How to setup pan to inspect/monitor wireless traffic

Showing results for 
Show  only  | Search instead for 
Did you mean: 
Please sign in to see details of an important advisory in our Customer Advisories area.

How to setup pan to inspect/monitor wireless traffic

Not applicable

I am currently running a PA-500 in IPS mode and is setup as a VWire behind my ASA. I have an environment that consist of a Cisco wireless controller and APs. How do I monitor my wireless traffic or better yet how do i setup policies for this?

By the way I had a conversation with support this morning and it went no where.


Not applicable

My question has not been answered yet


I think part of what you are asking is really a professional services design question as opposed to a configuration issue.

As far as monitoring your wireless traffic, unless the traffic crosses the wire and passes through either a switch or the PA-500 it won't see the traffic - so any wireless to wireless traffic will not be seen unless you are able to span that traffic out to the PA-500.

Hope that is of some help


Your question is rather broad. Could you give us some more specifics about your implementation?

Are you going to allow all traffic bidirectionally? If not what applications will you allow and in which direction?

Do you need to identify users and map them to IP addresses?

I assume you will be implementing security profiles to block viruses, malware, spyware and attempts to exploit vulnerabilities. Please confirm if you plan to do this?

Do you plan to implement file blocking?

Will you implement data filtering?

Are you going to implement URL filtering? (requires a license)



What I would like to do is create a vwire for the traffic from the controller to the core switch. My problem is that, in doing so traffic is block without any policie setting. How can I set this up?

The anwser to your questions are yes and yes. I would like to setup a vwire or layer 3 interface (if needed) to map ip to users..ect...

Could you please post a screengrab of your security policies?

Once I see that I can give you some specific guidance on most of the questions that you have.




Here is a link to an older configuration document on how to set up a Virtual Wire evaluation

The core concepts have not changed.

You will need a set of policies to pass traffic between the interfaces - the simplest are

1. Zone 1 to Zone 2 allow any address to any application and services

2. Zone 2 to Zone 1 allow any address to any application and services

You can add complexity with more rules as you go.

Hope that helps



1. setup vwire on ethernet0/5 and ethernet0/6 with (both) trusted interface

2. no policies where applied to either interface

3. from the lan I could not browse to controller nor see broadcast SSIDs

P -

You will still need to configure a trust to trust rule. Traffic passing between interfaces on a Palo Alto Firewall still needs to have zone relative rules to allow the traffic to pass.

Since you do not have a security policy from trust to trust, no traffic is passing.


Will let you know the outcome of this soon, thank you.

  • 10 replies
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!