About HULK

HULK · ‎07-24-2014

As Hardik said, you need to close the browser or connection to generate traffic logs ( assuming that, you have only enabled "log at session end" on security policy). Otherwise, it will keep the session active till default session timeout value. Default timeout values are given below: Session timeout TCP default timeout: 3600 secs TCP session timeout before SYN-ACK received: 5 secs TCP session timeout before 3-way handshaking: 10 secs TCP session timeout after FIN/RST: 30 secs UDP default timeout: 30 secs ICMP default timeout: 6 secs other IP default timeout: 30 secs Captive Portal session timeout: 30 secs Session timeout in discard state: TCP: 90 secs, UDP: 60 secs, other IP protocols: 60 secs Hope this helps. Thanks

HULK · ‎07-24-2014

Otherway, if there is an Active session exist on the firewall, you may grab the session ID and see detailed info as mentioned below: > show session all filter source x.x.x.x destination y.y.y.y 9936 dns ACTIVE FLOW NS 100.100.100.1[53621]/trust-L3/17 (1.1.1.2[43506]) vsys1 8.8.8.4[53]/untrust-L3 (8.8.8.4[53]) admin@31-PA-3020> show session id 9936 Session 9936 c2s flow: source: 100.100.100.1 [trust-L3] dst: 8.8.8.4 proto: 17 sport: 53621 dport: 53 state: ACTIVE type: FLOW src user: plano2003\csharma >>>>>>>>>>>>>>> Source User dst user: unknown s2c flow: source: 8.8.8.4 [untrust-L3] dst: 1.1.1.2 proto: 17 sport: 53 dport: 43506 state: ACTIVE type: FLOW src user: unknown dst user: plano2003\csharma start time : Thu Jul 24 12:33:04 2014 timeout : 30 sec time to live : 12 sec total byte count(c2s) : 240 total byte count(s2c) : 0 layer7 packet count(c2s) : 3 layer7 packet count(s2c) : 0 vsys : vsys1 application : dns rule : trust-to-untrust >>>>>>> Security rule session to be logged at end : True session in session ager : True session synced from HA peer : False address/port translation : source + destination nat-rule : nat-inside-2-outside(vsys1) >>>>>>>>>>>>>> NAT policy name layer7 processing : enabled URL filtering enabled : True URL category : any session via syn-cookies : False session terminated on host : False session traverses tunnel : True captive portal session : False ingress interface : tunnel.1 >>>>>>>>>>>>>> Incoming interface egress interface : ethernet1/3 >>>>>>>>>>>>>>>> Outgoing interface session QoS rule : N/A (class 4) Thanks

HULK · ‎07-24-2014

Related doc: Session Log Best Practice Thanks

HULK · ‎07-24-2014

Hello Satish, If you want to see logs for troubleshooting/monitoring purpose, then Monitor >logs will help you for the same. You may also check ACC report for all traffic/threat related activity. To generate logs report for audit/database/analysis, follow mentioned discussion: Reports Thanks

HULK · ‎07-24-2014

What log settings are enabled in the security-policy: Thanks

HULK · ‎07-24-2014

Hello Satish, Are you unable to see logs under Monitor > traffic....? You may check with below mentioned CLI command, to confirm that the PAN firewall is generating traffic logs: admin@31-PA-3020> debug log-receiver statistics Example: Logging statistics ------------------------------ ----------- Log incoming rate: 2/sec Log written rate: 2/sec >>>>>>>>>>>>>>>>>>>>> Corrupted packets: 0 Corrupted URL packets: 0 Logs discarded (queue full): 0 Traffic logs written: 504023 URL logs written: 2133 Wildfire logs written: 0 Anti-virus logs written: 0 Spyware logs written: 5009 Attack logs written: 0 Vulnerability logs written: 36 Fileext logs written: 69 URL cache age out count: 1826 URL cache full count: 0 URL cache key exist count: 0 Traffic alarms dropped due to sysd write failures: 0 Traffic alarms dropped due to global rate limiting: 0 Traffic alarms dropped due to each source rate limiting: 0 Traffic alarms generated count: 0 >>>>>>>>>>>>>>>>>>>>>>>> Log Forward count: 0 Log Forward discarded (queue full) count: 0 Log Forward discarded (send error) count: 0 Summary Statistics: Num current drop entries in trsum:0 Num cumulative drop entries in trsum:0 Num current drop entries in thsum:0 Num cumulative drop entries in thsum:0 External Forwarding stats: Type Enqueue Count Send Count Drop Count Queue Depth Send Rate(last 1min) syslog 511369 511368 1 0 0 snmp 0 0 0 0 0 email 0 0 0 0 0 raw 511369 511369 0 0 0 Thanks

HULK · ‎07-24-2014

Hello Infotech, You can create this report under GUI Monitor > Manage Custom Reports. Database- Traffic summary Time Frame: as required Selected columns: Add Source zone ( tunnel zone), Destination zone, (other required parameter want to be displayed in the report) >> Click into "run now" and save it as PDF/CSV/XML. Thanks

HULK · ‎07-24-2014

Hello Infotech, If GP tunnel has assigned a separate security zone, You may run a "custom report". Thanks

HULK · ‎07-24-2014

Hello Dan, It looks like, previously you have posted a similar query on this discussion forum, but still that is not answered. ( Cisco ISE Regex). In this situation, I would request you to consult with your Palo Alto SE for more relevant information. Thanks

HULK · ‎07-24-2014

Example: Note: If the trafic coming from a Private subnets, you may see Ip address in the source address column. Thanks

HULK · ‎07-24-2014

Hello Hartkently, You could check the current throughput of the PAN firewall with below mentioned CLI command: > show system statistics session >>>>>>>>>>>>>>>>>>>> It will show you the current session statistics ( throughput) Device is up : 6 days 5 hours 5 mins 25 sec Packet rate : 52/s Throughput : 302 Kbps >>>>>>>>>>>> Runtime value Total active sessions : 5 Active TCP sessions : 0 Active UDP sessions : 5 Active ICMP sessions : 0 Let me know,if this is what you are looking for. Thanks

HULK · ‎07-23-2014

You may get related information from mentioned link: Product Selection Thanks

HULK · ‎07-23-2014

Hello Slv, For all predefined applications, you need not to have a decryption in place. The Palo Alto should automatically detect the signature and you have to allow it's dependent application. Thanks

HULK · ‎07-23-2014

Palo ALto firewall is having multiple layer of security, if you do not have a valid URL filtering license, you may configure a security policy base on application to block facebook and gtalk traffic. Hope this helps. Thanks

HULK · ‎07-23-2014

Hello Satish, You can block traffic according to Application i.e facebook, gtalk . Thanks

Member Since	‎02-23-2013 04:45 PM
Date Last Visited	‎11-12-2025 02:10 PM
Posts	1,664
Total Likes Received	575

Online Status	Offline
Date Last Visited	‎11-12-2025 02:10 PM

About HULK

Re: IPSec tunnel and virtual desktop

Re: IPSec tunnel and virtual desktop

Re: session_end_reason eq decrypt-error

Re: Clarification around URL Filtering licenses

Re: VPN Palo Alto - Microsoft Azure. Slow transfer. Not reaching internet by this tunnel.

Re: masterd: restart exhausted, rebooting system | Palo Alto's process

Re: Block streaming media for sports only

Re: masterd: restart exhausted, rebooting system | Palo Alto's process

Re: Blocking LinkedIn-Publish A Post

Re: HA Upgrade

Re: Adding ping/icmp as a service, or configure "Application Default" under service

Re: Blocking page for https traffic

Re: tcpdump like packet capture on PA

Re: nslookup on the management port ?

Re: How to import Certificate using CLI?

Re: How to Clear Disk Space/reduce disk usage

Re: How to notice network admin if someone tries to browse certain websites?

Re: How do I enter multiple hosts to the destination field on the CLI

Re: NAT Rules Log / Highlight Unused Rules

Re: Dynamic Update Issue?

Re: traffic logs

Re: LOGS

Re: LOGS

Re: LOGS

Re: traffic logs

Re: traffic logs

Re: Remove access report

Re: Remove access report

Re: Challenge with Cisco ISE (Identity Service Engine) Integration for user-id mapping

Re: Reports

Re: How do you verify the threat prevention throughput?

Re: How do you verify the threat prevention throughput?

Re: App blocking

Re: App blocking

Re: App blocking

Unlock your full community experience!

About HULK