Wednesday, September 10, 2025

Advanced Debug Troubleshooting of a Palo Alto Firewall - Packet Filter

 

Advanced debug troubleshooting of a Palo Alto firewall covers three tools:

1. Global Counters

2. Packet Filter & Capture

3. Flow Basic


Packet Filter & Capture

----------

Start from a clean state, then define the filters. The filter marks sessions; only packets of sessions that match a filter are captured, so sessions that already existed before the filter was enabled are not seen unless you clear the marked sessions or start a new connection for the test.

> debug dataplane packet-diag clear all
> debug dataplane packet-diag clear filter-marked-session all

Index 1 matches the client-to-server direction, index 2 the return direction (server source port 80 back to the client). Without the second filter the capture is one-sided. If the flow is NATed, the return filter must use the post-NAT addresses as the firewall sees them on the server side.

> debug dataplane packet-diag set filter index 1 match source <client-ip> destination <server-ip> destination-port 80 protocol 6
> debug dataplane packet-diag set filter index 2 match source <server-ip> destination <client-ip> source-port 80 protocol 6
> debug dataplane packet-diag set filter on
> debug dataplane packet-diag show setting

Then attach a file to each capture stage. Packets are written at four points: receive (ingress interface), firewall (after policy and session lookup), transmit (egress interface) and drop (packets the dataplane discarded, with the drop reason available through the counters).

> debug dataplane packet-diag set capture stage drop file dp.pcap
> debug dataplane packet-diag set capture stage firewall file fw.pcap
> debug dataplane packet-diag set capture stage transmit file tx.pcap
> debug dataplane packet-diag set capture stage receive file rx.pcap
> debug dataplane packet-diag set capture on
> debug dataplane packet-diag show setting

The same settings are visible in the GUI under Monitor > Packet Capture.
Now initiate the test traffic from the source to the destination, and stop the capture as soon as the traffic has been generated; leaving filters and captures enabled costs dataplane resources.

> debug dataplane packet-diag set capture off
> debug dataplane packet-diag set filter off

View a capture on the CLI:

> view-pcap filter-pcap fw.pcap

or download it from the GUI (Monitor > Packet Capture) and open it with Wireshark. A flow that appears in rx.pcap but never in tx.pcap was not forwarded; dp.pcap should then contain it, and the global counters give the drop reason.




To capture a .pcap file on a Palo Alto firewall, you can use the web interface (Monitor > Packet Capture) or the CLI. Because packet captures consume dataplane resources, define narrow filters first, enable the capture, generate the test traffic, and turn the capture off immediately after gathering the data. [1, 2, 3, 4, 5]
Method 1: Using the Web Interface (GUI)
  1. Configure Filters:
    • Go to Monitor > Packet Capture.
    • Click Manage Filters.
    • Click Add and define parameters like Source IP, Destination IP, Ingress Interface, and Protocol to narrow down the traffic. Click OK.
  2. Configure Capture Options:
    • Click Configure Capturing.
    • Add the stages you need (Receive, Firewall, Transmit, Drop) and give each one its own file name; packet and byte limits can be set per stage to bound the capture size.
  3. Start and Run:
    • Toggle the Packet Capture switch to ON.
    • Generate your test traffic to ensure the packets are passing through.
    • Toggle the switch to OFF once done.
  4. Download the File:
    • The .pcap file will appear in the list under the Packet Capture screen. Click the download icon next to the filename. [1, 2, 3, 4, 5]
Method 2: Using the CLI (For Management-Plane Traffic)
The tcpdump command on PAN-OS captures traffic on the management interface only (SSH, HTTPS, syslog, Panorama, updates); it does not see dataplane traffic, which needs the packet-diag filters and stages above. [1, 2]
  1. Run TCPDump: Connect to the firewall via SSH and use the tcpdump tool:
    tcpdump filter "host <IP_Address>"
  2. View or Export:
    • View the packet headers in the console in real-time:
      view-pcap follow yes mgmt-pcap mgmt.pcap
    • Export the file to an external server:
      scp export mgmt-pcap from mgmt.pcap to <username@host:path>
      [1, 2, 3]
Method 3: Downloading the Capture Attached to a Log Entry
  1. Navigate to Monitor > Logs > Traffic (or Threat).
  2. Locate the specific log entry that you want to analyze.
  3. Click the green arrow icon next to the log entry to download the .pcap file associated with that exact connection.
  The icon is only present when a capture was attached to the log, that is, when packet capture was enabled on the security profile or application that produced the entry; ordinary traffic logs carry no pcap.
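Once the stage files (rx.pcap, tx.pcap, dp.pcap from the CLI procedure, or the same stages configured in the GUI) are downloaded, the useful check is to compare them: a 5-tuple seen at the receive stage but absent from the transmit stage was not forwarded, and the drop stage should contain it. The script below is an added example and not part of the original post or of Palo Alto Networks' tooling; it reads classic libpcap files with the Python standard library only, and the three captures embedded in it are constructed for the demonstration, not real firewall output. Flow identifiers are assumed to be IPv4 (proto, src, sport, dst, dport) tuples.

```python
"""Triage PAN-OS packet-diag stage captures offline (example, not vendor code).

Reads classic libpcap (not pcapng) files and reports which IPv4 5-tuples seen
at the receive stage never reached the transmit stage, cross-checked against
the drop stage. The sample captures at the bottom are constructed inline.
"""
import socket
import struct
from collections import Counter

PCAP_MAGIC_LE = 0xA1B2C3D4  # little-endian file read with "<I"
PCAP_MAGIC_BE = 0xD4C3B2A1  # big-endian file read with "<I"


def parse_pcap(data: bytes):
    """Yield raw Ethernet frames from a classic libpcap file."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC_LE:
        endian = "<"
    elif magic == PCAP_MAGIC_BE:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not supported here)")
    linktype = struct.unpack(endian + "I", data[20:24])[0]
    if linktype != 1:  # LINKTYPE_ETHERNET
        raise ValueError(f"unsupported link type {linktype}")
    off = 24
    while off + 16 <= len(data):
        _ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def five_tuple(frame: bytes):
    """Return (proto, src, sport, dst, dport) for IPv4 frames, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":  # EtherType IPv4
        return None
    ihl = (frame[14] & 0x0F) * 4
    proto = frame[23]
    src = socket.inet_ntoa(frame[26:30])
    dst = socket.inet_ntoa(frame[30:34])
    l4 = 14 + ihl
    if proto in (6, 17) and len(frame) >= l4 + 4:  # TCP/UDP ports
        sport, dport = struct.unpack("!HH", frame[l4:l4 + 4])
    else:
        sport = dport = 0
    return (proto, src, sport, dst, dport)


def flows(data: bytes) -> Counter:
    """Count packets per 5-tuple in one stage capture."""
    return Counter(t for t in map(five_tuple, parse_pcap(data)) if t)


def triage(rx: bytes, tx: bytes, drop: bytes) -> dict:
    """Compare receive, transmit and drop stages; return sorted flow lists."""
    rx_f, tx_f, dp_f = flows(rx), flows(tx), flows(drop)
    not_forwarded = rx_f.keys() - tx_f.keys()
    return {
        "forwarded": sorted(rx_f.keys() & tx_f.keys()),
        "dropped": sorted(not_forwarded),
        "drop_confirmed": sorted(not_forwarded & dp_f.keys()),  # also in dp.pcap
    }


# ---- constructed sample captures (hypothetical addresses, not real output) ----

def _frame(src: str, sport: int, dst: str, dport: int, proto: int = 6) -> bytes:
    """Minimal Ethernet/IPv4/TCP SYN frame, 54 bytes, checksums left zero."""
    eth = b"\x00" * 6 + b"\x00" * 5 + b"\x01" + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 65535, 0, 0)
    return eth + ip + tcp


def _pcap(frames) -> bytes:
    """Wrap frames in a little-endian classic pcap file (Ethernet link type)."""
    hdr = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, 1)
    body = b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)
    return hdr + body


# Client 10.1.1.10 opens HTTP (allowed) and telnet (denied) to 10.2.2.20.
RX_PCAP = _pcap([_frame("10.1.1.10", 51000, "10.2.2.20", 80),
                 _frame("10.1.1.10", 51001, "10.2.2.20", 23)])
TX_PCAP = _pcap([_frame("10.1.1.10", 51000, "10.2.2.20", 80)])
DP_PCAP = _pcap([_frame("10.1.1.10", 51001, "10.2.2.20", 23)])

if __name__ == "__main__":
    # Replace the constructed bytes with open("rx.pcap", "rb").read() etc.
    for key, value in triage(RX_PCAP, TX_PCAP, DP_PCAP).items():
        print(key, value)
```

The comparison is on the forward direction only and assumes the 5-tuple is unchanged between stages. For a NATed flow the transmit-stage frames carry the translated addresses, so compare on the pre-NAT side (receive versus drop) or translate the tuple before matching; the drop reason itself comes from the global counters, not from the pcap.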

