09-02-2013 06:03 AM
Hi,
When we look from traffic logs to a session detail and to same session from cli (show session id)
we see completely different information except for id(different source,destination,application etc..), I've seen this for many devices different times and different panos versions.When we have this issue how can we fix that except for deleting all logs.thanks
09-02-2013 07:34 AM
Session IDs are reused according to the device session capability. To check, you can use the CLI command "show session info". Here is an example from a PA-200:
Number of sessions supported: 65532
Number of active sessions: 1560
If you are looking at logs long enough after they were created, the session ID will have been reused. You can take a look at your average active session usage at peak times to get an idea of the maximum time you should expect the sessions to remain valid for future review. A PA-5060 used only in a lab may have weeks or months before the session IDs wrap, but that same firewall used in a full production environment close to capacity may see only a few hours before those IDs are reused.
Hope this helps,
Greg
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
