System is a PA-3050 running SW version 7.1.7
Does the CLI still show the "Offload: yes" output in 'show session id <session-id-#>' for this version of software?
I recall seeing this flag for certain sessions in prior versions. Lately I have been troubleshooting some issues and have not seen that flag for any of the sessions being viewed. Hardware offloading is enabled (per 'show session info') and many of the sessions are showing layer7 processing completed.
If I have read the Admin guide correctly at least SSL traffic should be offloaded once L7 processing has been completed. However I am not seeing this is the case, unless there are other parameters in the sessions I'm viewing that is causing them to not be offloaded.
Any other areas to check to show which sessions are offloaded? Have not had luck in the GUI session browser, either.
Solved! Go to Solution.
@edwin.s.summers.ctr doesn't look like this is actually monitored anymore; it simply happens at the hardware level if it's on.
Note: Some Palo Alto Networks firewalls include a Hardware Offload feature that optimizes the
handling of traffic. Offloaded traffic will not appear in packet captures in either the WebUI or
the CLI. PA-2000 Series, PA-3050, PA-3060, PA-4000 Series, PA-5000 Series, and PA-7000 Series
firewalls all have this feature. In order to guarantee that all packets are available for capture, a
CLI must be run to temporarily disable Hardware Offload. See the following information for
details and disclosures about CPU impact.
you can see that in the l7proc status if it changes to ctd decode bypass:
admin@myNGFW> show session id 6 Session 6 c2s flow: source: 192.168.0.34 [v1-trust] dst: 198.51.100.1 proto: 6 sport: 56987 dport: 22 state: ACTIVE type: FLOW src user: reaper dst user: unknown qos node: ethernet1/1, qos member Qid 0 match src interface: any match src address: ('any ',) ...
ingress interface : ethernet1/2 egress interface : ethernet1/1 session QoS rule : N/A (class 4) tracker stage l7proc : ctd decoder bypass end-reason : unknown
Thanks, reaper! Is this as well as the various values for the 'tracker stage' field documented? I have not been able to find this using Google and Live searches, and just searched the PANOS 7.1 Admin guide without result either. Greatly appreciated.
No, these are not documented. Most of the l7 stages can have multiple meanings, depending on the state and type of your session, your hardware and configuration and require deep-dive debugging to correctly interpret. Trying to properly document these would be messy and confusing (like, 3d flow-chart confusing ;) ), reading the output of the flow/ctd basic is far more meaningful
if you want to learn more, you should look into flow basic (ctd basic, appid basic, etc) here : Getting Started: Flow Basic
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!