Hello To All,
I will create a short summary about how to do basic checks if the palo alto drops or slows down the traffic.
1. First the pcap capture on the drop stage will show if the firewall drops the traffic and after that we check why the firewall drops the traffic. If the issue is slowness doing a pcap capture in transmit and receive state and you can save/merge them to the sae file and compare if there slowness because of the firewall:
For issues with a managment traffic or something like SNMP, DNS, etc. do tcpdump on the managment IP (if you have not changed the dafult settings for the DNS, SNMP or other services to use a data plane interface) as the normal pcap will not work https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CleECAS
2. After the pcap and for example if a drop or slowness is confurmed to be because of the firewall use the same capture filter for to check the global counters:
3. If the global counters show a drop because of a policy, do policy trace. If the global counters show that there is routing issue, just do a routing test and if you have PBF, also test it:
4. If the issue is still not known use Flow Basic (flow_basic) with the same pcap filters (it could can utilize the CPU, so have good pcap filters).
5. Also for slowness issues just in case check the DNS resolution, Wildfire, URL filtering database, etc. or the authentication (depends on what you have and what you are using and this are issues on layer 7 content inspection) as they may introduce slowness if the there is network issue between palo alto and the external server it is asking for checks and services:
You can also enable other debugs together with flow basic but this usually is done by the Palo Alto TAC. For example enabling "ctb" will show how palo alto performs the content inspection and url filtering and time the cloud url database replied to the firewall's request for a URL. Other use case that I know is to see the application shift if there is an issue how the Palo Alto changes the matched application by enabling the "appid" debug. The only place where Palo Alto officially mentions some of the extra debug features is for the Clientless VPN troubleshooting https://docs.paloaltonetworks.com/globalprotect/8-1/globalprotect-admin/globalprotect-clientless-vpn...
It is interesting that also pcap captures/dumps can be done for a palo alto deamon/service/process (the same way debugs are enabled for the deamons if the default log levels don't show enough info) or for application id. Also don't forget to enable pcaps for malware signatures when you see that the firewalls is blocking you as it could real or false positive and it is good to check this.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!