https://live.paloaltonetworks.com/t5/general-topics/packet-capture-of-specific-security-rule/m-p/7212#M5339 <HTML><HEAD></HEAD><BODY><P>It is true that you are not able to simply initiate a packet capture with a security rule as the filter criteria.&nbsp; However, you can do the following:</P><P></P><P>admin@PA-200&gt; show session all filter rule dns-test</P><P></P><P></P><P>--------------------------------------------------------------------------------</P><P>ID&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Application&nbsp;&nbsp;&nbsp; State&nbsp;&nbsp; Type Flag&nbsp; Src[Sport]/Zone/Proto (translated IP[Port])</P><P>Vsys&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Dst[Dport]/Zone (translated IP[Port])</P><P>--------------------------------------------------------------------------------</P><P>13580&nbsp;&nbsp; dns&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ACTIVE&nbsp; FLOW&nbsp; NS&nbsp;&nbsp; 192.168.100.50[52160]/trust/17&nbsp; (10.19.0.107[39841])</P><P>vsys1&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 10.0.0.246[53]/untrust&nbsp; (10.0.0.246[53])</P><P>12502&nbsp;&nbsp; dns&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ACTIVE&nbsp; FLOW&nbsp; NS&nbsp;&nbsp; 192.168.100.50[49422]/trust/17&nbsp; (10.19.0.107[62992])</P><P>vsys1&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 10.0.0.246[53]/untrust&nbsp; (10.0.0.246[53])</P><P>13571&nbsp;&nbsp; dns&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ACTIVE&nbsp; FLOW&nbsp; NS&nbsp;&nbsp; 192.168.100.50[52502]/trust/17&nbsp; (10.19.0.107[15692])</P><P>vsys1&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 10.0.0.246[53]/untrust&nbsp; (10.0.0.246[53])</P><P>13590&nbsp;&nbsp; dns&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ACTIVE&nbsp; FLOW&nbsp; NS&nbsp;&nbsp; 192.168.100.50[62261]/trust/17&nbsp; (10.19.0.107[32684])</P><P>vsys1&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 10.0.0.246[53]/untrust&nbsp; (10.0.0.246[53])</P><P>admin@PA-200&gt; show session id 13580</P><P></P><P></P><P>Session&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 13580</P><P></P><P></P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; c2s flow:</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; source:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 192.168.100.50 [trust]</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; dst:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 10.0.0.246</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; proto:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 17</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; sport:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 52160&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; dport:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 53</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; state:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; INIT&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; type:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; FLOW</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; src user:&nbsp;&nbsp;&nbsp; unknown</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; dst user:&nbsp;&nbsp;&nbsp; unknown</P><P></P><P></P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; s2c flow:</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; source:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 10.0.0.246 [untrust]</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; dst:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 10.19.0.107</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; proto:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 17</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; sport:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 53&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; dport:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 39841</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; state:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; INIT&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; type:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; FLOW</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; src user:&nbsp;&nbsp;&nbsp; unknown</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; dst user:&nbsp;&nbsp;&nbsp; unknown</P><P></P><P></P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; start time&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : Thu Jun 20 03:48:34 2013</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; timeout&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : 30 sec</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; total byte count(c2s)&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : 95</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; total byte count(s2c)&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : 152</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; layer7 packet count(c2s)&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : 1</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; layer7 packet count(s2c)&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : 1</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; vsys&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : vsys1</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; application&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : dns&nbsp; </P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; rule&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : dns-test</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; session to be logged at end&nbsp;&nbsp; : True</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; session in session ager&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : False</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; session synced from