packet-diag flow basic “matched rule index 0”

L2 Linker

What does the rule with index number 0 refer to in the packet-diag flow basic output, for both the security and the NAT policy? The ID manager does not show a security or NAT rule with index 0, while show session shows that the traffic matched security policy “General-Internet”, which is index 7, and NAT policy “Student-NAT-Out”, which is index 3.

admin@Student-17> less mp-log pan_packet_diag.log

== 2014-03-25 10:00:50.195 +0000 ==

Packet received at ingress stage

Packet info: len 74 port 17 interface 17 vsys 1

  wqe index 153702 packet 0x0x7f0005c04dc6

Packet decoded dump:

L2:     00:50:56:1d:11:17->00:1b:17:f7:7a:11, type 0x0800

IP:     192.168.17.50->8.8.8.8, protocol 1

        version 4, ihl 5, tos 0x00, len 60,

        id 430, frag_off 0x0000, ttl 128, checksum 10583

ICMP:   type 8, code 0, checksum 6107, id 2, seq 13695

Flow lookup, key word0 0x10005357f0002 word1 0

No active flow found, enqueue to create session

== 2014-03-25 10:00:50.195 +0000 ==

Packet received at slowpath stage

Packet info: len 74 port 17 interface 17 vsys 1

  wqe index 153702 packet 0x0x7f0005c04dc6

Packet decoded dump:

L2:     00:50:56:1d:11:17->00:1b:17:f7:7a:11, type 0x0800

IP:     192.168.17.50->8.8.8.8, protocol 1

        version 4, ihl 5, tos 0x00, len 60,

        id 430, frag_off 0x0000, ttl 128, checksum 10583

ICMP:   type 8, code 0, checksum 6107, id 2, seq 13695

Session setup: vsys 1

PBF lookup (vsys 1) with application ping

Session setup: ingress interface ethernet1/2 egress interface ethernet1/1.217 (zone 4)

NAT policy lookup, matched rule index 0

Policy lookup, matched rule index 0

DP0 is selected to process this session.

Allocated new session 25091.

Packet matched vsys 1 NAT rule 'Student-NAT-Out' (index 1),

source translation 192.168.17.50/2 => 172.16.17.1/2

Created session, enqueue to install

== 2014-03-25 10:00:50.196 +0000 ==

Packet received at fastpath stage

Packet info: len 74 port 17 interface 17 vsys 1

  wqe index 153702 packet 0x0x7f0005c04dc6

Packet decoded dump:

L2:     00:50:56:1d:11:17->00:1b:17:f7:7a:11, type 0x0800

IP:     192.168.17.50->8.8.8.8, protocol 1

        version 4, ihl 5, tos 0x00, len 60,

        id 430, frag_off 0x0000, ttl 128, checksum 10583

ICMP:   type 8, code 0, checksum 6107, id 2, seq 13695

Flow fastpath, session 25091

NAT session, run address/port translation

== 2014-03-25 10:00:50.196 +0000 ==

Packet received at forwarding stage

Packet info: len 74 port 17 interface 17 vsys 1

  wqe index 153702 packet 0x0x7f0005c04dc6

Packet decoded dump:

L2:     00:50:56:1d:11:17->00:1b:17:f7:7a:11, type 0x0800

IP:     172.16.17.1->8.8.8.8, protocol 1

        version 4, ihl 5, tos 0x00, len 60,

        id 430, frag_off 0x0000, ttl 128, checksum 62059

ICMP:   type 8, code 0, checksum 6107, id 2, seq 13695

Forwarding lookup, ingress interface 17

L3 mode, virtual-router 3

Route lookup in virtual-router 3, IP 8.8.8.8

Route found, interface ethernet1/1.217, zone 4, nexthop 172.16.17.254

Resolve ARP for IP 172.16.17.254 on interface ethernet1/1.217

ARP entry found on interface 256

Transmit packet on port 16

admin@Student-17> debug device-server dump idmgr type security-rule all

ID         Name

---------- --------------------

1          Inbound-FTP-Policy

2          General Internet

3          Block-Known-Bad

4          Log-All

5          Deny Inbound

6          VPN Traffic

7          General-Internet

8          Deny-the-rest

9          Chrome-Policy

10         Protect-All

11         permit all

12         Block Firefox

13         Custom Telnet

14         DoS Testing

15         Remote access

16         SuperBackup

17         SSL

18         DNS

19         ping

20         Facebook

21         LinkedIn

22         Pandora

23         Gmail Chat

24         Gmail

25         Deny All

26         Deezer

27         Filedropper

28         Google Maps

29         Block ping

30         Explicit Deny

31         Block Ping

32         Test

Type: 13 Last id: 33 Mismatch cnt: 0

admin@Student-17> debug device-server dump idmgr type nat-rule all

ID         Name

---------- --------------------

1          Student Source NAT

2          Inbound-FTP-NAT

3          Student-NAT-Out

4          DoS Testing

5          Martin One

6          Martin Two

7          Test

8          Static-NAT

9          DOS

10         15.15.15.15

11         Default

12         RDP-Student1

Type: 14 Last id: 13 Mismatch cnt: 0

admin@Student-17> show session id 25091

Session           25091

        c2s flow:

                source:      192.168.17.50 [Trust-L3]

                dst:         8.8.8.8

                proto:       1

                sport:       2               dport:      63474

                state:       INIT            type:       FLOW

                src user:    unknown

                dst user:    unknown

        s2c flow:

                source:      8.8.8.8 [Untrust-L3]

                dst:         172.16.17.1

                proto:       1

                sport:       63474           dport:      2

                state:       INIT            type:       FLOW

                src user:    unknown

                dst user:    unknown

        start time                    : Tue Mar 25 23:57:42 2014

        timeout                       : 6 sec

        total byte count(c2s)         : 74

        total byte count(s2c)         : 78

        layer7 packet count(c2s)      : 1

        layer7 packet count(s2c)      : 1

        vsys                          : vsys1

        application                   : ping

        rule                          : General-Internet

        session to be logged at end   : True

        session in session ager       : False

        session synced from HA peer   : False

        address/port translation      : source + destination

        nat-rule                      : Student-NAT-Out(vsys1)

        layer7 processing             : enabled

        URL filtering enabled         : False

        session via syn-cookies       : False

        session terminated on host    : False

        session traverses tunnel      : False

        captive portal session        : False

        ingress interface             : ethernet1/2

        egress interface              : ethernet1/1.217

        session QoS rule              : N/A (class 4)

        tracker stage firewall        : Aged out

L3 Networker

Re: packet-diag flow basic “matched rule index 0”

The reason for the discrepancy is due to the difference between A) the totality of rules that the ID manager tracks and the subset of rules that are in the current running configuration and B) the ID manager starting with "1" and the assessment of the running configuration by flow basic starting at "0".

Thus, although the ID manager is tracking "General-Internet" as index 7, the current running configuration does not include any of the rules from indexes 1-6. "General-Internet" is the first rule in the running configuration. And because the numbering reported based on the running configuration starts at 0, instead of 1, "0" is the index of the General-Internet rule in the running configuration.

The same story applies to the NAT rule Student-NAT-Out. It's likely the only NAT rule running. The prior rules were created during deployment and replaced during testing. Student-NAT-Out is now the first rule listed in the running configuration, and the first number is 0.

To examine the current running configuration with some efficiency, see:

https://live.paloaltonetworks.com/t5/Management-Articles/How-to-Decipher-Index-Numbers-in-Flow-Basic...
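As an added example (not part of this thread, and not Palo Alto Networks code), here is a small Python script that applies the explanation above. It parses the two "matched rule index" lines from the flow basic log and the idmgr dumps posted in the question, then looks the 0-based index up in the running-config rule order to recover the rule name and its idmgr ID. The running-config order in the script is an assumption for illustration, since the thread does not include `show running security-policy` / `show running nat-policy` output; on a real box you would fill those two lists from that output. The later `Packet matched vsys 1 NAT rule ... (index 1)` line is deliberately left alone, as the answer only addresses the two lookup lines.

```python
"""Map PAN-OS flow basic rule indexes to rule names and idmgr IDs.

Added example for this thread, not Palo Alto Networks code. It encodes the
explanation in the answer: `debug device-server dump idmgr` IDs are stable,
1-based and include rules no longer in the running config, while the
"matched rule index N" lines in flow basic are 0-based positions in the
running configuration. The running-config order below is an ASSUMPTION
(the thread does not show `show running security-policy` output).
"""
import re

# Constructed excerpt of the pan_packet_diag.log lines from the question.
FLOW_BASIC_LOG = """\
NAT policy lookup, matched rule index 0
Policy lookup, matched rule index 0
Packet matched vsys 1 NAT rule 'Student-NAT-Out' (index 1),
"""

# Constructed, abbreviated copies of the two idmgr dumps from the question.
IDMGR_SECURITY = """\
ID         Name
---------- --------------------
1          Inbound-FTP-Policy
2          General Internet
7          General-Internet
8          Deny-the-rest
Type: 13 Last id: 33 Mismatch cnt: 0
"""
IDMGR_NAT = """\
ID         Name
---------- --------------------
1          Student Source NAT
3          Student-NAT-Out
11         Default
Type: 14 Last id: 13 Mismatch cnt: 0
"""

# ASSUMED running-config rule order, top to bottom: what you would read off
# `show running security-policy` / `show running nat-policy` on the firewall.
RUNNING_SECURITY = ["General-Internet", "Deny-the-rest"]
RUNNING_NAT = ["Student-NAT-Out"]

_ID_LINE = re.compile(r"^(\d+)\s+(.+?)\s*$")
# Anchored at line start so "NAT policy lookup ..." is not mistaken for
# "Policy lookup ..."; both lines end in "policy lookup, matched rule index N".
_LOOKUP = {
    "security": re.compile(r"^Policy lookup, matched rule index (\d+)", re.M),
    "nat": re.compile(r"^NAT policy lookup, matched rule index (\d+)", re.M),
}


def parse_idmgr(dump: str) -> dict:
    """Return {rule name: idmgr ID}. Rule names may contain spaces, so only
    the first run of whitespace separates ID from name; the header, the
    dashed line and the 'Type:' footer do not match the pattern."""
    ids = {}
    for line in dump.splitlines():
        m = _ID_LINE.match(line)
        if m:
            ids[m.group(2)] = int(m.group(1))
    return ids


def parse_flow_basic(log: str) -> dict:
    """Return the 0-based indexes reported by the two lookup lines."""
    found = {}
    for kind, rx in _LOOKUP.items():
        m = rx.search(log)
        if m:
            found[kind] = int(m.group(1))
    return found


def resolve(index: int, running_order: list) -> str:
    """Translate a flow basic index into a rule name: position `index`
    (0-based) in the running-config order. An index past the end means the
    assumed order is stale, so fail loudly rather than guess."""
    if not 0 <= index < len(running_order):
        raise IndexError(f"index {index} is outside a running config of "
                         f"{len(running_order)} rules; re-check the rule order")
    return running_order[index]


def explain(log: str = FLOW_BASIC_LOG) -> dict:
    """Tie the pieces together: flow basic index -> rule name -> idmgr ID."""
    idx = parse_flow_basic(log)
    sec_ids, nat_ids = parse_idmgr(IDMGR_SECURITY), parse_idmgr(IDMGR_NAT)
    result = {}
    for kind, order, ids in (("security", RUNNING_SECURITY, sec_ids),
                             ("nat", RUNNING_NAT, nat_ids)):
        name = resolve(idx[kind], order)
        result[kind] = {"flow_index": idx[kind], "rule": name,
                        "idmgr_id": ids.get(name)}
    return result


if __name__ == "__main__":
    for kind, info in explain().items():
        print(f"{kind:8s} flow basic index {info['flow_index']} -> "
              f"'{info['rule']}' (idmgr ID {info['idmgr_id']})")
```

Note that the idmgr dump contains both "General Internet" (ID 2) and "General-Internet" (ID 7); the parser keeps them apart because it splits only on the first run of whitespace, and the session output in the question names the hyphenated one. With the assumed running order the script reports security index 0 as General-Internet (idmgr ID 7) and NAT index 0 as Student-NAT-Out (idmgr ID 3), which is exactly the pairing the asker saw in show session.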
