01-08-2018 06:44 AM - edited 02-21-2020 07:05 AM
Hello Experts,
Can anyone please explain to me what "Deleting session" and "New session" mean in the logs below from a Sourcefire appliance? Though the rules are allowed on the firewall, only one-way traffic is seen; I cannot see bi-directional traffic. Does it have something to do with the "Deleting session" line at the bottom of my logs?
Appreciate any quick response.
10.10.10.10-60494 > 20.20.20.20-4353 6 AS 1 I 16 New session
10.10.10.10-60494 > 20.20.20.20-4353 6 AS 1 I 16 Starting with minimum 0, id 0 and SrcZone first with zones 10 -> 5, geo 0 -> 0, vlan 0, sgt tag: untagged, svc 0, payload 0, client 0, misc 0, user 9999997, icmpType 0, icmpCode 0
10.10.10.10-60494 > 20.20.20.20-4353 6 AS 1 I 16 match rule order 1, 'Log All Connections', action Audit
10.10.10.10-60494 > 20.20.20.20-4353 6 AS 1 I 16 match rule order 34, 'companyA-companyB', action Allow
10.10.10.10-60494 > 20.20.20.20-4353 6 AS 1 I 16 allow action
10.10.10.10-50019 > 30.30.30.30-4353 6 AS 1 I 7 New session
10.10.10.10-50019 > 30.30.30.30-4353 6 AS 1 I 7 Starting with minimum 0, id 0 and SrcZone first with zones 10 -> 5, geo 0 -> 0, vlan 0, sgt tag: untagged, svc 0, payload 0, client 0, misc 0, user 9999997, icmpType 0, icmpCode 0
10.10.10.10-50019 > 30.30.30.30-4353 6 AS 1 I 7 match rule order 1, 'Log All Connections', action Audit
10.10.10.10-50019 > 30.30.30.30-4353 6 AS 1 I 7 match rule order 34, 'companyA-companyB', action Allow
10.10.10.10-50019 > 30.30.30.30-4353 6 AS 1 I 7 allow action
10.10.10.10-58072 > 20.20.20.20-4353 6 AS 1 I 16 Deleting session
10.10.10.10-58085 > 20.20.20.20-4353 6 AS 1 I 16 Deleting session
10.10.10.10-50040 > 30.30.30.30-4353 6 AS 1 I 7 New session
Thanks
Sam
01-09-2018 05:49 AM
Hello experts,
Can anyone please help me with the above post? Appreciate any quick response.
01-09-2018 06:22 AM
Hi Sam,
As per my understanding, the new session is the traffic allowed on this session:
10.10.10.10-50019 > 30.30.30.30-4353 6 AS 1 I 7 match rule order 34, 'companyA-companyB', action Allow
10.10.10.10-50019 > 30.30.30.30-4353 6 AS 1 I 7 allow action
Same scenario for the traffic allowed on this new session:
10.10.10.10-60494 > 20.20.20.20-4353 6 AS 1 I 16 match rule order 34, 'companyA-companyB', action Allow
10.10.10.10-60494 > 20.20.20.20-4353 6 AS 1 I 16 allow action
10.10.10.10-60494 > 20.20.20.20-4353 6 AS 1 I 16 New session
The delete session means the traffic expires from the earlier session allowed for the same traffic.
Can you please verify from the logs whether the old allowed session has also been deleted after some time?
Thank you,
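To run the check asked for in the reply above (whether each allowed session is later deleted), the debug lines can be grouped per connection. This is an added example, not part of the original thread or of any Cisco tooling; the sample is built from the log lines posted in the question, and reading the field after the destination port as the IP protocol number is an assumption.

```python
import re

# Constructed sample: lines taken from the log excerpt posted in the question.
SAMPLE = """\
10.10.10.10-60494 > 20.20.20.20-4353 6 AS 1 I 16 New session
10.10.10.10-60494 > 20.20.20.20-4353 6 AS 1 I 16 match rule order 34, 'companyA-companyB', action Allow
10.10.10.10-60494 > 20.20.20.20-4353 6 AS 1 I 16 allow action
10.10.10.10-50019 > 30.30.30.30-4353 6 AS 1 I 7 New session
10.10.10.10-50019 > 30.30.30.30-4353 6 AS 1 I 7 match rule order 34, 'companyA-companyB', action Allow
10.10.10.10-50019 > 30.30.30.30-4353 6 AS 1 I 7 allow action
10.10.10.10-58072 > 20.20.20.20-4353 6 AS 1 I 16 Deleting session
10.10.10.10-58085 > 20.20.20.20-4353 6 AS 1 I 16 Deleting session
10.10.10.10-50040 > 30.30.30.30-4353 6 AS 1 I 7 New session
"""

# <src>-<sport> > <dst>-<dport> <proto> AS <n> I <n> <message>
# proto is assumed to be the IP protocol number (6 = TCP).
LINE = re.compile(
    r"^(?P<src>\S+)-(?P<sport>\d+) > (?P<dst>\S+)-(?P<dport>\d+) "
    r"(?P<proto>\d+) AS \d+ I \d+ (?P<msg>.*)$"
)
RULE = re.compile(r"match rule order (\d+), '([^']*)', action (\w+)")

def summarize(text):
    """Group debug lines per connection and record its lifecycle events."""
    flows = {}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip anything that is not a per-connection debug line
        key = (m["src"], int(m["sport"]), m["dst"], int(m["dport"]), int(m["proto"]))
        f = flows.setdefault(key, {"new": False, "deleted": False, "rules": []})
        msg = m["msg"]
        if msg == "New session":
            f["new"] = True
        elif msg == "Deleting session":
            f["deleted"] = True
        elif (rule := RULE.search(msg)):
            f["rules"].append((int(rule[1]), rule[2], rule[3]))
    return flows

def classify(f):
    """Label a connection by which lifecycle lines the capture contains."""
    if f["new"]:
        return "complete" if f["deleted"] else "still open"
    return "setup not captured" if f["deleted"] else "partial"

if __name__ == "__main__":
    for key, f in summarize(SAMPLE).items():
        print(key, classify(f), f["rules"])
```

In the posted excerpt the two "Deleting session" lines carry source ports 58072 and 58085, for which the capture contains no "New session" line.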