Monday, September 8, 2025

Module 12 Palo Alto Troubleshooting

 



View all HA cluster configuration content.
show high-availability cluster all


Palo Alto Firewall Commands:
==================================
show system info
show system resource
show interface management
show arp all
show interface all
show interface ethernet1/1
show config run
show config candidate
show session all
show routing route
show routing route virtual-router default
show log system
show log traffic
ping source 10.1.1.1 host 8.8.8.8
traceroute host 8.8.8.8
show admins
clear session all
show high-availability state

Use Palo Alto Knowledge Base   



The command "show counter global filter packet-filter yes delta yes" gives a snapshot of the counters that incremented since the last time "show counter global filter packet-filter yes delta yes" was run, including packets dropped by the firewall.








Interface => Marvell Chip  => Liger/Tiger Chip => Data Plane-CPU (ingress/flow/slow/fast)  => Jaguar chip (App-id, Content ID)

The Marvell OCTEON series of data processing units (DPUs) provides hardware acceleration. They are responsible for hardware-assisted SSL/TLS decryption, compression, network traffic routing, and security functions.


Life Of Packet/Packet Processing Stage

Ingress stage
Flow Lookup
Slow path (Session Setup)
Fast Path 
App-ID
Content-ID - threat URL filter, antivirus, vulnerability protection
Egress

>show counter 

Validate that routing is available:
>test routing fib-lookup virtual-router VR-01 ip "192.168.1.1"
 
virtual router: VR-01
destination: 192.168.1.1
result:
interface ethernet1/1, source 192.168.1.240 (interface IP address)

>show interface ethernet1/1
The output includes the zone the interface belongs to.

>show routing route

>debug dataplane packet-diag set filter index 1 match source 10.1.2.100 destination 192.168.1.1 destination-port 80 protocol 6

>debug dataplane packet-diag set filter on

>show counter global filter delta yes

>show counter global filter delta yes packet-filter yes



