R33NET BLOG Rotating Header Image

SSL

PaloAlto: PAN-OS 8.0 Session End Reason

PaloAlto zeigt in PAN-OS 8 die Informationen an warum eine Verbindung beendet wurde. Mir ist es bei der aktuellen Version 8 aufgefallen. Laut Dokumentation steht dieses Feature bereits seit PAN-OS 7.1 zur Verfügung. Wenn Ihr auf der Palo die SSL/TLS decryption macht um den Traffic nach Schadcode untersuchen zu können bekommt ihr jetzt genauere Informationen warum eine Verbindung nicht entschlüsselt werden kann.

decrypt-cert-validation wenn ein Serverzertifikat ausgelaufen, nicht vertrauenswürdig ist
decrypt-unsupport-param bei nicht unterstützten Protokoll Versionen, Cipher oder SSH Algorithmen
decrypt-error bei allen anderen Fehlern

Hier die komplette Liste (Nach Priorität sortiert) der Session End Reason. Sollte eine Verbindung aus mehreren Gründen beendet werden wird immer der höchst priorisierte Grund angezeigt.

threat

The firewall detected a threat associated with a reset, drop, or block (IP address) action.

policy-deny

The session matched a security rule with a deny or drop action.

decrypt-cert-validation

The session terminated because you configured the firewall to block SSL forward proxy decryption or SSL inbound inspection when the session uses client authentication or when the session uses a server certificate with any of the following conditions: expired, untrusted issuer, unknown status, or status verification time-out. This session end reason also displays when the server certificate produces a fatal error alert of type bad_certificate, unsupported_certificate, certificate_revoked, access_denied, or no_certificate_RESERVED (SSLv3 only).

decrypt-unsupport-param

The session terminated because you configured the firewall to block SSL forward proxy decryption or SSL inbound inspection when the session uses an unsupported protocol version, cipher, or SSH algorithm. This session end reason is displays when the session produces a fatal error alert of type unsupported_extension, unexpected_message, or handshake_failure.

decrypt-error

The session terminated because you configured the firewall to block SSL forward proxy decryption or SSL inbound inspection when firewall resources or the hardware security module (HSM) were unavailable. This session end reason is also displayed when you configured the firewall to block SSL traffic that has SSH errors or that produced any fatal error alert other than those listed for the decrypt-cert-validation and decrypt-unsupport-param end reasons.

tcp-rst-from-client

The client sent a TCP reset to the server.

tcp-rst-from-server

The server sent a TCP reset to the client.

resources-unavailable

The session dropped because of a system resource limitation. For example, the session could have exceeded the number of out-of-order packets allowed per flow or the global out-of-order packet queue.

tcp-fin

One host or both hosts in the connection sent a TCP FIN message to close the session.

tcp-reuse

A session is reused and the firewall closes the previous session.

decoder

The decoder detects a new connection within the protocol (such as HTTP-Proxy) and ends the previous connection.

aged-out

The session aged out.

Unknown

This value applies in the following situations:

-Session terminations that the preceding reasons do not cover (for example, a clear session all command)

-For logs generated in a PAN-OS release that does not support the session end reason field (releases older than PAN-OS 6.1), the value will be unknown after an upgrade to the current PAN-OS release or after the logs are loaded onto the firewall.

-In Panorama, logs received from firewalls for which the PAN-OS version does not support session end reasons will have a value of unknown

n/a

This value applies when the traffic log type is not end

PaloAlto Dokumentation PAN-OS 8: syslog field descriptions