The network.direction attribute always states unknown All other attributes seem to be properly populated. Any help.
PAN 9.0, syslog in BSD format
Can you share the (anonymized) message in event.original for those documents with unknown direction?
Hello, here are two examples. IP addresses are changed, but internal is the 192.168.0.0 network and external is anything else. I have 100% unknown for event direction after two weeks of logs. All rulesets are logged at session end.
This is an allowed outbound session
1,2020/05/19 06:05:50,007051000100090,TRAFFIC,end,2305,2020/05/19 06:05:50,192.168.1.198,163.254.114.38,34.180.18.198,66.254.114.38,General-Web,,,ssl,vsys1,lan,external,ethernet1/2,ethernet1/1,elk,2020/05/19 06:05:50,166967,1,56202,443,10121,443,0x400034,tcp,allow,763,697,66,4,2020/05/19 06:04:20,0,web-advertisements,0,79979,0x0,192.168.0.0-192.168.255.255,United States,0,3,1,threat,0,0,0,0,,firewall,from-policy,,,0,,0,,N/A,0,0,0,0,b1eaeec4-08c9-4296-ae37-9d601a77d3e9,0,0,,,,,,,
This is an inbound deny session
1,2020/05/19 06:19:15,007051000100090,TRAFFIC,drop,2305,2020/05/19 06:19:15,195.54.160.155,53.180.18.198,0.0.0.0,0.0.0.0,firehol-block,,,not-applicable,vsys1,external,lan,ethernet1/1,,elk,2020/05/19 06:19:15,0,1,53192,80,0,0,0x0,tcp,deny,60,60,0,1,2020/05/19 06:19:15,0,any,0,80543,0x0,Russian Federation,United States,0,1,0,policy-deny,0,0,0,0,,firewall,from-policy,,,0,,0,,N/A,0,0,0,0,727bbf4f-4a9d-4c34-b99e-cc96cce114e7,0,0,,,,,,,
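As an added example (not the poster's code and not the Filebeat panw module's own logic), the Python below parses the two traffic lines above and shows how a zone-name-based direction mapping behaves: with zone names it does not recognise (assumed defaults of trust/untrust, which I understand are configurable as internal_zones/external_zones) both lines classify as unknown, while mapping lan/external yields outbound and inbound. An RFC 1918 address fallback is included for comparison, and it shows why zones are the better signal for the deny line.

```python
import csv
import ipaddress

# PAN-OS 9.0 TRAFFIC log field positions (0-based) in the CSV body after the syslog header.
SRC_ADDR, DST_ADDR, SRC_ZONE, DST_ZONE, ACTION = 7, 8, 16, 17, 30

# The two anonymised log lines from the post above, used here as sample input.
SAMPLE_LOGS = [
    "1,2020/05/19 06:05:50,007051000100090,TRAFFIC,end,2305,2020/05/19 06:05:50,192.168.1.198,163.254.114.38,34.180.18.198,66.254.114.38,General-Web,,,ssl,vsys1,lan,external,ethernet1/2,ethernet1/1,elk,2020/05/19 06:05:50,166967,1,56202,443,10121,443,0x400034,tcp,allow,763,697,66,4,2020/05/19 06:04:20,0,web-advertisements,0,79979,0x0,192.168.0.0-192.168.255.255,United States,0,3,1,threat,0,0,0,0,,firewall,from-policy,,,0,,0,,N/A,0,0,0,0,b1eaeec4-08c9-4296-ae37-9d601a77d3e9,0,0,,,,,,,",
    "1,2020/05/19 06:19:15,007051000100090,TRAFFIC,drop,2305,2020/05/19 06:19:15,195.54.160.155,53.180.18.198,0.0.0.0,0.0.0.0,firehol-block,,,not-applicable,vsys1,external,lan,ethernet1/1,,elk,2020/05/19 06:19:15,0,1,53192,80,0,0,0x0,tcp,deny,60,60,0,1,2020/05/19 06:19:15,0,any,0,80543,0x0,Russian Federation,United States,0,1,0,policy-deny,0,0,0,0,,firewall,from-policy,,,0,,0,,N/A,0,0,0,0,727bbf4f-4a9d-4c34-b99e-cc96cce114e7,0,0,,,,,,,",
]


def parse_traffic(line):
    """Split one PAN-OS CSV traffic log into its fields (quoted commas handled by csv)."""
    return next(csv.reader([line]))


def direction_from_zones(fields, internal_zones, external_zones):
    """Zone-name mapping to an ECS network.direction value; unknown when a zone is unmapped."""
    src_int, dst_int = fields[SRC_ZONE] in internal_zones, fields[DST_ZONE] in internal_zones
    src_ext, dst_ext = fields[SRC_ZONE] in external_zones, fields[DST_ZONE] in external_zones
    if src_int and dst_ext:
        return "outbound"
    if src_ext and dst_int:
        return "inbound"
    if src_int and dst_int:
        return "internal"
    if src_ext and dst_ext:
        return "external"
    return "unknown"


def direction_from_addresses(fields):
    """Fallback using RFC 1918 addressing only. Caveat: an inbound hit on the firewall's
    public address (as in the deny line) has no private side, so it reads as external."""
    src = ipaddress.ip_address(fields[SRC_ADDR]).is_private
    dst = ipaddress.ip_address(fields[DST_ADDR]).is_private
    return {(True, False): "outbound", (False, True): "inbound",
            (True, True): "internal", (False, False): "external"}[(src, dst)]


def classify(line, internal_zones=("trust",), external_zones=("untrust",)):
    """Return (zone-based direction, address-based direction) for one log line.
    The trust/untrust defaults are an assumption standing in for unconfigured zone names."""
    fields = parse_traffic(line)
    return direction_from_zones(fields, internal_zones, external_zones), direction_from_addresses(fields)


if __name__ == "__main__":
    for log in SAMPLE_LOGS:
        f = parse_traffic(log)
        print(f[ACTION], f[SRC_ZONE], "->", f[DST_ZONE], classify(log), classify(log, ("lan",), ("external",)))
```

Running it prints unknown for both lines under the default zone names and outbound/inbound once lan and external are mapped, which is the check to make against the module's zone settings.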