
[PaloAlto] Firewall Monitor Log Analysis - Traffic Session End Reason (Meaning of Firewall Session Logs)

starterr 2025. 5. 16. 13:52

 

1. Overview

 

The "Session End Reason" field in Palo Alto firewall traffic logs indicates why a network session terminated.

 

Common reasons include tcp-fin, tcp-rst-from-client, tcp-rst-from-server, aged-out, resources-unavailable, and threat. 

 

Understanding these reasons helps in troubleshooting network connectivity and identifying potential security issues. 

 
 

2. Types and Meanings

 

Here's a breakdown of common session end reasons:

 

  • tcp-fin
    Both hosts in the connection sent a TCP FIN message to close the connection gracefully. 
     
  • tcp-rst-from-client or tcp-rst-from-server
    A TCP reset was sent by the client or server to abruptly close the connection, often due to an error or the application's termination. 
     
  • aged-out
    The session was terminated due to inactivity or a set time limit. 
    This is normal for UDP traffic like DNS. 
     
  • resources-unavailable
    The session was dropped because of insufficient system resources, like exceeding the number of out-of-order packets allowed. 
     
  • threat
    A threat was detected during the session, such as file blocking or URL filtering, triggering the session to end. 
     
  • decoder
    The decoder detected a new connection within a protocol like HTTP-Proxy, ending the previous connection. 
     
  • unknown
    The session termination reason couldn't be classified by the firewall. 
     
  • N/A
    Indicates the log type is not "end", meaning the session was not terminated. 
    This can happen if the log subtype is not set to "End" or if a session ends without a normal TCP close. 
     
     
     

3. Troubleshooting

 
 
Troubleshooting Tips:
  • Check Log SubType
    Ensure the "Log SubType" filter is set to "End" when looking for session end reasons. 
     
  • Use show session id
    View detailed information about a specific session using the show session id <session_id> command. 
     
  • Analyze PCAPs
    Capture packet traces to see the actual packets exchanged and identify the reason for session termination. 
     
  • Review Threat Logs
    If the reason is "threat," investigate corresponding threat logs to understand the trigger. 
     
  • Examine Network Configuration
    Check network settings and policies to ensure proper handling of TCP resets and session timeouts. 
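
The tips above applied to an exported traffic log, as an added example that is not part of the original post: it keeps only "end" subtype rows, tallies the session end reasons, and attaches the follow-up this page suggests for each. The CSV column names, the sample rows, and the rule that only non-UDP aged-out sessions are surfaced are assumptions of this example.

```python
import csv
import io
from collections import Counter

# Constructed sample rows; the column names are assumptions for this example,
# not a guaranteed PAN-OS export layout.
SAMPLE_CSV = """subtype,src,dst,dport,proto,app,session_end_reason
end,10.0.0.5,192.0.2.10,443,tcp,ssl,tcp-fin
end,10.0.0.5,192.0.2.53,53,udp,dns,aged-out
end,10.0.0.7,198.51.100.20,80,tcp,web-browsing,threat
start,10.0.0.8,192.0.2.10,443,tcp,ssl,n/a
end,10.0.0.9,203.0.113.4,22,tcp,ssh,tcp-rst-from-server
end,10.0.0.9,203.0.113.4,8443,tcp,ssl,aged-out
end,10.0.0.6,192.0.2.77,445,tcp,ms-ds-smb,resources-unavailable
"""

# Follow-up per reason, taken from the troubleshooting tips on this page.
FOLLOW_UP = {
    "threat": "review the matching threat log entry",
    "resources-unavailable": "check firewall resource usage",
    "tcp-rst-from-client": "capture packets to see why the client reset",
    "tcp-rst-from-server": "capture packets to see why the server reset",
    "unknown": "capture packets to identify the cause",
}

def triage(csv_text):
    """Return (Counter of end reasons, [(row, action)]) for 'end' logs only."""
    counts, findings = Counter(), []
    for row in csv.DictReader(io.StringIO(csv_text)):
        # Rows whose subtype is not 'end' carry no usable end reason (N/A).
        if row["subtype"].strip().lower() != "end":
            continue
        reason = row["session_end_reason"].strip().lower()
        counts[reason] += 1
        if reason in FOLLOW_UP:
            findings.append((row, FOLLOW_UP[reason]))
        elif reason == "aged-out" and row["proto"].lower() != "udp":
            # Assumption of this example: aged-out is routine for UDP,
            # so only non-UDP timeouts are surfaced for a timeout review.
            findings.append((row, "check session timeout settings"))
    return counts, findings

if __name__ == "__main__":
    counts, findings = triage(SAMPLE_CSV)
    for reason, n in counts.most_common():
        print(f"{n:3d}  {reason}")
    for row, action in findings:
        print(f"{row['src']} -> {row['dst']}:{row['dport']} [{row['session_end_reason']}] {action}")
```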

 


 