HA peer&nbsp;&nbsp; : False</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; address/port translation&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : source + destination</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; nat-rule&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : NATOUT(vsys1)</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; layer7 processing&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : enabled</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; URL filtering enabled&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : True</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; URL category&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : any</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; session via syn-cookies&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : False</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; session terminated on host&nbsp;&nbsp;&nbsp; : False</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; session traverses tunnel&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : False</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; captive portal session&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : False</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ingress interface&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : ethernet1/2</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; egress interface&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : ethernet1/1</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; session QoS rule&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : N/A (class 4)</P><P>admin@PA-200&gt; </P><P></P><P>"show session all filter rule" will give you the sessions that are currently matching your rule.&nbsp; You can get the session data by doing "show session id &lt;ID&gt;".</P><P></P><P>Capturing the actual data will require a packet capture, either on the firewall or another machine.</P><P></P><P>-chadd.</P></BODY></HTML> Thu, 20 Jun 2013 03:00:19 GMT cchristiansen 2013-06-20T03:00:19Z https://live.paloaltonetworks.com/t5/general-topics/packet-capture-of-specific-security-rule/m-p/7210#M5337 <HTML><HEAD></HEAD><BODY><P>I need to confirm what traffic data (specific DNS Request strings inside the packet) is hitting two specific Security rules, so would like to capture just the traffic that is hitting these rules. Is there any way to do this?</P><P></P><P>I have run the Packet Capture (in,out,firewall, and drop), filtered to port 53 (DNS), but have no way of knowing WHICH rule the traffic is hitting.</P><P></P><P>I tried setting one rule to "Block", and was able to see the "Drop" capture traffic for that rule, but my clients started screaming due to legitimate DNS requests failing. Can't do that again.....</P></BODY></HTML> Wed, 19 Jun 2013 23:45:28 GMT https://live.paloaltonetworks.com/t5/general-topics/packet-capture-of-specific-security-rule/m-p/7210#M5337 ktm530russ 2013-06-19T23:45:28Z https://live.paloaltonetworks.com/t5/general-topics/packet-capture-of-specific-security-rule/m-p/7211#M5338 <HTML><HEAD></HEAD><BODY><P>I think there is no way to specify security rule for packet capturing.</P><P>Can you use 'test security-policy-match ...' command instead?</P></BODY></HTML> Thu, 20 Jun 2013 01:24:11 GMT https://live.paloaltonetworks.com/t5/general-topics/packet-capture-of-specific-security-rule/m-p/7211#M5338 emr_1 2013-06-20T01:24:11Z https://live.paloaltonetworks.com/t5/general-topics/packet-capture-of-specific-security-rule/m-p/7212#M5339 <HTML><HEAD></HEAD><BODY><P>It is true that you are not able to simply initiate a packet capture with a security rule as the filter criteria.&nbsp; However, you can do the following:</P><P></P><P>admin@PA-200&gt; show session all filter rule dns-test</P><P></P><P></P><P>--------------------------------------------------------------------------------</P><P>ID&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Application&nbsp;&nbsp;&nbsp; State&nbsp;&nbsp; Type Flag&nbsp; Src[Sport]/Zone/Proto (translated IP[Port])</P><P>Vsys&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Dst[Dport]/Zone (translated IP[Port])</P><P>--------------------------------------------------------------------------------</P><P>13580&nbsp;&nbsp; dns&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ACTIVE&nbsp; FLOW&nbsp; NS&nbsp;&nbsp; 192.168.100.50[52160]/trust/17&nbsp; (10.19.0.107[39841])</P><P>vsys1&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 10.0.0.246[53]/untrust&nbsp; (10.0.0.246[53])</P><P>12502&nbsp;&nbsp; dns&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ACTIVE&nbsp; FLOW&nbsp; NS&nbsp;&nbsp; 192.168.100.50[49422]/trust/17&nbsp; (10.19.0.107[62992])</P><P>vsys1&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 10.0.0.246[53]/untrust&nbsp; (10.0.0.246[53])</P><P>13571&nbsp;&nbsp; dns&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ACTIVE&nbsp; FLOW&nbsp; NS&nbsp;&nbsp; 192.168.100.50[52502]/trust/17&nbsp; (10.19.0.107[15692])</P><P>vsys1&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 10.0.0.246[53]/untrust&nbsp; (10.0.0.246[53])</P><P>13590&nbsp;&nbsp; dns&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ACTIVE&nbsp; FLOW&nbsp; NS&nbsp;&nbsp; 192.168.100.50[62261]/trust/17&nbsp; (10.19.0.107[32684])</P><P>vsys1&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 10.0.0.246[53]/untrust&nbsp; (10.0.0.246[53])</P><P>admin@PA-200&gt; show session id 13580</P><P></P><P></P><P>Session&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 13580</P><P></P><P></P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; c2s flow:</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; source:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 192.168.100.50 [trust]</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; dst:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 