan

3 REPLIES 3

L4 Transporter

Do you have "start" log enabled on all your rules or just the one rule you are investigating? Traffic can start in one rule, but later be recategorized to another rule when the Application/etc. is better matched.

This is very interesting. But actual, there is only one policy, allowing traffic to the specific destinations. The only alternative is the deny all policy. But since we are talking about a connection that has to be started at a certain point in time, it can only be the specific rule in my opinion. But yes, we enabled the "start" log only on this specific policy for debugging the issue with the missing connections on the webserver.

L4 Transporter

There are 2 default policies: intrazone-default - Allow and interzone-default - Deny, which do not log by default. You can change these to log by selecting the policy and then hitting the "Override" button at the bottom to unlock, then change the logging on the policy.

 

You say you only have one policy to the specific destinations, but you may have a different policy that also allows an initial connection. Remember, PaloAlto security policies work on a "best match" basis, not an order of policy list (like most other firewalls). Something that is not identified/misidentified as one protocol at the vary start of the connection may go thru one policy, only to be recategorized to a different policy when better identified.

 

Try checking which policies may match using the "Test Policy Match" link at the bottom of the Policies - Security tab. Put only the minimum amount of information in that the PA would have at the start of a connection: source/dest addresses, dest port, and select the "show all possible match rules..." checkbox. Does you traffic possibly match another policy you weren't expecting?

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!