Traffic Log - What's the difference between the "Type" field and the "action" field

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Traffic Log - What's the difference between the "Type" field and the "action" field

L2 Linker

While investigating and navigating in the Traffic Log, I noticed for some traffic the Type is Drop and the Action is Deny, While in some traffic, the Type is Deny and the Action is Reset Both.

 

1.pngTraffic Log.png

 

The Security Policy Rule is configured with the Deny Action without Security Profiles.

 

2.png

 

How to explain this behavior in the Traffic Logs?

3 REPLIES 3

L2 Linker
Type (type)
Specifies the type of log; value is TRAFFIC.
Threat/Content Type (subtype)
Subtype of traffic log; values are start, end, drop, and deny
 
  • Start—session started
 
  • End—session ended
 
  • Drop—session dropped before the application is identified and there is no rule that allows the session.
 
  • Deny—session dropped after the application is identified and there is a rule to block or no rule that allows the session.
 
Action (action)
Action taken for the session; possible values are:
 
  • allow—session was allowed by policy
 
  • deny—session was denied by policy
 
  • drop—session was dropped silently
 
  • drop ICMP—session was silently dropped with an ICMP unreachable message to the host or application
 
  • reset both—session was terminated and a TCP reset is sent to both the sides of the connection
 
  • reset client—session was terminated and a TCP reset is sent to the client
 
  • reset server—session was terminated and a TCP reset is sent to the server
 
Zain

I read it in the admin guide, but according to the log output: Why some traffic the Type is Drop and the Action is Deny, While in some traffic, the Type is Deny and the Action is Reset Both. While the security policy rule is configured with the action Deny.?

L2 Linker

This is also mentioned in the admin guide:

  • Drop—session dropped before the application is identified and there is no rule that allows the session.
 
  • Deny—session dropped after the application is identified and there is a rule to block or no rule that allows the session.

    About the reset, The palo alto firewall only sends tcp reset if the traffic is identified as threat.

    About the reset both: I think it will happen during SSL forward proxy were the firewall intercept the tcp handshake and so it will sent tcp reset to the client and the server.
Zain
  • 1199 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!