01-09-2025 06:15 PM
Hi All,
Some weird stuff going on on our unit: what are the chances that the firewall logged traffic that it received hours ago?
In our case, the firewall logged RDP connections that occurred in the early morning. However, the target servers didn't log any login attempts at all. The alleged source IP of the connections was down during that period (although we are not ruling out that some other device "borrowed" the source IP).
What I also found odd is that we would normally see RDP TCP connections... the log entries in question are RDP UDP, and had "aged-out" as Session End Reason.
Is it possible that somehow, those connections were initiated hours earlier, then somehow our firewall logged it as having occurred in the early morning?
01-09-2025 08:13 PM
Hi @itassetbenilde ,
Please verify the traffic log setting configuration, as logging depends on the security policy log setting configuration. Please refer to the KB below for more details.
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Clt5CAC