topic Re: PA equivalent of ASA packet tracer? in General Topics

PA equivalent of ASA packet tracer?

philparadis — Thu, 10 Jan 2013 15:09:59 GMT

One of the more useful features in troubleshooting on the PIX/ASA (which we used until recently) is the packet tracer, which allows us to enter source/destination IP/port, etc and check to see if a given connection is allowed or blocked, and by which rule. Is there an equivalent feature in the PA units?

Re: PA equivalent of ASA packet tracer?

nbilly — Thu, 10 Jan 2013 15:27:57 GMT

Hi Phil,

We have a very useful packet capture tool embedded in Panos (Monitor tab -->packet capture in GUI).

You can configured several filters and capture traffic in different process stage. (receive, transmit, drop and firewall)

To get security rule matching for a given traffic, you can also use the #test security-policy-match command from CLI.

Best Regards

-Nicolas

Re: PA equivalent of ASA packet tracer?

mikand — Thu, 10 Jan 2013 20:23:24 GMT

Speaking of which, what about decrypted traffic?

Can that be captured aswell, and if not - if filing this as a feature request, does the hardware support this in some way (or would it just be a waste of time to describe this feature request)?

I guess it could be done because Wildfire can get a copy of files transmitted by ssl/https and send for analyze.

Re: PA equivalent of ASA packet tracer?

MatthewSabin — Fri, 19 May 2017 18:15:13 GMT

I'll revive this question - as the answers didn't actually relate.

The Cisco ASA packet tracer allows you to propose a hypothetical flow and runs it through the engine as if it were real. Evaluating the NAT and route dicisions which would likely apply in addition to the policy/ACL allow/deny logic.

It was very helpful to see if your configured configuration should pass traffic you are planning for prior to the actual traffic arriving.

Re: PA equivalent of ASA packet tracer?

Raido_Rattameister — Fri, 19 May 2017 18:38:22 GMT

Well it is not that easy with Layer 7 firewall.

If you want to test application sharepoint-admin then session ca go through many steps like incomplete, web-browsing, sharepoint-base, and then get's to sharepoint-admin.

So test would also need to check if every application your requested application depends on is permitted.

But test capability is there.

https://live.paloaltonetworks.com/t5/Management-Articles/How-To-Test-Security-NAT-and-PBF-Rules-via-the-CLI/ta-p/55911

Re: PA equivalent of ASA packet tracer?

TranceforLife — Fri, 19 May 2017 19:57:42 GMT

Another good point mate! Not easy to simulate Layer 7 traffic

Re: PA equivalent of ASA packet tracer?

ChrisRussell — Mon, 22 May 2017 15:09:20 GMT

I know what you are thinking of in the ASA and I don't think there is a Palo equivalent.

You can source your ping/traceroute and the system will tell you the logical response.

> ping source <ip-address-on-dataplane> host <destination-ip-address>

> traceroute source <ip-address-on-dataplane> host 8.8.8.8

But as everyone else stated this will only tell you basic networking/services and not check any of the layer 7 policies in place.

Re: PA equivalent of ASA packet tracer?

Chris777 — Wed, 12 May 2021 10:01:08 GMT

I think most are missing the point of the original question.

In Cisco's ASA, Packet tracer allows you to query traffic flow using the current ACL/Rules in place.

so for argument sake, say user on 10.10.20.111 is trying to connect to say 172.16.50.9 on port 443, but claims the firewall is blocking them. You can emulate that traffic. This is a vital tool for rule querying.

The command below would check as to successful, or dropped

#packet-tracer input inside tcp 10.10.20.111 2222 172.16.50.9 443 detail

this is up to layer 4 of the OSI, which gives good details on: known route/path, NAT and whether there is a supporting rule. If the packet gets dropped, there is good information which points out where and why it was dropped. Which gives guidance on what needs to be added to resolve it.

I have found the monitor tab to be lacking when compared to packet trace

Re: PA equivalent of ASA packet tracer?

D.Tamburin — Wed, 15 Jan 2025 18:13:16 GMT

I came to ask this exact question. It also did a good job of forcing the tunnel up, so you could check on establishment also.

Anyone know of a way to test the tunnel on a Palo? I am also just coming over from cisco.

thanks

Re: PA equivalent of ASA packet tracer?

JayGolf — Thu, 16 Jan 2025 04:03:18 GMT

Hi @D.Tamburin ,

You can hit the CLI with a couple of commands to test phase 1 and 2:

test vpn ike-sa gateway <gateway-name>
test vpn ipsec-sa tunnel <tunnel-name>

If all parameters are good to go, youll see phase 1 and 2 statuses turn green. You can also verify via system logs.

Re: PA equivalent of ASA packet tracer?

BPry — Thu, 16 Jan 2025 04:11:53 GMT

@D.Tamburin

One of the biggest changes that you'll find coming from Cisco is that PAN doesn't need any interested traffic to bring a tunnel online. The tunnels will automatically be created and don't need frequent traffic to keep them established as long as the other side also functions the same way. @JayGolf seems to have already given you to test commands; you can also run the show command of the same to see if phase 1 and phase 2 are already established.