topic Re: commands to debug traffic between two host using Palo alto firewall in General Topics

commands to debug traffic between two host using Palo alto firewall

fatboy1607 — Wed, 14 May 2014 15:52:50 GMT

Can some one help with documentation with running debug commands on palo alto firewalls.

For example syntax to monitor traffic between two particular host.

Thanks for help in advance.

Re: commands to debug traffic between two host using Palo alto firewall

ssharma — Wed, 14 May 2014 15:55:44 GMT

Hi Mandar,

You can use following document for detailed description :

How to Run a Packet Capture

You can also run "show session all filter source <ip> destination <ip>" to view the traffic flow through the device. You can narrow it down to zones, ports and application. HTH

Re: commands to debug traffic between two host using Palo alto firewall

gswcowboy — Wed, 14 May 2014 15:56:44 GMT

something more granular but be sure to confirm filter is enabled and to clear the debugging when you're done. This can be intrusive debugging so doing it carefully is highly recommended

Packet Capture, Debug Flow-basic and Counter Commands

Re: commands to debug traffic between two host using Palo alto firewall

mbutt — Thu, 15 May 2014 20:12:32 GMT

Below are the steps that i would take to troubleshoot but be sure to turn off all the debugging after you are done. Since this is CPU intensive and make sure setup filter on traffic that you are interested in debugging.

Hope this helps.
Thanks

Numan

1. Need to setup the filters for the traffic we are interested in. To do this, execute the following steps:

Navigate to Monitor--Packet Capture

Click 'Manage Filters'

Set Filter ID 1 to be the source IP and destination IP of traffic you feel is affected ( leave all other fields blank )

Set Filter ID 2 to be the exact inverse of what you did in step 3 (destination IP in source field, Source IP in destination field)

2. Setup up the captures

Create and name the file stage for a packet capture on all the stages (receive, transmit, firewall and drop)

3. setup the flow basic

debug dataplane packet-diag set log feature flow basic

debug dataplane packet-diag set log feature ctd basic

4. Clear old logs flow basic logs

debug dataplane packet-diag clear log log

5. Enable filters, captures and logs

debug dataplane packet-diag set filter on

debug dataplane packet-diag set capture on

debug dataplane packet-diag set log on

6. open 3 CLI windows

on 1 run the following command to look at the counter ( make sure it run this command once before running the traffic)

show counter global filter packet-filter yes delta yes

on the 2nd window run the following command to look at he sessions

show session all filter source <ip address> destination <ip address>

On the 3rd window run the tail for the flow basic

tail follow yes dp-log pan_task_*

7. Now run the test while it fails .

8. Turn off all the debugging that was enabled

debug dataplane packet-diag set log off

debug dataplane packet-diag set filter off

debug dataplane packet-diag set capture off

9. Aggregate the flow basic logs

CLI command (be sure to do this AFTER disabling the data plane debug logging such as flow basic):

debug dataplane packet-diag aggregate-logs

Re: commands to debug traffic between two host using Palo alto firewall

mizhou — Wed, 21 May 2014 07:14:58 GMT

Either 'show session all filer source x.x.x.x destination y.y.y.y' or set the filter in the PCAP should give you the ability of checking the traffic running between two specific hosts.

Re: commands to debug traffic between two host using Palo alto firewall

Gabriel.Nigro — Mon, 13 Jul 2020 01:44:22 GMT

Thanks a Lot.