https://live.paloaltonetworks.com/t5/general-topics/imac-updates-and-traffic-monitoring/m-p/31679#M23170 <HTML><HEAD></HEAD><BODY><P>I have permitted apple-updates and users have confirmed that they are able to perform their updates. However, a user in is unable to perform updates as it appears that he is being blocked.</P><P></P><P>All our firewall and filtering is carried out by PAN and I am usually view traffic from a user's PC computer and figure out what is being blocked by the one of the Palo Altos.&nbsp; However, in this case I am unable to see traffic sourced or destined from his iMac. Yes he is connected to our network (connected concurrently to our wireless and wired networks) and to no other. When I go into Panorama and look at the traffic logs I do not see any traffic at all to or from his iMac. Yes, he is able to browse but I am not able to see his traffic. I am only filtering for his IP address.</P><P></P><P>Any ideas as to how or why the I am unable to see his traffic?</P></BODY></HTML> Mon, 19 Aug 2013 17:28:46 GMT PeterG 2013-08-19T17:28:46Z https://live.paloaltonetworks.com/t5/general-topics/imac-updates-and-traffic-monitoring/m-p/31679#M23170 <HTML><HEAD></HEAD><BODY><P>I have permitted apple-updates and users have confirmed that they are able to perform their updates. However, a user in is unable to perform updates as it appears that he is being blocked.</P><P></P><P>All our firewall and filtering is carried out by PAN and I am usually view traffic from a user's PC computer and figure out what is being blocked by the one of the Palo Altos.&nbsp; However, in this case I am unable to see traffic sourced or destined from his iMac. Yes he is connected to our network (connected concurrently to our wireless and wired networks) and to no other. When I go into Panorama and look at the traffic logs I do not see any traffic at all to or from his iMac. Yes, he is able to browse but I am not able to see his traffic. I am only filtering for his IP address.</P><P></P><P>Any ideas as to how or why the I am unable to see his traffic?</P></BODY></HTML> Mon, 19 Aug 2013 17:28:46 GMT https://live.paloaltonetworks.com/t5/general-topics/imac-updates-and-traffic-monitoring/m-p/31679#M23170 PeterG 2013-08-19T17:28:46Z https://live.paloaltonetworks.com/t5/general-topics/imac-updates-and-traffic-monitoring/m-p/31680#M23171 <HTML><HEAD></HEAD><BODY><P>To be sure check for policies if logging is enabled for related rule(s) or not</P><P>also for deep investigation you may take packet capture to see if that ip traffic comes to firewall or not.</P><P>also look directly to device(or context) not panorama.</P></BODY></HTML> Mon, 19 Aug 2013 17:45:25 GMT https://live.paloaltonetworks.com/t5/general-topics/imac-updates-and-traffic-monitoring/m-p/31680#M23171 Retired Member 2013-08-19T17:45:25Z https://live.paloaltonetworks.com/t5/general-topics/imac-updates-and-traffic-monitoring/m-p/31681#M23172 <HTML><HEAD></HEAD><BODY><P>You can do the following inorder to verify if the traffic is coming to the firewall and is getting blocked</P><P></P><P style="font-family: Calibri; font-size: 11pt;">1. Need to setup the filters for the traffic you are interested in. To do this, execute the following steps:</P><P style="font-family: Calibri; font-size: 11pt;">Navigate to Monitor--Packet Capture</P><P style="font-family: Calibri; font-size: 11pt;">Click 'Manage Filters'</P><P style="font-family: Calibri; font-size: 11pt;">Set Filter ID 1 to be the source IP and destination IP of traffic you feel is affected ( leave all other fields blank )</P><P style="font-family: Calibri; font-size: 11pt;">Set Filter ID 2 to be the exact inverse of what you did in step 3 (destination IP in source field, Source IP in destination field)</P><P></P><P style="font-family: Calibri; font-size: 11pt;">2. Setup up the captures</P><P style="font-family: Calibri; font-size: 11pt;">Create and name the file stage for a packet capture on all the stages (receive, transmit, firewall and drop)</P><P></P><P style="font-family: Calibri; font-size: 11pt;">3. Enable filters and captures </P><P style="font-family: Calibri; font-size: 11pt;">debug dataplane packet-diag set filter on</P><P style="font-family: Calibri; font-size: 11pt;">debug dataplane packet-diag set capture on</P><P></P><P style="font-family: Calibri; font-size: 11pt;">4. open 2 CLI windows</P><P style="font-family: Calibri; font-size: 11pt;">on 1 run the following command to look at the counter ( make sure to run this command once before running the traffic)</P><P style="font-family: Calibri; font-size: 11pt;">show counter global filter packet-filter yes delta yes</P><P></P><P style="font-family: Calibri; font-size: 11pt;">on the 2nd window run the following command to look at he sessions</P><P style="font-family: Calibri; font-size: 11pt;">show session all filter source &lt;ip address&gt; destination &lt;ip address&gt;</P><P style="font-family: Calibri; font-size: 11pt;">if you dont have the destination that is fine just leave the above command till source</P><P></P><P style="font-family: Calibri; font-size: 11pt;">After your test has been done stop all the captures and filters and see if global counter show you anything why it is dropping the traffic or if you have getting pcap with drop stage.</P><P style="font-family: Calibri; font-size: 11pt;">This will help you narrow down the issue.</P><P></P><P style="font-family: Calibri; font-size: 11pt;">Let us know if this helps you resolve the issue.</P><P style="font-family: Calibri; font-size: 11pt;">Thanks</P><P style="font-family: Calibri; font-size: 11pt;">Numan</P></BODY></HTML> Mon, 19 Aug 2013 18:01:07 GMT https://live.paloaltonetworks.com/t5/general-topics/imac-updates-and-traffic-monitoring/m-p/31681#M23172 mbutt 2013-08-19T18:01:07Z