10.0.0.246</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; proto:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 17</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; sport:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 52160&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; dport:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 53</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; state:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; INIT&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; type:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; FLOW</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; src user:&nbsp;&nbsp;&nbsp; unknown</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; dst user:&nbsp;&nbsp;&nbsp; unknown</P><P></P><P></P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; s2c flow:</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; source:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 10.0.0.246 [untrust]</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; dst:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 10.19.0.107</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; proto:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 17</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; sport:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 53&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; dport:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 39841</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; state:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; INIT&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; type:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; FLOW</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; src user:&nbsp;&nbsp;&nbsp; unknown</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; dst user:&nbsp;&nbsp;&nbsp; unknown</P><P></P><P></P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; start time&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : Thu Jun 20 03:48:34 2013</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; timeout&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : 30 sec</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; total byte count(c2s)&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : 95</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; total byte count(s2c)&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : 152</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; layer7 packet count(c2s)&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : 1</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; layer7 packet count(s2c)&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : 1</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; vsys&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : vsys1</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; application&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : dns&nbsp; </P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; rule&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : dns-test</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; session to be logged at end&nbsp;&nbsp; : True</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; session in session ager&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : False</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; session synced from HA peer&nbsp;&nbsp; : False</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; address/port translation&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : source + destination</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; nat-rule&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : NATOUT(vsys1)</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; layer7 processing&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : enabled</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; URL filtering enabled&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : True</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; URL category&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : any</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; session via syn-cookies&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : False</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; session terminated on host&nbsp;&nbsp;&nbsp; : False</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; session traverses tunnel&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : False</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; captive portal session&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : False</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ingress interface&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : ethernet1/2</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; egress interface&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : ethernet1/1</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; session QoS rule&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : N/A (class 4)</P><P>admin@PA-200&gt; </P><P></P><P>"show session all filter rule" will give you the sessions that are currently matching your rule.&nbsp; You can get the session data by doing "show session id &lt;ID&gt;".</P><P></P><P>Capturing the actual data will require a packet capture, either on the firewall or another machine.</P><P></P><P>-chadd.</P></BODY></HTML> Thu, 20 Jun 2013 03:00:19 GMT https://live.paloaltonetworks.com/t5/general-topics/packet-capture-of-specific-security-rule/m-p/7212#M5339 cchristiansen 2013-06-20T03:00:19Z https://live.paloaltonetworks.com/t5/general-topics/packet-capture-of-specific-security-rule/m-p/7213#M5340 <HTML><HEAD></HEAD><BODY><P>You can also compared the pcap with traffic log.