PA equivalent of ASA packet tracer?

L0 Member

One of the more useful features in troubleshooting on the PIX/ASA (which we used until recently) is the packet tracer, which allows us to enter source/destination IP/port, etc and check to see if a given connection is allowed or blocked, and by which rule. Is there an equivalent feature in the PA units?

L2 Linker

Re: PA equivalent of ASA packet tracer?

Hi Phil,

We have a very useful packet capture tool embedded in PAN-OS (Monitor tab --> Packet Capture in the GUI).

You can configure several filters and capture traffic at different processing stages (receive, transmit, drop and firewall).

To get security rule matching for a given traffic, you can also use the #test security-policy-match command from the CLI.

Best Regards

-Nicolas

L6 Presenter

Re: PA equivalent of ASA packet tracer?

Speaking of which, what about decrypted traffic?

Can that be captured as well, and if not, if filing this as a feature request, does the hardware support this in some way (or would it just be a waste of time to describe this feature request)?

I guess it could be done because WildFire can get a copy of files transmitted by SSL/HTTPS and send them for analysis.

L2 Linker

Re: PA equivalent of ASA packet tracer?

I'll revive this question, as the answers didn't actually relate.

The Cisco ASA packet tracer allows you to propose a hypothetical flow and runs it through the engine as if it were real, evaluating the NAT and route decisions which would likely apply in addition to the policy/ACL allow/deny logic.

It was very helpful to see if your configured configuration should pass traffic you are planning for prior to the actual traffic arriving.

L7 Applicator

Re: PA equivalent of ASA packet tracer?

Well, it is not that easy with a Layer 7 firewall.

If you want to test the application sharepoint-admin, then the session can go through many steps like incomplete, web-browsing, sharepoint-base, and then gets to sharepoint-admin.

So the test would also need to check if every application your requested application depends on is permitted.

But the test capability is there.

https://live.paloaltonetworks.com/t5/Management-Articles/How-To-Test-Security-NAT-and-PBF-Rules-via-...

Enterprise Architect @ Cloud Carib www.cloudcarib.com
ACE (3.0, 5.0, 6.0, 7.0), PCNSE (6, 7), PCNSI
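To make the two points above concrete (Nicolas's pointer to policy matching from the CLI, and the note that a Layer 7 check must also cover every application the requested one depends on), here is an added example that is not from this thread and not Palo Alto Networks code. It is a small Python "packet tracer" for a hypothetical flow: it evaluates a constructed, PAN-OS-style security rulebase top-down (first match wins, implicit deny at the end) and then repeats the evaluation for each application in the dependency chain, so a rule that permits sharepoint-admin but not sharepoint-base or web-browsing is reported as a block. The rule names, zones, addresses and the dependency table are all constructed sample data, not a real configuration.

```python
"""
Added example (not from the thread or from Palo Alto Networks): a tiny
"packet tracer" that runs a hypothetical flow through a constructed
PAN-OS-style security policy. It mimics first-match evaluation of
zone/address/port/app rules and, as the thread points out for Layer 7
firewalls, also checks that every application the requested application
depends on is permitted (sharepoint-admin -> sharepoint-base -> web-browsing).
Rule names, addresses and the dependency table are constructed sample data.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Rule:
    name: str
    action: str                                              # "allow" or "deny"
    from_zones: set = field(default_factory=lambda: {"any"})
    to_zones: set = field(default_factory=lambda: {"any"})
    sources: list = field(default_factory=lambda: ["any"])   # CIDR strings or "any"
    destinations: list = field(default_factory=lambda: ["any"])
    apps: set = field(default_factory=lambda: {"any"})
    ports: set = field(default_factory=lambda: {"any"})      # "tcp/443" style or "any"


@dataclass
class Flow:
    src_zone: str
    dst_zone: str
    src_ip: str
    dst_ip: str
    port: str        # e.g. "tcp/443"
    app: str


# Constructed application dependency table, following the thread's
# sharepoint-admin -> sharepoint-base -> web-browsing example.
APP_DEPENDS_ON = {
    "sharepoint-admin": ["sharepoint-base"],
    "sharepoint-base": ["web-browsing"],
    "web-browsing": [],
    "ssl": [],
    "dns": [],
}


def _addr_match(candidates, ip):
    """True if ip falls inside any listed CIDR, or the list is 'any'."""
    if "any" in candidates:
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c, strict=False) for c in candidates)


def _set_match(candidates, value):
    return "any" in candidates or value in candidates


def first_match(rules, flow, app=None):
    """Return the first rule (top-down) matching the flow for the given app
    (defaults to flow.app), or None for the implicit deny."""
    app = app or flow.app
    for r in rules:
        if (_set_match(r.from_zones, flow.src_zone)
                and _set_match(r.to_zones, flow.dst_zone)
                and _addr_match(r.sources, flow.src_ip)
                and _addr_match(r.destinations, flow.dst_ip)
                and _set_match(r.ports, flow.port)
                and _set_match(r.apps, app)):
            return r
    return None


def dependency_chain(app):
    """All apps the given app transitively depends on, nearest first."""
    chain, todo = [], list(APP_DEPENDS_ON.get(app, []))
    while todo:
        dep = todo.pop(0)
        if dep not in chain:
            chain.append(dep)
            todo.extend(APP_DEPENDS_ON.get(dep, []))
    return chain


def trace(rules, flow):
    """Evaluate the requested app and each dependency; the session is only
    'allow' when every app in the chain hits an allow rule."""
    results = {}
    for app in [flow.app] + dependency_chain(flow.app):
        r = first_match(rules, flow, app)
        results[app] = (r.name if r else "implicit-deny", r.action if r else "deny")
    blocked = [(a, rule) for a, (rule, act) in results.items() if act != "allow"]
    return {"verdict": "allow" if not blocked else "deny",
            "per_app": results, "blocked_by": blocked}


# Constructed sample rulebase, evaluated top-down like a security policy.
RULES = [
    Rule("block-guest-admin", "deny", {"guest"}, {"dmz"}, apps={"sharepoint-admin"}),
    Rule("allow-web", "allow", {"trust", "guest"}, {"dmz"},
         destinations=["10.0.20.0/24"], apps={"web-browsing", "ssl", "sharepoint-base"},
         ports={"tcp/80", "tcp/443"}),
    Rule("allow-admin", "allow", {"trust"}, {"dmz"}, sources=["10.0.10.0/24"],
         destinations=["10.0.20.10/32"], apps={"sharepoint-admin"}, ports={"tcp/443"}),
]

if __name__ == "__main__":
    flow = Flow("trust", "dmz", "10.0.10.5", "10.0.20.10", "tcp/443", "sharepoint-admin")
    print(trace(RULES, flow))
```

The point to notice is the last assertion-style case: a rulebase that only contains an allow for sharepoint-admin still produces a deny verdict, because the dependencies hit the implicit deny, which is exactly why a single-rule lookup on a Layer 7 firewall can give a misleading answer.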
L6 Presenter

Re: PA equivalent of ASA packet tracer?

Another good point, mate! Not easy to simulate Layer 7 traffic.

L2 Linker

Re: PA equivalent of ASA packet tracer?

I know what you are thinking of in the ASA and I don't think there is a Palo equivalent.

You can source your ping/traceroute and the system will tell you the logical response.

> ping source <ip-address-on-dataplane> host <destination-ip-address>

> traceroute source <ip-address-on-dataplane> host 8.8.8.8

But as everyone else stated, this will only tell you basic networking/services and not check any of the layer 7 policies in place.

****************************************************
ACE 7.0, PCNSE7