The 6-tuple — not 5
Every networking textbook teaches you the "5-tuple": source IP, source port, destination IP, destination port, protocol. Palo Alto adds a sixth — ingress zone. This is why the same source / destination IPs entering via two different zones get two separate sessions, and why flow_fwd_zonechange (from Blog 15) fires on asymmetric routing — an existing session sees a packet arriving via a different zone and panics.
Sneha at Infosys learns this the hard way during an A/A HA cutover: the firewall sees zone trust for the SYN, zone trust-b (peer interface) for the SYN-ACK. Two sessions get created; one of them ages out lonely; the user sees an intermittent app. The 6-tuple is the firewall trying to protect you from stateful-inspection confusion.
When a packet's 6-tuple doesn't match any existing session, the firewall slowpaths it: zone lookup, FIB lookup, NAT match, policy match, App-ID start. Then it allocates a session-ID (a slot in the hardware session table) and stamps the c2s + s2c sub-flows. Every later packet for the same 6-tuple takes the fastpath — straight into hardware, no policy lookup.
① The session state machine — animated
PAN-OS sessions cycle through up to 7 states. Pick a scenario, press Play, watch how each state transitions.
▶ Session state machine — TCP happy path
Rahul at TCS opens an SSH session. Watch the firewall create, sustain, and clean up the state.
state: INIT — Session slot allocated by the dataplane. No packets exchanged yet. Stable for milliseconds while the firewall waits for the first real payload.
state: OPENING — TCP SYN seen. Aggressive half-open timer (typically 5 s) protects against SYN-floods. If SYN-ACK doesn't arrive in time, slot is freed.
state: ACTIVE — TCP 3-way handshake complete. Bidirectional traffic flowing. App-ID identifies the app over the first few packets. Most sessions live here for their entire life.
state: CLOSING — FIN/RST seen, or TCP idle timer hit. The 15-second time-wait timer starts; new packets matching the 6-tuple in this window may still match the session.
state: CLOSED — Removed from the active session lookup table. Slot returned to the pool. Session-end-reason recorded in the Traffic log.
The DISCARD branch — what happens when policy denies
When a packet's first SYN matches a deny rule, the firewall still creates a session — but in state DISCARD. The dataplane drops the packet AND remembers the 6-tuple so subsequent packets get dropped at fastpath instead of slowpath (saving CPU). The DISCARD session keeps refreshing its timer as long as packets keep arriving. If a noisy app retries 50 times a minute, the DISCARD session lives forever.
A common production puzzle: SIP traffic gets denied at policy. The DISCARD session stays alive for hours because the SIP client retries continuously. Fix: clear session id <N> manually, OR set set deviceconfig setting session no-refresh-on-discard yes (PAN-OS 10.2+, requires commit + reboot). "Rematch Sessions" doesn't help — it only rematches ALLOW state.
Priya at HCL sees a long-running TCP session in state ACTIVE with c2s bytes = 0 and s2c bytes = 0 for the last 200 seconds. The session is still in ACTIVE, not CLOSING. Why?
ssh default 3600 s often raised to 28800 s).② Hardware offload — why some sessions fly
PAN-OS uses Single Pass Parallel Processing (SP3). After App-ID + Content-ID finish on the first few packets of a session, the firewall can offload the rest of the flow to dedicated hardware (the FE-card or Flow Engine on PA-series). Offloaded flows skip the Dataplane entirely on subsequent packets. That's how a PA-5450 can do 100+ Gbps.
But offload has rules. If the firewall has to keep inspecting payload (decryption ON, threat-profile actively scanning, decompress), it CAN'T offload. Karthik at Flipkart hit 95% Dataplane CPU during a backup window — root cause was SSL decryption on a 12 Gbps flow preventing offload.
▶ Will this session offload?
Pick a scenario. Press Play to walk through the decision tree.
set session offload no disables hardware offload globally. It's a debug-only command — without offload, every packet hits the Dataplane and your throughput craters. Use it only when you NEED packet-diag to capture every packet in a flow (offloaded packets don't get captured at every stage). Always re-enable: set session offload yes immediately after the capture.
Aditya at Wipro runs show session id 84219 and sees layer7 processing: completed, offloaded: yes. He's tuning a problem with this session. He enables set session offload no. What happens next?
③ Predict sessions — how ALG opens pinholes without writing rules
Some protocols negotiate a data channel separately from the control channel. Active-mode FTP is the canonical example: client tells server "I'm listening on port 5099", server connects BACK to client:5099. The firewall can't know to allow port 5099 from a policy lookup — it has to PEEK at the FTP control channel, learn the dynamic port, and pre-install a predict session.
▶ FTP active-mode — predict session walkthrough
Sneha downloads via FTP. Watch the firewall watch the control channel, then pre-install a session for the data channel.
type: PREDICT, 5-tuple = 203.0.113.50:20 → 10.10.10.5:5099. Visible in show session all filter type predict.
Server → client data channel. Predict opens server:20 → client:high-port. Most common case where ALG is needed because no policy could anticipate the port.
Client → server:high-port. ALG learns from PASV response, predicts client → server-port pair. Modern firewalls handle this transparently.
SIP signalling on 5060. RTP/RTCP media negotiated via SDP. ALG opens UDP pinholes for the RTP port pair. Predict ages out fast if call doesn't connect.
Streaming media + H.323 video. ALG parses the setup, opens UDP media pinholes. CCTV systems commonly hit this — needs ALG enabled or video breaks.
