PAN-88671

L4 Transporter


Hello,

 

In the PANOS 8.0.8 release, you can now disable or enable the L4 checksum checking.

How do I check if my 5200 firewall L4 checksum is enabled or disabled?

How do I check if traffic is dropped due to the L4 checksum?

 

Thanks,

 

E

Community Manager

Re: PAN-88671

 

enabled
admin@PA-5250> show system state | match l4
cfg.hw.fe100: { 'cfg_mode': 4, 'l4_chk_sum': 1, 'usecase': 1, 'v4_v6_choice': 2, }

disabled
admin@PA-5250> show system state | match l4
cfg.hw.fe100: { 'cfg_mode': 4, 'l4_chk_sum': 0, 'usecase': 1, 'v4_v6_choice': 2, }

 

These counters will increment when the firewall discards packets: flow_fpga_rcv_igr_L4CHKSUMERR


Help the community: Like helpful comments and mark solutions
Reaper out
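
As an added example (not part of the original posts and not Palo Alto Networks code), the check described in the reply above can be scripted over saved CLI output, for instance when auditing several firewalls. The function names and the sample text are constructed; the counter row layout (name first, value second) is an assumption.

```python
import re

# Counter names quoted in this thread.
DROP_COUNTERS = ("flow_fpga_rcv_igr_L4CHKSUMERR", "flow_fpga_ingress_exception_err")

# Constructed sample. The state line follows the form shown in the thread;
# the counter row (name, then value) is an assumed, simplified layout.
SAMPLE = """\
admin@PA-5250> show system state | match l4
cfg.hw.fe100: { 'cfg_mode': 4, 'l4_chk_sum': 1, 'usecase': 1, 'v4_v6_choice': 2, }
admin@PA-5250> show counter global filter delta yes
flow_fpga_rcv_igr_L4CHKSUMERR    12
"""

STATE_RE = re.compile(r"^cfg\.hw\.fe100:\s*\{(.*)\}\s*$")
PAIR_RE = re.compile(r"'([^']+)':\s*(-?\d+)")


def l4_checksum_state(text):
    """Return 'enabled', 'disabled' or 'unknown' from saved CLI output."""
    for line in text.splitlines():
        m = STATE_RE.match(line.strip())
        if not m:
            continue
        # The body is a brace-wrapped list of 'key': int pairs with a trailing comma.
        fields = {k: int(v) for k, v in PAIR_RE.findall(m.group(1))}
        value = fields.get("l4_chk_sum")
        if value == 1:
            return "enabled"
        if value == 0:
            return "disabled"
    return "unknown"


def drop_counters(text):
    """Return {counter: value} for the thread's counters that appear in text.

    A counter missing from the output is omitted rather than reported as 0,
    so the caller can tell "not listed" apart from "listed with value 0".
    """
    found = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] in DROP_COUNTERS and parts[1].isdigit():
            found[parts[0]] = int(parts[1])
    return found


if __name__ == "__main__":
    print(l4_checksum_state(SAMPLE), drop_counters(SAMPLE))
```
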
L4 Transporter

Re: PAN-88671

Hi Reaper,

 

I don't see this counter increased (or listed when I run show counter global filter delta yes packet-filter yes) until I have the pre-parse match enabled.

Community Manager

Re: PAN-88671

Then I would think it likely no packets are being discarded by this check in the first place.

Are you seeing this counter pop up: flow_fpga_ingress_exception_err?


L4 Transporter

Re: PAN-88671

None of that counter as well, flow_fpga_ingress_exception_err.

TAC and I compared the packet captures on the firewall vs. on the span port from the switch below the firewall. Packets are getting dropped by the firewall. The counters mentioned were not showing up until you have pre-parse match enabled.

L1 Bithead

Re: PAN-88671

Hi reaper,

 

Could you please tell me when the counter flow_fpga_ingress_exception_err pops up?

Many thanks,

Kairm

Community Manager

Re: PAN-88671

Hi @Karim.Benyelloul

That's a bit of an open-ended question, as I cannot tell you when exactly that counter will pop up; it will be part of a larger set of symptoms rather than a 'this counter increments when x is happening'.

It is counted when an error occurs when the FPGA tries to intake a packet, which can happen due to different reasons.

