PaloAlto - Examining the Session Table


If a network connection failure is not found in the traffic log, the session table can be asked for sessions in DISCARD state, filtered based on its source, or whatever. This is useful at the console because the session browser in the WEBGUI does not store the filter options.

All commands start with “show session all filter …”

For example:

#show session all filter state discard
#show session all filter application dns destination
#show session all filter from trust to untrust application ssl state active

To see whether there are some “predict” sessions in which the Palo Alto uses a ALG (appliation layer gateway) to predict dynamic ports (e.g., SIP, active FTP), use this command:

#show session all filter type predict

A specific session can then be cleared with:

#clear session id <value>