commands to debug traffic between two host using Palo alto firewall

Reply
Highlighted
L4 Transporter

commands to debug traffic between two host using Palo alto firewall

Can some one help with documentation with running debug  commands on palo alto firewalls.

For example syntax to monitor traffic between two particular host.

Thanks for help in advance.

SD-WAN | Cloud Networking | PCNSE | ICSI CNSS | MCNA | | CCNP | CCSA | SPSP | SPSX | F5-101 | CCIE-SEC-Attempted
Highlighted
L5 Sessionator

Hi Mandar,

You can use following document for detailed description :

How to Run a Packet Capture

You can also run "show session all filter source <ip> destination <ip>" to view the traffic flow through the device. You can narrow it down to zones, ports and application. HTH

L6 Presenter

something more granular but be sure to confirm filter is enabled and to clear the debugging when you're done. This can be intrusive debugging so doing it carefully is highly recommended

Packet Capture, Debug Flow-basic and Counter Commands

Highlighted
L5 Sessionator

Below are the steps that i would take to troubleshoot but be sure to turn off all the debugging after you are done. Since this is CPU intensive and make sure setup filter on traffic that you are interested in debugging.


Hope this helps.
Thanks

Numan

1. Need to setup the filters for the traffic we are interested in. To do this, execute the following steps:

Navigate to Monitor--Packet Capture

Click 'Manage Filters'

Set Filter ID 1 to be the source IP and destination IP of traffic you feel is affected ( leave all other fields blank )

Set Filter ID 2 to be the exact inverse of what you did in step 3 (destination IP in source field, Source IP in destination field)

2. Setup up the captures

Create and name the file stage for a packet capture on all the stages (receive, transmit, firewall and drop)

3. setup the flow basic

debug dataplane packet-diag set log feature flow basic

debug dataplane packet-diag set log feature ctd basic

4. Clear old logs flow basic logs

debug dataplane packet-diag clear log log

5. Enable filters, captures and logs

debug dataplane packet-diag set filter on

debug dataplane packet-diag set capture on

debug dataplane packet-diag set log on

6. open 3 CLI windows

on 1 run the following command to look at the counter ( make sure it run this command once before running the traffic)

show counter global filter packet-filter yes delta yes

on the 2nd window run the following command to look at he sessions

show session all filter source <ip address> destination <ip address>

On the 3rd window run the tail for the flow basic

tail follow yes dp-log pan_task_*

7. Now run the test  while it fails .

8. Turn off all the debugging that was enabled

debug dataplane packet-diag set log off

debug dataplane packet-diag set filter off

debug dataplane packet-diag set capture off

9. Aggregate the flow basic logs

CLI command (be sure to do this AFTER disabling the data plane debug logging such as flow basic):

debug dataplane packet-diag aggregate-logs

Highlighted
L2 Linker

Either 'show session all filer source x.x.x.x destination y.y.y.y' or set the filter in the PCAP should give you the ability of checking the traffic running between two specific hosts.

Highlighted
L0 Member

Thanks a Lot.

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!