Palo Alto Firewall Traffic Logs Key Concepts

CyberBruhArmy
4 min read, Apr 26, 2024


Troubleshooting Traffic-Related Issues

The more accurately you understand the following topics, the more effectively you will resolve the broad range of traffic-related issues you may encounter: what data the firewall’s Traffic logging function captures (and does not capture), and how log entries and their data are generated.

Session Logs

Traffic logs on a Palo Alto Networks firewall are perhaps best described as “session logs.” The screenshots below are the CLI “show session id” results and the Traffic log details view.

Traffic Log Data

The data in each Traffic log entry is derived from the session-table information the firewall uses to define and manage two-way communication between a client (initiator) and a server (responder).

CLI View of Active Sessions

Session Browser View of Active-Session Details

Session Setup Process

Think of a Traffic log as a “data dump” from one of two sources: initial session data that is generated by the session-setup process and updated session-table data generated by application shifts and policy rematches.

The session-setup process calculates an action (deny or allow) based on the applicable Security policy rule.


💡 If the session-setup process calculates a “deny” action based on the applicable Security policy rule, a session-table entry is NOT created. However, the firewall will generate a Traffic log entry of the type “drop” for the denied session, but only if the matching Security policy rule is configured to generate logs. “Drop” type Traffic logs will always show a Session ID of 0.

💡 The top image shows that Traffic logs are filtered for “drop” type logs. The bottom image shows the Detailed Log View with session ID.

💡 If the session-setup process initially calculates an “allow” action, the firewall populates a session-table entry with the session-initiation data that the firewall extracted from the first packet of a connection attempt as well as other information, such as the ingress and egress zones and matched NAT and Security policy rules.

💡 The top image shows the Session Browser view of session-table entries. The bottom image shows the Traffic logs view of similar traffic showing “end” type logs with “allow” as the action for the matching Security policy rule.

💡 The initial session-table data predicts and helps to track return traffic and to match session-profile information to policy rules. The firewall will update certain session data as the session progresses.
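As an added example (not code from the original post or from Palo Alto Networks), the parser below applies the rule just described to constructed log lines: a “drop” log comes from a denied session that never got a session-table entry, so its Session ID must be 0, while “start”/“end” logs carry the real session ID. The column layout is a constructed, simplified one for this example, not the PAN-OS syslog field order; the rule names and addresses are also made up.

```python
import csv
from collections import Counter
from io import StringIO

# Constructed, simplified column layout for this example only
# (NOT the real PAN-OS Traffic log syslog field order).
FIELDS = ["type", "subtype", "src", "dst", "rule", "session_id", "action"]

# Constructed sample lines in that layout (addresses from RFC 5737 ranges).
SAMPLE_LOGS = """\
TRAFFIC,end,10.1.1.5,203.0.113.10,allow-web,4721,allow
TRAFFIC,drop,10.1.1.7,203.0.113.20,deny-all,0,deny
TRAFFIC,end,10.1.1.5,203.0.113.10,allow-web,4721,allow
THREAT,vulnerability,10.1.1.8,203.0.113.40,allow-web,4723,alert
TRAFFIC,drop,10.1.1.9,198.51.100.5,deny-all,0,deny
TRAFFIC,start,10.1.1.6,203.0.113.30,allow-dns,4725,allow
"""


def parse_traffic_logs(text):
    """Parse CSV lines into dicts, keeping only Traffic logs."""
    rows = []
    for rec in csv.DictReader(StringIO(text), fieldnames=FIELDS):
        if rec["type"] != "TRAFFIC":
            continue  # only Traffic logs are session logs
        rec["session_id"] = int(rec["session_id"])
        rows.append(rec)
    return rows


def summarize(rows):
    """Separate logged sessions from denied connection attempts.

    A 'drop' log means session setup calculated 'deny' and created no
    session-table entry, so its Session ID is 0.  'start'/'end' logs are
    dumps of real session-table entries and carry a non-zero Session ID.
    """
    sessions = {r["session_id"] for r in rows if r["subtype"] != "drop"}
    denied_by_rule = Counter(r["rule"] for r in rows if r["subtype"] == "drop")
    # A 'drop' log with a non-zero ID, or a session log with ID 0, breaks the
    # model above; flag it so the export or field mapping gets checked.
    inconsistent = [r for r in rows
                    if (r["subtype"] == "drop") != (r["session_id"] == 0)]
    return {"sessions": sessions, "denied_by_rule": denied_by_rule,
            "inconsistent": inconsistent}
```

Two “end” lines with the same Session ID collapse into one session, which is the behaviour to expect from a session log.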

Traffic Log Considerations

This section discusses several topics that you should keep in mind when evaluating and troubleshooting with Traffic log data.

Traffic Logs are Data-Plane Logs

Management-plane traffic that you have mapped internally via one or more service routes within the firewall will appear in the Traffic logs if other configuration dependencies are met.

However, traffic to and from the physical management (MGT) port will never appear in the Traffic logs unless the MGT port is physically connected back to a data plane port on the firewall either (a) directly via a patch cable or (b) indirectly via one or more switches and routers (real or virtual).

The image shows a custom service-route configuration from Device > Setup > Services tab.
