I have WLC and anchor-WLC with PA firewall in between, I have rule allowing EoIP and wlc-mobility APPs with application-default service selected, I don't see on monitor tab any single packet logged, even though I know for sure it is there, I was able to see it through PA CLI with debug filter set(EoIP example packet below):
Packet received at fastpath stage
Packet info: len 118 port 17 interface 264 vsys 1
wqe index 150956 packet 0x0x7f00173ccdc6
Packet decoded dump:
L2: cc:ef:48:37:36:30->00:50:56:a9:38:d2, type 0x0800
IP: 10.10.112.10->10.111.2.10, protocol 97
version 4, ihl 5, tos 0x00, len 100,
id 46, frag_off 0x0000, ttl 254, checksum 40711
L4 binary dump: 16 bytes
Can someone explain why it is not seen on monitor tab ?
Solved! Go to Solution.
- Make sure you are logging this traffic. If you think it hits the default intrazone rule you need to explicitly set it to log traffic.
- If this is a long lasting session, check the session browser to see if you can see it there.
- Try to log at session start as well as session end.
Well, I have an explicit rule for internal WLC and anchor WLC with "cisco-wlc-mobility" and "etherip" app and service default setting, i enabled loggin at the start of the session and at the end of the session. I see all kind of management traffic - ping/ssh/snmp - whatever is allowed on the same rule, but as I said previously I dont see any single packet logged for etherip and udp 16666.
I removed internal WLC from mobility group at anchor WLC, and added it back - to re-establish the traffic flows, so I consequently saw control/data path down and then they went up, still no single packet appeared for etherip nor mobility in monitor tab.. I am lost. For me it looks like a bug, this is 7.1.20 version of PAN-OS. i dont beleive that traffic flow should hit inter-zone rule, because I have specific rule on top of the rulebase, is there a way to find out in CLI which rule hits the traffic flow ?
Have you looked in the "session browser" for the session? It will show which rule is being hit.
Otherwise you can "test" the security policy in CLI by using some of the test commands (https://docs.paloaltonetworks.com/pan-os/7-1/pan-os-cli-quick-start/use-the-cli/test-policy-matches....)
Yes test shows that protocol 97 and udp/16666 matching same rule as other traffic, only other traffic is logged and these types aren't ;). Very odd, especially udp/16666 which is normal udp traffic and should be logged as any other.. I can understand some issues with protocol 97 as it is not that common..
I found 'session browser' and there are both etherip and udp/16666 flows present, I did not figure it out earlier because I was using Panorama and it does not have 'session browser', when I switched to firewall direct I found it.
Probably I do not see etherip/mobility on monitor tab because session never ends/start as it is, or I need to disable mobility group for a much longer time for firewall to remove stale session and add log to monitor tab about started mobility session.
Thanks a lot.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!