Basics of Traffic Monitor Filtering

by Community Manager ‎09-30-2015 01:23 PM - edited ‎10-10-2016 12:30 AM (138,952 Views)

Need help searching log files? Use filter expressions to sort out unnecessary logs and display only the log entries you need. Filters can also be combined using 'and', 'or' and parentheses ( ) to fine-tune your search. User gmchenry provides some helpful tips about using filters to make searching a little easier.

 


Filtering Methods and Examples

This document demonstrates several methods of filtering and looking for specific types of traffic on Palo Alto Networks firewalls. Categories of filters include host, zone, port, date/time, interface and action. At the end of the list, we include a few examples that combine various filters for more comprehensive searching.

 

Following are a few basic filter ideas to get you started.

 

Host Traffic Filter Examples

 

     FROM HOST a.a.a.a

          (addr.src in a.a.a.a)

          example: (addr.src in 1.1.1.1) 

          Explanation: shows all traffic from a host whose source IP address matches 1.1.1.1

 

     TO HOST b.b.b.b

          (addr.dst in b.b.b.b)

          example: (addr.dst in 2.2.2.2) 

          Explanation: shows all traffic with a destination address of a host that matches 2.2.2.2

 

     FROM HOST a.a.a.a TO HOST b.b.b.b

          (addr.src in a.a.a.a) and (addr.dst in b.b.b.b)

          example: (addr.src in 1.1.1.1) and (addr.dst in 2.2.2.2)

          Explanation: shows all traffic coming from a host with an IP address of 1.1.1.1 and going to a host with a destination address of 2.2.2.2

 

     FROM HOST RANGE a.a.a.a/CIDR

          NOTE: You cannot specify an actual address range, but you can use CIDR notation to specify a network range of addresses

          (addr.src in a.a.a.a/CIDR)

          example:  (addr.src in 10.10.10.2/30)

          Explanation:  shows all traffic coming from addresses ranging from 10.10.10.1 - 10.10.10.3.

 

     TO or FROM HOST a.a.a.a

          (addr in a.a.a.a)

          example: (addr in 1.1.1.1) 

          Explanation: shows all traffic with a source OR destination address of a host that matches 1.1.1.1

 

 

Zone Traffic Filter Examples

 

     FROM ZONE zone_a

          (zone.src eq zone_a)

          example: (zone.src eq PROTECT)

          Explanation: shows all traffic coming from the PROTECT zone

 

     TO ZONE zone_b

          (zone.dst eq zone_b)

          example: (zone.dst eq OUTSIDE)

          Explanation: shows all traffic going out to the OUTSIDE zone

 

     FROM ZONE zone_a TO ZONE zone_b

          (zone.src eq zone_a) and (zone.dst eq zone_b)

          example: (zone.src eq PROTECT) and (zone.dst eq OUTSIDE)

          Explanation: shows all traffic traveling from the PROTECT zone and going out to the OUTSIDE zone

 

 

Port Traffic Filter Examples

 

     FROM PORT aa

          (port.src eq aa)

          example: (port.src eq 22)

          Explanation: shows all traffic traveling from source port 22

 

     TO PORT aa

          (port.dst eq aa)

          example: (port.dst eq 25)

          Explanation: shows all traffic traveling to destination port 25

 

     FROM PORT aa TO PORT bb

          (port.src eq aa) and (port.dst eq bb)

          example: (port.src eq 23459) and (port.dst eq 22)

          Explanation: shows all traffic traveling from source port 23459 and traveling to destination port 22

 

     FROM ALL PORTS LESS THAN OR EQUAL TO PORT aa

          (port.src leq aa)

          example: (port.src leq 22)

          Explanation: shows all traffic traveling from source ports 1-22

 

     FROM ALL PORTS GREATER THAN OR EQUAL TO PORT aa

          (port.src geq aa)

          example: (port.src geq 1024)

          Explanation: shows all traffic traveling from source ports 1024 - 65535

 

     TO ALL PORTS LESS THAN OR EQUAL TO PORT aa

          (port.dst leq aa)

          example: (port.dst leq 1024)

          Explanation: shows all traffic traveling to destination ports 1-1024

 

     TO ALL PORTS GREATER THAN OR EQUAL TO PORT aa

          (port.dst geq aa)

          example: (port.dst geq 1024)

          Explanation: shows all traffic traveling to destination ports 1024-65535

 

     FROM PORT RANGE aa THROUGH bb

          (port.src geq aa) and (port.src leq bb)

          example: (port.src geq 20) and (port.src leq 53)

          Explanation: shows all traffic traveling from source port range 20-53

 

     TO PORT RANGE aa THROUGH bb

          (port.dst geq aa) and (port.dst leq bb)

          example: (port.dst geq 1024) and (port.dst leq 13002)

          Explanation: shows all traffic traveling to destination ports 1024 - 13002

 

 

Date/Time Traffic Filter Examples

 

     ALL TRAFFIC FOR A SPECIFIC DATE yyyy/mm/dd AND TIME hh:mm:ss

          (receive_time eq 'yyyy/mm/dd hh:mm:ss')

          example: (receive_time eq '2015/08/31 08:30:00')

          Explanation: shows all traffic that was received on August 31, 2015 at 8:30am

 

     ALL TRAFFIC RECEIVED ON OR BEFORE THE DATE yyyy/mm/dd AND TIME hh:mm:ss

          (receive_time leq 'yyyy/mm/dd hh:mm:ss')

          example: (receive_time leq '2015/08/31 08:30:00')

          Explanation: shows all traffic that was received on or before August 31, 2015 at 8:30am

 

     ALL TRAFFIC RECEIVED ON OR AFTER THE DATE yyyy/mm/dd AND TIME hh:mm:ss

          (receive_time geq 'yyyy/mm/dd hh:mm:ss')

          example: (receive_time geq '2015/08/31 08:30:00')

          Explanation: shows all traffic that was received on or after August 31, 2015 at 8:30am

 

     ALL TRAFFIC RECEIVED BETWEEN THE DATE-TIME RANGE OF yyyy/mm/dd hh:mm:ss AND YYYY/MM/DD HH:MM:SS

          (receive_time geq 'yyyy/mm/dd hh:mm:ss') and (receive_time leq 'YYYY/MM/DD HH:MM:SS')

          example: (receive_time geq '2015/08/30 08:30:00') and (receive_time leq '2015/08/31 01:25:00')

          Explanation: shows all traffic that was received between August 30, 2015 8:30am and August 31, 2015 01:25am

 

 

Interface Traffic Filter Examples

 

     ALL TRAFFIC INBOUND ON INTERFACE interface1/x

          (interface.src eq 'ethernet1/x')

          example: (interface.src eq 'ethernet1/2')

          Explanation: shows all traffic that was received on the PA Firewall interface Ethernet 1/2

 

     ALL TRAFFIC OUTBOUND ON INTERFACE interface1/x

          (interface.dst eq 'ethernet1/x')

          example: (interface.dst eq 'ethernet1/5')

          Explanation: shows all traffic that was sent out on the PA Firewall interface Ethernet 1/5

 

 

Allowed/Denied Traffic Filter Examples

 

     ALL TRAFFIC THAT HAS BEEN ALLOWED BY THE FIREWALL RULES

          (action eq allow)

          OR

          (action neq deny)

          example: (action eq allow)

          Explanation: shows all traffic allowed by the firewall rules. Placing the letter 'n' in front of 'eq' means 'not equal to,' so anything not equal to 'deny' is displayed, which is any allowed traffic.

 

     ALL TRAFFIC DENIED BY THE FIREWALL RULES

          (action eq deny)

          OR

          (action neq allow)

          example: (action eq deny)

          Explanation: shows all traffic denied by the firewall rules. Placing the letter 'n' in front of 'eq' means 'not equal to,' so anything not equal to 'allow' is displayed, which is any denied traffic.

 

 

Combining Traffic Filter Examples

 

     ALL TRAFFIC FROM ZONE OUTSIDE AND NETWORK 10.10.10.0/24 TO HOST ADDRESS 20.20.20.21 IN THE PROTECT ZONE:

          (zone.src eq OUTSIDE) and (addr.src in 10.10.10.0/24) and (addr.dst in 20.20.20.21) and (zone.dst eq PROTECT)

 

     ALL TRAFFIC FROM HOST 1.2.3.4 TO HOST 5.6.7.8 FOR THE TIME RANGE 8/30-31/2015

          (addr.src in 1.2.3.4) and (addr.dst in 5.6.7.8) and (receive_time geq '2015/08/30 00:00:00') and

          (receive_time leq '2015/08/31 23:59:59')

 

Thank you, Glenn, for sharing this with us!

 

A good practice when drilling down into the traffic log, when the search starts off with little to no information, is to begin with the least specific filter and add filters to make the search more specific.

 

When troubleshooting, instead of directly filtering for a specific app, try filtering for all apps except the ones you know you don't need, for example '(app neq dns) and (app neq ssh)'.

 

You can also exclude protocols you don't need, (proto neq udp), or IP ranges, (addr.src notin 192.168.0.0/24).

 

This practice helps you drill down to the traffic of interest without losing an overview by searching too narrowly from the start.
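As an added example (not from the original post or from Palo Alto Networks), here is a small Python evaluator for the filter syntax the post describes, run over constructed log rows: it handles eq/neq/leq/geq, in/notin with CIDR membership, has, and 'and'/'or' with parentheses, covering both the combined filters above and the 'neq'/'notin' exclusion tips. The field names, the sample rows, the search() helper and the assumption that 'and' binds tighter than 'or' are illustrative choices; the firewall's own parser decides real precedence, which is why the post recommends parentheses.

```python
import ipaddress, operator, re
from collections import deque

CMP = {"eq": operator.eq, "neq": operator.ne, "leq": operator.le, "geq": operator.ge}  # comparison ops
# One leaf clause: (field op value); 'in'/'notin' test addresses, 'has' tests flags, the rest compare.
CLAUSE = re.compile(r"\(\s*([\w.]+)\s+(eq|neq|leq|geq|in|notin|has)\s+('[^']*'|[^\s)']+)\s*\)")

def clause(row, field, op, raw):
    raw = raw.strip("'")
    if field.startswith("addr"):
        net = ipaddress.ip_network(raw, strict=False)       # a single host or a CIDR range
        sides = ("addr.src", "addr.dst") if field == "addr" else (field,)
        hit = any(ipaddress.ip_address(row[s]) in net for s in sides)
        return hit if op == "in" else not hit
    if op == "has":                                          # e.g. (flags has pcap)
        return raw in row[field]
    want = int(raw) if field.startswith("port") else raw     # ports compare as numbers,
    return CMP[op](row[field], want)                         # 'yyyy/mm/dd hh:mm:ss' times as strings

def evaluate(expr, row):
    # Reduce every leaf clause to T/F first, so only and / or / ( ) are left to fold.
    reduced = CLAUSE.sub(lambda m: "T" if clause(row, *m.groups()) else "F", expr)
    toks = deque(re.findall(r"\(|\)|\w+", reduced))
    def atom():                          # T, F, or a parenthesised sub-expression
        tok = toks.popleft()
        if tok != "(":
            return tok == "T"
        val = disj(); toks.popleft()     # consume the closing ')'
        return val
    def conj():                          # atom ('and' atom)*
        val = atom()
        while toks and toks[0] == "and":
            toks.popleft(); val = atom() and val
        return val
    def disj():                          # conj ('or' conj)*; 'and' binds tighter than 'or' (assumed)
        val = conj()
        while toks and toks[0] == "or":
            toks.popleft(); val = conj() or val
        return val
    return disj()

# Constructed sample rows (not real firewall output) to run the post's filters against.
FIELDS = ("addr.src", "addr.dst", "zone.src", "zone.dst", "port.dst", "action", "app", "receive_time", "flags")
LOGS = [dict(zip(FIELDS, r)) for r in [
    ("10.10.10.5", "20.20.20.21", "OUTSIDE", "PROTECT", 22, "allow", "ssh", "2015/08/31 08:30:00", "pcap"),
    ("192.168.1.2", "17.1.2.3", "PROTECT", "OUTSIDE", 443, "deny", "ssl", "2015/08/30 23:00:00", ""),
    ("192.168.1.3", "198.51.100.9", "PROTECT", "OUTSIDE", 53, "deny", "dns", "2015/09/01 00:00:00", ""),
]]
def search(expr, rows=LOGS):
    return [i for i, row in enumerate(rows) if evaluate(expr, row)]   # indexes of matching rows
```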

 

I hope you enjoyed learning about filters. Feel free to comment in the section below if you have filters you'd like to share.

 

 

Bonus filter: 

To find logs that have a packet capture: (flags has pcap)

 

 

Till next time--

Tom Piens

Comments
by chmotley
on ‎05-25-2016 06:40 AM

Small edit needed on the outbound interface filter.

 

ALL TRAFFIC OUTBOUND ON INTERFACE interface1/x

          (interface.src eq 'ethernet1/x') -> (interface.dst eq 'ethernet1/x')

          example: (interface.dst eq 'ethernet1/5')

by joey.officer
on ‎12-05-2016 11:39 AM

Great article, but what about if you want to exclude an IP range? For action you can change 'eq' to 'neq' for not-equal, but what is the correct syntax for excluding an IP? I know the request might not make sense, but in this case I'm looking for blocked traffic other than a known net block.

 

For a specific example:

 

The following filter finds blocked traffic from 192.168.1.2 and 192.168.1.3 destined for 17.0.0.0/8 (apple's netblock)

(( addr.src in 192.168.1.2 ) or ( addr.src in 192.168.1.3 )) and ( action eq deny ) and ( addr.dst in 17.0.0.0/8)

 

but, I want to find blocked traffic excluding the Apple netblock traffic, something similar to the 'neq' for IP CIDRs.

by jwolach
on ‎12-05-2016 11:52 AM

joey.officer,

 

That's easy. Just use the same query but, instead of (addr.dst in 17.0.0.0/8) use (addr.dst notin 17.0.0.0/8) and it will give you all the blocked traffic from the two source addresses (192.168.1.2 & 192.168.1.3) destined for any address except for the 17.0.0.0/8 network.

 

(( addr.src in 192.168.1.2 ) or ( addr.src in 192.168.1.3 )) and ( action eq deny ) and ( addr.dst notin 17.0.0.0/8)

