packet-diag flow basic “matched rule index 0”

LarsAtConsigas — Wed, 26 Mar 2014 07:04:31 GMT

What does the rule with the index number 0 refer to in the packet-diag flow basic for the security as well as the NAT policy? The id manager does not show a security nor nat rule with an index 0 while the show session shows that the traffic was matching security policy “General-Internet” which is index 7 and NAT policy “Student-NAT-Out” which is index 3

admin@Student-17> less mp-log pan_packet_diag.log

== 2014-03-25 10:00:50.195 +0000 ==

Packet received at ingress stage

Packet info: len 74 port 17 interface 17 vsys 1

wqe index 153702 packet 0x0x7f0005c04dc6

Packet decoded dump:

L2: 00:50:56:1d:11:17->00:1b:17:f7:7a:11, type 0x0800

IP: 192.168.17.50->8.8.8.8, protocol 1

version 4, ihl 5, tos 0x00, len 60,

id 430, frag_off 0x0000, ttl 128, checksum 10583

ICMP: type 8, code 0, checksum 6107, id 2, seq 13695

Flow lookup, key word0 0x10005357f0002 word1 0

No active flow found, enqueue to create session

== 2014-03-25 10:00:50.195 +0000 ==

Packet received at slowpath stage

Packet info: len 74 port 17 interface 17 vsys 1

wqe index 153702 packet 0x0x7f0005c04dc6

Packet decoded dump:

L2: 00:50:56:1d:11:17->00:1b:17:f7:7a:11, type 0x0800

IP: 192.168.17.50->8.8.8.8, protocol 1

version 4, ihl 5, tos 0x00, len 60,

id 430, frag_off 0x0000, ttl 128, checksum 10583

ICMP: type 8, code 0, checksum 6107, id 2, seq 13695

Session setup: vsys 1

PBF lookup (vsys 1) with application ping

Session setup: ingress interface ethernet1/2 egress interface ethernet1/1.217 (zone 4)

NAT policy lookup, matched rule index 0

Policy lookup, matched rule index 0

DP0 is selected to process this session.

Allocated new session 25091.

Packet matched vsys 1 NAT rule 'Student-NAT-Out' (index 1),

source translation 192.168.17.50/2 => 172.16.17.1/2

Created session, enqueue to install

== 2014-03-25 10:00:50.196 +0000 ==

Packet received at fastpath stage

Packet info: len 74 port 17 interface 17 vsys 1

wqe index 153702 packet 0x0x7f0005c04dc6

Packet decoded dump:

L2: 00:50:56:1d:11:17->00:1b:17:f7:7a:11, type 0x0800

IP: 192.168.17.50->8.8.8.8, protocol 1

version 4, ihl 5, tos 0x00, len 60,

id 430, frag_off 0x0000, ttl 128, checksum 10583

ICMP: type 8, code 0, checksum 6107, id 2, seq 13695

Flow fastpath, session 25091

NAT session, run address/port translation

== 2014-03-25 10:00:50.196 +0000 ==

Packet received at forwarding stage

Packet info: len 74 port 17 interface 17 vsys 1

wqe index 153702 packet 0x0x7f0005c04dc6

Packet decoded dump:

L2: 00:50:56:1d:11:17->00:1b:17:f7:7a:11, type 0x0800

IP: 172.16.17.1->8.8.8.8, protocol 1

version 4, ihl 5, tos 0x00, len 60,

id 430, frag_off 0x0000, ttl 128, checksum 62059

ICMP: type 8, code 0, checksum 6107, id 2, seq 13695

Forwarding lookup, ingress interface 17

L3 mode, virtual-router 3

Route lookup in virtual-router 3, IP 8.8.8.8

Route found, interface ethernet1/1.217, zone 4, nexthop 172.16.17.254

0%Resolve ARP for IP 172.16.17.254 on interface ethernet1/1.217

ARP entry found on interface 256

Transmit packet on port 16

admin@Student-17> debug device-server dump idmgr type security-rule all

ID Name

---------- --------------------

1 Inbound-FTP-Policy

2 General Internet

3 Block-Known-Bad

4 Log-All

5 Deny Inbound

6 VPN Traffic

7 General-Internet

8 Deny-the-rest

9 Chrome-Policy

10 Protect-All

11 permit all

12 Block Firefox

13 Custom Telnet

14 DoS Testing

15 Remote access

16 SuperBackup

17 SSL

18 DNS

19 ping

20 Facebook

21 LinkedIn

22 Pandora

23 Gmail Chat

24 Gmail

25 Deny All

26 Deezer

27 Filedropper

28 Google Maps

29 Block ping

30 Explicit Deny

31 Block Ping

32 Test

Type: 13 Last id: 33 Mismatch cnt: 0

admin@Student-17> debug device-server dump idmgr type nat-rule all

ID Name

---------- --------------------

1 Student Source NAT

2 Inbound-FTP-NAT

3 Student-NAT-Out

4 DoS Testing

5 Martin One

6 Martin Two

7 Test

8 Static-NAT

9 DOS

10 15.15.15.15

11 Default

12 RDP-Student1

Type: 14 Last id: 13 Mismatch cnt: 0

admin@Student-17> show session id 25091

Session 25091

c2s flow:

source: 192.168.17.50 [Trust-L3]

dst: 8.8.8.8

proto: 1

sport: 2 dport: 63474

state: INIT type: FLOW

src user: unknown

dst user: unknown

s2c flow:

source: 8.8.8.8 [Untrust-L3]

dst: 172.16.17.1

proto: 1

sport: 63474 dport: 2

state: INIT type: FLOW

src user: unknown

dst user: unknown

start time : Tue Mar 25 23:57:42 2014

timeout : 6 sec

total byte count(c2s) : 74

total byte count(s2c) : 78

layer7 packet count(c2s) : 1

layer7 packet count(s2c) : 1

vsys : vsys1

application : ping

rule : General-Internet

session to be logged at end : True

session in session ager : False

session synced from HA peer : False

address/port translation : source + destination

nat-rule : Student-NAT-Out(vsys1)

layer7 processing : enabled

URL filtering enabled : False

session via syn-cookies : False

session terminated on host : False

session traverses tunnel : False

captive portal session : False

ingress interface : ethernet1/2

egress interface : ethernet1/1.217

session QoS rule : N/A (class 4)

tracker stage firewall : Aged out

Re: packet-diag flow basic “matched rule index 0”

dgnewell — Thu, 05 Oct 2017 05:20:36 GMT

The reason for the discrepancy is due to the difference between A) the totality of rules that the ID manager tracks and the subset of rules that are in the current running configuration and B) the ID manager starting with "1" and the assessment of the the running configuration by flow basic starting at "0".

Thus, although the ID manager is tracking "General-Interest" as index 7, the current running configuration does not include any of the rules from indexes 1-6. "General-Interest" is the first rule in the running configuration. And because the numbering reported based on the running configuration starts at 0, instead of one, "0" is the index of the General_Interest rule in the running-configuration.

The same story applies to the NAT rule Student-NAT-Out. It's likely the only NAT rule running. The prior rules were created during deployment and replaced during testing. Student-NAT-Out is now the first rule listed in the running configuration, and the first number is 0.

To examine the current running configuration with some effeciency, see:

https://live.paloaltonetworks.com/t5/Management-Articles/How-to-Decipher-Index-Numbers-in-Flow-Basic-Debugs/ta-p/58847

topic Re: packet-diag flow basic “matched rule index 0” in General Topics

packet-diag flow basic “matched rule index 0”

Re: packet-diag flow basic “matched rule index 0”