Rahul allows FTP through a strict policy and blocks all TCP >1024. Active-mode FTP works perfectly. How?
④ show session id <N> — every field decoded
The single most important troubleshooting command on the firewall. Run it on the session in question and it tells you everything. Below is annotated output for a real allowed HTTPS session.
show session id 84219
Session 84219 ← session-id (slot in hardware table)
c2s flow:
source: 10.10.10.5 [trust-lan] ← original client (pre-NAT)
dst: 142.250.182.46 ← original destination (pre-NAT)
proto: 6 ← TCP
sport: 51234 dport: 443 ← original ports
state: ACTIVE type: FLOW
src user: rahul.tcs ← User-ID mapping
dst user: unknown
s2c flow:
source: 142.250.182.46 [untrust]
dst: 203.0.113.5 ← post-NAT (firewall's public IP)
proto: 6
sport: 443 dport: 62117 ← post-NAT translated port
state: ACTIVE type: FLOW
src user: unknown
dst user: rahul.tcs
start time : Mon May 25 11:47:22 2026
timeout : 3600 sec ← idle timer
time to live : 1842 sec ← seconds until ageout
total byte count(c2s) : 14,328 ← bytes client → server
total byte count(s2c) : 188,420 ← bytes server → client (healthy 2-way flow)
layer7 packet count(c2s): 18
layer7 packet count(s2c): 142
vsys : vsys1
application : ssl ← App-ID identified
rule : Allow-Web-Out ← matched security rule
session to be logged at end: True
layer7 processing : completed ← App-ID done; eligible for offload
URL category : computer-and-internet-info
session in session ager : True
offloaded : yes ← hardware offload active
address/port translation: source ← Source NAT applied
nat-rule : SNAT-Outbound (vsys1)
layer7 processing : completed
URL filtering : disabled
session synced from HA peer: False
end-reason : (live, no end yet)
tracker stage l7proc : appid-completed
Reading the output: healthy two-way byte counts, App-ID identified, offloaded, NAT applied as expected, matched the right rule. Time to live is 1842s of 3600s — half the timeout remaining. If you saw total byte count(s2c) = 0 with non-zero c2s, you'd immediately suspect a return-path issue (Blog 15 territory).
| Protocol / Application | Default Timeout (PAN-OS 11.x) | Where to change |
|---|---|---|
| TCP (generic established) | 3600 s | Device → Setup → Session → Session Timeouts |
| TCP half-closed | 120 s | Same |
| TCP time-wait | 15 s | Same |
| UDP | 30 s | Same |
| ICMP | 6 s | Same |
| DISCARD-TCP | 90 s | Same |
| DISCARD-UDP | 60 s | Same |
| Per-app (ssh, ftp, citrix-ica, sap, etc.) | Overrides global | Objects → Applications → <app> → Timeouts |
tracker stage l7proc is the field most engineers ignore. It tells you the precise reason a session is what it is. Values like appid-policy-lookup-deny (policy denied during app-id), tcp-rst-from-client (client RST'd), aged-out, tcp-reuse (client reused the 4-tuple before old session closed), or l7-processing-aged-out (App-ID never completed). When in doubt, read tracker stage first.
Karthik at Flipkart runs show session id 7423 and sees layer7 processing: enabled, offloaded: no, App-ID = ssl-decrypt. He's wondering why his PA-3220 CPU is high. What's the most likely connection?
Debug flow basic — the deepest tool
When show session id isn't enough, drop into debug dataplane packet-diag set log feature flow basic. It writes detailed per-packet decisions to mp-log pan_packet_diag.log. Three stages of interest: slowpath (zone/route/policy/NAT lookup), firewall (session install + App-ID gating), forward (egress + ARP).
debug dataplane packet-diag set filter match source 10.10.10.5 debug dataplane packet-diag set filter on debug dataplane packet-diag set log feature flow basic debug dataplane packet-diag set log on ! ... reproduce the issue (one or two attempts) ... debug dataplane packet-diag set log off less mp-log pan_packet_diag.log
An unfiltered flow basic on a busy firewall fills mp-log within seconds and can stall the management plane. Set a tight filter (source + dest) BEFORE enabling the log. Also: turn it off promptly. Schedule a reminder.
🤖 Ask the AI Tutor
Tap any question — instant answer.
Answers drawn from PAN-OS docs + Live Community real threads.
📝 Wrap-up — six more
4 inline done. 6 left. 70% (7/10) marks the lesson complete.
📚 Sources
- Palo Alto KB — Session Overview. knowledgebase.paloaltonetworks.com
- Palo Alto KB — How to View Active Session Information Using the CLI. knowledgebase.paloaltonetworks.com
- Palo Alto KB — Session Tracker Feature. knowledgebase.paloaltonetworks.com
- PAN-OS 11.1 Admin Guide — Disable Hardware Offload. docs.paloaltonetworks.com
- PAN-OS Networking — Configure Session Timeouts. docs.paloaltonetworks.com
- PAN-OS Admin — Application Level Gateways (ALG). docs.paloaltonetworks.com
- LIVECommunity — Packet flow for Hardware Offload (thread 132273). live.paloaltonetworks.com
- LIVECommunity — Tips & Tricks: Flow Basic Debugging. live.paloaltonetworks.com
What's next?
You can now read sessions like a native speaker. Next blog teaches the deepest debug surface: PCAP across packet-diag stages (RX / DROP / FW / TX) — the visual proof of which exact dataplane layer killed a packet.