</P><P>Since traffic you look for must be DNS, I would use source port number to identify which packet is corresponding to a specific traffic log.</P><P>Traffic log should include rule name as well.</P><P></P><P>FYI:</P><P>This is the way to add column in traffic log in GUI.</P><P><A _jive_internal="true" href="https://live.paloaltonetworks.com/docs/DOC-2799">https://live.paloaltonetworks.com/docs/DOC-2799</A></P></BODY></HTML> Thu, 20 Jun 2013 03:56:44 GMT https://live.paloaltonetworks.com/t5/general-topics/packet-capture-of-specific-security-rule/m-p/7213#M5340 sunright 2013-06-20T03:56:44Z https://live.paloaltonetworks.com/t5/general-topics/packet-capture-of-specific-security-rule/m-p/7214#M5341 <HTML><HEAD></HEAD><BODY><P>Thanks for the responses. I DO need to see the acual data inside the packets (looking for which DNS request string is hitting each DNS rule), thus the question regarding packet capture.</P><P>I thought of doing the PCAP comparison to the traffic log, but we had over 17,000 DNS capture packets under 2 minutes...&nbsp; even parsing for time-stamps would be a HUGE undertaking...</P></BODY></HTML> Thu, 20 Jun 2013 15:21:48 GMT https://live.paloaltonetworks.com/t5/general-topics/packet-capture-of-specific-security-rule/m-p/7214#M5341 ktm530russ 2013-06-20T15:21:48Z https://live.paloaltonetworks.com/t5/general-topics/packet-capture-of-specific-security-rule/m-p/7215#M5342 <HTML><HEAD></HEAD><BODY><P>I found one command that might help you...I hope.</P><P>try 'set application dump on rule &lt;rulename&gt; protocol 17 destination-port 53'</P><P>you can see green down arrow besides each traffic log after you enter this command</P><P></P><P>I just mention that if I enter 'set application dump on rule &lt;rulename&gt;', my PAN device somehow collected pcaps for all traffics.</P><P>I think only rulename does not work properly.</P><P></P><P>***Additional Comments***</P><P>I confirmed that rulename filter does not work even I specify protocol number and destination number.</P><P>This command would not help you.</P><P>I apologize for it.</P></BODY></HTML> Thu, 20 Jun 2013 15:59:39 GMT https://live.paloaltonetworks.com/t5/general-topics/packet-capture-of-specific-security-rule/m-p/7215#M5342 emr_1 2013-06-20T15:59:39Z https://live.paloaltonetworks.com/t5/general-topics/packet-capture-of-specific-security-rule/m-p/7216#M5343 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>Even though you have 17000 DNS packet, I assume source port is sequence or randomized so it should be possible to match pcap and traffic log?</P><P></P><P>Were you not able to identify which traffic log was made with which pcap?</P><P></P><P>You can use filter on GUI like following.</P><P>( port.src eq xxx ) and ( port.dst eq 53 ) and ( app eq dns )</P><P></P><P></P><P>There is filter function on CLI as well.</P><P>admin@PA-200&gt; show log traffic</P><P>+ action&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; action</P><P>+ app&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; app</P><P>+ csv-output&nbsp;&nbsp;&nbsp;&nbsp; csv-output</P><P>+ direction&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; direction</P><P>+ dport&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; dport</P><P>+ dst&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; dst</P><P>+ dstuser&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; dstuser</P><P>+ end-time&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; end-time</P><P>+ from&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; from</P><P>+ query&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; query</P><P>+ receive_time&nbsp;&nbsp; receive_time</P><P>+ rule&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; rule</P><P>+ sport&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; sport</P><P>+ src&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; src</P><P>+ srcuser&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; srcuser</P><P>+ start-time&nbsp;&nbsp;&nbsp;&nbsp; start-time</P><P>+ to&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; to</P><P>&nbsp; |&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Pipe through a command</P><P>&nbsp; &lt;Enter&gt;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Finish input</P><P></P><P></P><P>I hope this helps.</P></BODY></HTML> Mon, 24 Jun 2013 01:54:14 GMT https://live.paloaltonetworks.com/t5/general-topics/packet-capture-of-specific-security-rule/m-p/7216#M5343 sunright 2013-06-24T01:54:14Z https://live.paloaltonetworks.com/t5/general-topics/packet-capture-of-specific-security-rule/m-p/7217#M5344 <HTML><HEAD></HEAD><BODY><P><SPAN style="color: #000000; font-family: Arial, Helvetica, sans-serif; font-size: 12px; background-color: #ffffff;">One correction. the following filter should be sufficient.<BR /></SPAN></P><P><SPAN style="color: #000000; font-family: Arial, Helvetica, sans-serif; font-size: 12px; background-color: #ffffff;"><BR /></SPAN></P><P><SPAN style="color: #000000; font-family: Arial, Helvetica, sans-serif; font-size: 12px; background-color: #ffffff;">( port.src eq xxx ) and ( app eq dns )</SPAN></P><P><SPAN style="color: #000000; font-family: Arial, Helvetica, sans-serif; font-size: 12px; background-color: #ffffff;"><BR /></SPAN></P></BODY></HTML> Mon, 24 Jun 2013 02:21:56 GMT https://live.paloaltonetworks.com/t5/general-topics/packet-capture-of-specific-security-rule/m-p/7217#M5344 sunright 2013-06-24T02:21:56Z https://live.paloaltonetworks.com/t5/general-topics/packet-capture-of-specific-security-rule/m-p/7218#M5345 <HTML><HEAD></HEAD><BODY><P>Have you had a chance to review this doc:-</P><P><A _jive_internal="true" href="https://live.paloaltonetworks.com/docs/DOC-3601">https://live.paloaltonetworks.com/docs/DOC-3601</A></P></BODY></HTML> Tue, 25 Jun 2013 03:59:32 GMT https://live.paloaltonetworks.com/t5/general-topics/packet-capture-of-specific-security-rule/m-p/7218#M5345 sraghunandan 2013-06-25T03:59:32Z