debug flow does not show NAT and threat related drop information


L4 Transporter

Hello

One of our proxy servers was not able to get to the internet. The problem, I later found, was that NAT was not configured for that proxy server.

To troubleshoot the issue, I just enabled debug flow for that proxy using filters, but the output of the debug was not showing any information related to NAT. It was just showing that the route lookup and policy lookup were fine.

My question is: how do I get NAT-related information or threat-related information (like a traffic drop due to an IPS signature match) in debug flow?


Accepted Solutions

Cyber Elite

Here's a good starter: Getting Started: Flow Basic

If you set flow basic

> debug dataplane packet-diag set log feature flow basic 

you will capture the basic flow, so outbound and inbound packets, including NAT.

You mentioned NAT was not configured, so that would also mean flow basic will not return NAT properties.

For additional information regarding your flow, you will need to enable different log features:

admin@myNGFW> debug dataplane packet-diag set log feature 
> all        all 
> appid      appid 
> cfg        cfg 
> ctd        ctd 
> flow       flow 
> misc       misc 
> module     module 
> pow        pow 
> proxy      proxy 
> ssl        ssl 
> tcp        tcp 
> tunnel     tunnel 
> url_trie   url_trie 
> zip        zip 

So for threat information you would need to enable the 'ctd basic' feature, and for appid the 'appid basic', etc.

Beware that the more features you enable, the noisier the output log will be and the more resources will be required from the dataplane to capture all this information. You will want to set VERY strict filters and keep a close eye on the dataplane CPU usage:

> show running resource-monitor second

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

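The full procedure the reply above describes, as an added example that is not part of the original post: a strict per-host filter, flow basic plus ctd basic, a dataplane CPU check while logging, and cleanup afterwards. The proxy address 10.10.10.5, port 443 and the hostname myNGFW are constructed placeholders; the `#` lines are annotations, not CLI input.

```text
# 1. Start clean so no filter or feature left over from an earlier session skews this capture
admin@myNGFW> debug dataplane packet-diag clear all

# 2. Strict filters: only the proxy host (placeholder 10.10.10.5) towards TCP/443,
#    plus the reverse direction so the return packets of the same session are logged
admin@myNGFW> debug dataplane packet-diag set filter index 1 match source 10.10.10.5 destination-port 443
admin@myNGFW> debug dataplane packet-diag set filter index 2 match destination 10.10.10.5 source-port 443
admin@myNGFW> debug dataplane packet-diag set filter on

# 3. flow basic covers the route, policy and NAT lookups; ctd basic adds the content
#    inspection (threat) verdicts that flow basic alone does not show
admin@myNGFW> debug dataplane packet-diag set log feature flow basic
admin@myNGFW> debug dataplane packet-diag set log feature ctd basic
admin@myNGFW> debug dataplane packet-diag show setting

# 4. Log only while reproducing the problem, and watch dataplane CPU while it runs
admin@myNGFW> debug dataplane packet-diag set log on
admin@myNGFW> show running resource-monitor second
#    ... reproduce the proxy's outbound request from the proxy host ...
admin@myNGFW> debug dataplane packet-diag set log off

# 5. Merge the per-core logs into one file, read it, then remove filters and features
admin@myNGFW> debug dataplane packet-diag aggregate-logs
admin@myNGFW> less dp-log pan_packet_diag.log
admin@myNGFW> debug dataplane packet-diag clear all
```

With NAT absent, the NAT lookup stage in the aggregated log will have nothing to match, which is the symptom the question describes; with a NAT rule in place the translated addresses appear in the same stage.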

4 REPLIES


Thanks!

Hey reaper, do you know of any document that explains those different flow options in more detail?

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

Nothing comprehensive... I'll add this to my to-do list 😉

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization