This document describes what is excluded from packet captures taken on the Palo Alto Networks firewall due to session offloading and how to disable session offloading temporarily to capture all traffic.
Packet captures in PAN-OS are performed entirely by the dataplane CPU. During the ingress stage the firewall performs packet parsing checks, and any packet discarded at that step never reaches the capture. Any traffic the firewall offloads is also absent from the capture, because offloaded sessions bypass the dataplane CPU. Traffic that can be offloaded includes encrypted traffic that is not being decrypted (SSL/SSH), routing protocols (OSPF, BGP, RIP), sessions matched by an application override, and sessions whose application has been fully identified (terminating applications). For more information on session offloading, see: Why and When are Sessions Offloaded?
When troubleshooting an issue that requires a packet capture of all traffic, offloading can be temporarily disabled. Disabling session offload forces every session to be processed by the dataplane CPU. Use the following operational-mode CLI command to disable offloading temporarily:
> set session offload no
Warning! Care should be taken before disabling the session offload feature: disabling offloading increases dataplane CPU utilization. If the dataplane CPU is already high, schedule a maintenance window first. Some types of sessions are never offloaded regardless of this setting, for example ARP, all non-IP traffic, IPSec and VPN sessions, and TCP SYN, FIN, and RST packets. Traffic that requires content inspection (scanning) is likewise never offloaded and therefore always appears in the packet capture.
After the packet captures are complete, please make sure to re-enable session offload:
> set session offload yes
The command "set session offload no" is executed in operational mode and is not persistent: it does not survive a commit or a device reboot. If a manual commit is performed, an auto-commit is triggered, or the device is rebooted, the session offload setting reverts to its default, which is enabled.
To make the setting persistent so that it survives a commit or reboot, configure it from configuration mode with the following commands:
> configure
# set deviceconfig setting session offload no
# commit
To revert the change made from configuration mode, execute the following commands:
# set deviceconfig setting session offload yes
# commit
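The following shell script is an added example, not part of this article and not Palo Alto Networks code. It wraps the temporary-disable workflow described above so that offload is re-enabled automatically when the capture finishes or is aborted, which is the step most often forgotten. It assumes a reachable firewall hostname and admin user (placeholders), that PAN-OS accepts a single operational command as the SSH remote command string, and that the "Hardware session offloading: True/False" line of the `show session info` output reflects the current offload state; the sample output embedded in the script is constructed, not captured from a device.

```shell
#!/bin/sh
# Added example: guard the temporary "set session offload no" workflow.
# Assumptions (not from the article): FW_HOST/FW_USER placeholders, PAN-OS
# accepting one operational command via ssh, and the "Hardware session
# offloading:" line of `show session info`.
set -eu

FW_HOST="${FW_HOST:-firewall.example.com}"   # assumed placeholder
FW_USER="${FW_USER:-admin}"                   # assumed placeholder

# Send one operational-mode command to the firewall and return its output.
pan_cli() {
    ssh -o BatchMode=yes "$FW_USER@$FW_HOST" "$1"
}

# Constructed sample of the relevant part of `show session info` (offload on).
SAMPLE_SESSION_INFO='Session setup
  TCP - reject non-SYN first packet:   True
  Hardware session offloading:         True
  Hardware UDP session offloading:     True'

# Same constructed sample with offload turned off.
SAMPLE_SESSION_INFO_DISABLED='Session setup
  TCP - reject non-SYN first packet:   True
  Hardware session offloading:         False
  Hardware UDP session offloading:     False'

# Return 0 if the given `show session info` output says offload is enabled.
offload_enabled() {
    printf '%s\n' "$1" | grep -qiE '^ *Hardware session offloading: *True *$'
}

# Print the CLI command sequence for the requested mode, one command per line.
#   temporary  : operational mode, reverts on commit or reboot
#   persistent : configuration mode, survives commit and reboot
# $2 is the desired state, "yes" or "no". "exit" leaves configuration mode.
offload_commands() {
    case "$1" in
        temporary)  printf 'set session offload %s\n' "$2" ;;
        persistent) printf 'configure\nset deviceconfig setting session offload %s\ncommit\nexit\n' "$2" ;;
        *) echo "unknown mode: $1" >&2; return 2 ;;
    esac
}

# Disable offload only if it is currently on, register the re-enable command
# to run on exit (normal completion, error, or Ctrl-C), then run the capture
# command passed as arguments.
capture_with_offload_disabled() {
    info=$(pan_cli 'show session info')
    if offload_enabled "$info"; then
        pan_cli "$(offload_commands temporary no)"
        trap 'pan_cli "set session offload yes"' EXIT INT TERM
    else
        echo 'session offload already disabled; leaving it unchanged' >&2
    fi
    "$@"
}

# Only contact the firewall when explicitly asked, e.g.:
#   ./offload_guard.sh run ./my_capture_procedure.sh
case "${1:-}" in
    run) shift; capture_with_offload_disabled "$@" ;;
esac
```

The EXIT trap is what makes this safer than typing the two commands by hand: the firewall is returned to its default state even if the capture script fails halfway. Because the operational-mode setting also reverts on any commit, the wrapper deliberately uses the temporary form; if you need the persistent form, `offload_commands persistent no` prints the configuration-mode sequence, and you must then revert it yourself with `offload_commands persistent yes`.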