01-30-2023 08:08 AM
I have a problem in paloalto and is that I see that a particular rule increases hits but does not show the traffic in the logs, however, everything is configured to see it, if I see, the start and end of sessions but in the Fortigate in front of me I see much more traffic with that particular origin and destination. any help?
01-30-2023 02:12 PM
- Does your firewall have active support licenses? Is VM-Series firewall or an appliance?
- Are you completely sure that "log at start" is indeed enabled?
- Does this firewall managed by Panorama? Where do you search the logs, locally on the firewall or on the Panorama?
On top of my head I can think of three possible reasons:
- Firewall is VM without active license. In that case firewall operates with limited functionalities. Without active license VM firewall will never create traffic log. It may increase the rule hit count, you could still see the session in session table (in real time), but no log will be generated.
- Rule is configured with "log at end" only. Which means that this rule initially hit, which increases rule hit count, but at some point firewall have gather more information from the forwarded traffic which have caused application shift or URL was detected. Something that have made this session no longer matching this rule. In that case firewall will perform another policy lookup and select different rule. So when the session is closed it will be logged under the rule name from the last policy lookup
- Firewall is managed by Panorama, but no Log Forwarding profile is assigned to the rule. If admin is looking at Panorama it may see rule is being hit, but since no logs are forwarded from firewall to Panorama, you will not see any traffic log. You should be able to see them if check traffic logs locally on the firewall.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!