Packet capture of specific Security Rule?

Reply
L2 Linker

Packet capture of specific Security Rule?

I need to confirm what traffic data (specific DNS Request strings inside the packet) is hitting two specific Security rules, so would like to capture just the traffic that is hitting these rules. Is there any way to do this?

I have run the Packet Capture (in,out,firewall, and drop), filtered to port 53 (DNS), but have no way of knowing WHICH rule the traffic is hitting.

I tried setting one rule to "Block", and was able to see the "Drop" capture traffic for that rule, but my clients started screaming due to legitimate DNS requests failing. Can't do that again.....

L4 Transporter

Re: Packet capture of specific Security Rule?

I think there is no way to specify security rule for packet capturing.

Can you use 'test security-policy-match ...' command instead?

L3 Networker

Re: Packet capture of specific Security Rule?

It is true that you are not able to simply initiate a packet capture with a security rule as the filter criteria.  However, you can do the following:

admin@PA-200> show session all filter rule dns-test

--------------------------------------------------------------------------------

ID      Application    State   Type Flag  Src[Sport]/Zone/Proto (translated IP[Port])

Vsys                                      Dst[Dport]/Zone (translated IP[Port])

--------------------------------------------------------------------------------

13580   dns            ACTIVE  FLOW  NS   192.168.100.50[52160]/trust/17  (10.19.0.107[39841])

vsys1                                     10.0.0.246[53]/untrust  (10.0.0.246[53])

12502   dns            ACTIVE  FLOW  NS   192.168.100.50[49422]/trust/17  (10.19.0.107[62992])

vsys1                                     10.0.0.246[53]/untrust  (10.0.0.246[53])

13571   dns            ACTIVE  FLOW  NS   192.168.100.50[52502]/trust/17  (10.19.0.107[15692])

vsys1                                     10.0.0.246[53]/untrust  (10.0.0.246[53])

13590   dns            ACTIVE  FLOW  NS   192.168.100.50[62261]/trust/17  (10.19.0.107[32684])

vsys1                                     10.0.0.246[53]/untrust  (10.0.0.246[53])

admin@PA-200> show session id 13580

Session           13580

        c2s flow:

                source:      192.168.100.50 [trust]

                dst:         10.0.0.246

                proto:       17

                sport:       52160           dport:      53

                state:       INIT            type:       FLOW

                src user:    unknown

                dst user:    unknown

        s2c flow:

                source:      10.0.0.246 [untrust]

                dst:         10.19.0.107

                proto:       17

                sport:       53              dport:      39841

                state:       INIT            type:       FLOW

                src user:    unknown

                dst user:    unknown

        start time                    : Thu Jun 20 03:48:34 2013

        timeout                       : 30 sec

        total byte count(c2s)         : 95

        total byte count(s2c)         : 152

        layer7 packet count(c2s)      : 1

        layer7 packet count(s2c)      : 1

        vsys                          : vsys1

        application                   : dns 

        rule                          : dns-test

        session to be logged at end   : True

        session in session ager       : False

        session synced from HA peer   : False

        address/port translation      : source + destination

        nat-rule                      : NATOUT(vsys1)

        layer7 processing             : enabled

        URL filtering enabled         : True

        URL category                  : any

        session via syn-cookies       : False

        session terminated on host    : False

        session traverses tunnel      : False

        captive portal session        : False

        ingress interface             : ethernet1/2

        egress interface              : ethernet1/1

        session QoS rule              : N/A (class 4)

admin@PA-200>

"show session all filter rule" will give you the sessions that are currently matching your rule.  You can get the session data by doing "show session id <ID>".

Capturing the actual data will require a packet capture, either on the firewall or another machine.

-chadd.

L5 Sessionator

Re: Packet capture of specific Security Rule?

You can also compared the pcap with traffic log.

Since traffic you look for must be DNS, I would use source port number to identify which packet is corresponding to a specific traffic log.

Traffic log should include rule name as well.

FYI:

This is the way to add column in traffic log in GUI.

https://live.paloaltonetworks.com/docs/DOC-2799

L2 Linker

Re: Packet capture of specific Security Rule?

Thanks for the responses. I DO need to see the acual data inside the packets (looking for which DNS request string is hitting each DNS rule), thus the question regarding packet capture.

I thought of doing the PCAP comparison to the traffic log, but we had over 17,000 DNS capture packets under 2 minutes...  even parsing for time-stamps would be a HUGE undertaking...

L4 Transporter

Re: Packet capture of specific Security Rule?

I found one command that might help you...I hope.

try 'set application dump on rule <rulename> protocol 17 destination-port 53'

you can see green down arrow besides each traffic log after you enter this command

I just mention that if I enter 'set application dump on rule <rulename>', my PAN device somehow collected pcaps for all traffics.

I think only rulename does not work properly.

***Additional Comments***

I confirmed that rulename filter does not work even I specify protocol number and destination number.

This command would not help you.

I apologize for it.

Highlighted
L5 Sessionator

Re: Packet capture of specific Security Rule?

Hi,

Even though you have 17000 DNS packet, I assume source port is sequence or randomized so it should be possible to match pcap and traffic log?

Were you not able to identify which traffic log was made with which pcap?

You can use filter on GUI like following.

( port.src eq xxx ) and ( port.dst eq 53 ) and ( app eq dns )

There is filter function on CLI as well.

admin@PA-200> show log traffic

+ action         action

+ app            app

+ csv-output     csv-output

+ direction      direction

+ dport          dport

+ dst            dst

+ dstuser        dstuser

+ end-time       end-time

+ from           from

+ query          query

+ receive_time   receive_time

+ rule           rule

+ sport          sport

+ src            src

+ srcuser        srcuser

+ start-time     start-time

+ to             to

  |              Pipe through a command

  <Enter>        Finish input

I hope this helps.

L5 Sessionator

Re: Packet capture of specific Security Rule?

One correction. the following filter should be sufficient.


( port.src eq xxx ) and ( app eq dns )


L5 Sessionator

Re: Packet capture of specific Security Rule?

Have you had a chance to review this doc:-

https://live.paloaltonetworks.com/docs/DOC-3601

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!