This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Traffic Log - What's the difference between the "Type" field and the "action" field

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Traffic Log - What's the difference between the "Type" field and the "action" field

rmeddane
L2 Linker

‎01-19-2024 01:30 PM

While investigating and navigating in the Traffic Log, I noticed for some traffic the Type is Drop and the Action is Deny, While in some traffic, the Type is Deny and the Action is Reset Both.

 

1.pngTraffic Log.png

 

The Security Policy Rule is configured with the Deny Action without Security Profiles.

 

2.png

 

How to explain this behavior in the Traffic Logs?

0 Likes Likes
3 REPLIES 3

msyeedrafiqi
L2 Linker

‎01-19-2024 01:38 PM

Type (type)
Specifies the type of log; value is TRAFFIC.
Threat/Content Type (subtype)
Subtype of traffic log; values are start, end, drop, and deny
 
  • Start—session started
 
  • End—session ended
 
  • Drop—session dropped before the application is identified and there is no rule that allows the session.
 
  • Deny—session dropped after the application is identified and there is a rule to block or no rule that allows the session.
 
Action (action)
Action taken for the session; possible values are:
 
  • allow—session was allowed by policy
 
  • deny—session was denied by policy
 
  • drop—session was dropped silently
 
  • drop ICMP—session was silently dropped with an ICMP unreachable message to the host or application
 
  • reset both—session was terminated and a TCP reset is sent to both the sides of the connection
 
  • reset client—session was terminated and a TCP reset is sent to the client
 
  • reset server—session was terminated and a TCP reset is sent to the server
 
Zain
0 Likes Likes

rmeddane
L2 Linker
In response to msyeedrafiqi

‎01-19-2024 10:41 PM

I read it in the admin guide, but according to the log output: Why some traffic the Type is Drop and the Action is Deny, While in some traffic, the Type is Deny and the Action is Reset Both. While the security policy rule is configured with the action Deny.?

0 Likes Likes

msyeedrafiqi
L2 Linker

‎01-20-2024 07:28 AM - edited ‎01-20-2024 07:29 AM

This is also mentioned in the admin guide:

  • Drop—session dropped before the application is identified and there is no rule that allows the session.
 
  • Deny—session dropped after the application is identified and there is a rule to block or no rule that allows the session.

    About the reset, The palo alto firewall only sends tcp reset if the traffic is identified as threat.

    About the reset both: I think it will happen during SSL forward proxy were the firewall intercept the tcp handshake and so it will sent tcp reset to the client and the server.
Zain
0 Likes Likes
  • 843 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks