Saucepan

User Tools

Site Tools

Trace: firewall-hardware bad_session_end zone_protection url_override response_pages master_key qos useful_security_policies edl set_configuration
paloaltonetworks:logs:bad_session_end

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
paloaltonetworks:logs:bad_session_end [2020/05/18 15:21] bstaffordpaloaltonetworks:logs:bad_session_end [2022/11/23 12:49] (current) – external edit 127.0.0.1
Line 1: Line 1:
 ====== Application Logs on Bad Session End ====== ====== Application Logs on Bad Session End ======
  
-===== Incomplete =====+===== incomplete =====
 Incomplete means that either the three-way TCP handshake did not complete or the three-way TCP handshake did complete but there was no data after the handshake to identify the application. In other words that traffic being seen is not really an application. Incomplete means that either the three-way TCP handshake did not complete or the three-way TCP handshake did complete but there was no data after the handshake to identify the application. In other words that traffic being seen is not really an application.
    
 For example, if a client sends a server a syn and the Palo Alto Networks device creates a session for that syn, but the server never sends a SYN ACK back to the client, then that session is incomplete. For example, if a client sends a server a syn and the Palo Alto Networks device creates a session for that syn, but the server never sends a SYN ACK back to the client, then that session is incomplete.
    
-===== Insufficient Data =====+===== insufficient data =====
 Insufficient data means not enough data to identify the application. So for example, if the three-way TCP handshake completed and there was one data packet after the handshake but that one data packet was not enough to match any of our signatures, then user will see insufficient data in the application field of the traffic log. Insufficient data means not enough data to identify the application. So for example, if the three-way TCP handshake completed and there was one data packet after the handshake but that one data packet was not enough to match any of our signatures, then user will see insufficient data in the application field of the traffic log.
    
Line 18: Line 18:
 Unknown-p2p matches generic P2P heuristics. Unknown-p2p matches generic P2P heuristics.
    
-===== Not-applicable =====+===== not-applicable =====
 Not-applicable means that the Palo Alto device has received data that will be discarded because the port or service that the traffic is coming in on is not allowed, or there is no rule or policy allowing that port or service. Not-applicable means that the Palo Alto device has received data that will be discarded because the port or service that the traffic is coming in on is not allowed, or there is no rule or policy allowing that port or service.
 For example, if there was only one rule on the Palo Alto device and that rule allowed the application of web-browsing only on port/service 80, and traffic (web-browsing or any other application) is sent to the Palo Alto device on any other port/service besides 80, then the traffic is discarded or dropped and you'll see sessions with "not-applicable" in the application field. For example, if there was only one rule on the Palo Alto device and that rule allowed the application of web-browsing only on port/service 80, and traffic (web-browsing or any other application) is sent to the Palo Alto device on any other port/service besides 80, then the traffic is discarded or dropped and you'll see sessions with "not-applicable" in the application field.
paloaltonetworks/logs/bad_session_end.1589815272.txt.gz · Last modified: (external edit)