Palo Alto's Version on ASA Packet-Tracer Command

Reply
L3 Networker

Palo Alto's Version on ASA Packet-Tracer Command

Coming from an ASA back ground I am trying to learn more about troubleshooting in the PA.  From what I learned so far there is no command in the PA that tests the full path of communication similar to packet-capture in the ASA.  When in CLI I see there is a test command that breaks out different components of the communication path.  I can test routing & policies which is great.  Does anyone have a method they use to test different components of the full communication path? Are there certain things to test in an order?  We are going to turn on all next gen features & I want to be prepared for request to troubleshoot why a host cannot access resources outside their own zone & there could be a lot of potential reasons not just layer 3 & 4.  Thanks.

L5 Sessionator

Re: Palo Alto's Version on ASA Packet-Tracer Command

The only thing you need is logs. Enter filters for the session in question and look for any blocked events. Either in each log file seperately (traffic, threat, URL..) or in unified logs. Especially with threat logs keep in mind that source/destination of an event doesn't necesarilly match the direction of session.

L3 Networker

Re: Palo Alto's Version on ASA Packet-Tracer Command

So will logs show every & any specific reason why a session between 2 hosts cannot be successfully connected?  From a firewall perspective of coarse.  For instance if someone on the internet can't get to my web server because I don' I have NAT set up at all or it is not set up correctly.

L7 Applicator

Re: Palo Alto's Version on ASA Packet-Tracer Command

@MarioMarquez,

You would see the traffic hit the Public IP address and then see it either 'age-out' or hit the interzone-default rule. Looking at the associated session ID will show you that it didn't complete a NAT process. 

There is nothing directly compariable to Packet Tracer on the Palo Alto. You'll kind of have to force that out of your mind and just focus on how to actually troubleshoot Palo Alto equipment. The logs will give you everything you need to know, and the test commands will allow you to test the policies and ensure that it'll actually hit a NAT policy, or a Security policy, or any of the like as you put something into production. 

The 'test' commands should just be worked out as part of you deployment process. I have this new website/service and I've completed the NAT and Security rules; does the 'test' statements show that the traffic will match the expected NAT rule, does it show you will match the expected Security rule? There isn't anything as 'full-featured' as packet tracer. 

L3 Networker

Re: Palo Alto's Version on ASA Packet-Tracer Command

Very hlepful thanks!

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!