Knowledge sharing: Palo Alto checking for drops (rejects ,discards), slowness (latency) and counters using captures, global counters, flow basic etc.

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Knowledge sharing: Palo Alto checking for drops (rejects ,discards), slowness (latency) and counters using captures, global counters, flow basic etc.

L6 Presenter

Hello To All,

 

 

I will create a short summary about how to do basic checks if the palo alto drops or slows down the traffic.

 

 

1. First the pcap capture on the drop stage will show if the firewall drops the traffic and after that we check why the firewall drops the traffic. If the issue is slowness doing a pcap capture in transmit and receive state and you can save/merge them to the sae file and compare if there slowness because of the firewall:

 

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClTJCA0

 

 

For issues with a managment traffic or something like SNMP, DNS, etc. do tcpdump on the managment IP (if you have not changed the dafult settings for the DNS, SNMP or other services to use a data plane interface) as the normal pcap will not work https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CleECAS

 

 

 

 

2. After the pcap and for example if a drop or slowness is confurmed to be because of the firewall use the same capture filter for to check the global counters:

 

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CloNCAS

 

 

 

 

3. If the global counters show a drop because of a policy, do policy trace. If the global counters show that there is routing issue, just do a routing test and if you have PBF, also test it:

 

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClQSCA0

 

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cla1CAC

 

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClYJCA0

 

 

 

 

4. If the issue is still not known use Flow Basic (flow_basic) with the same pcap filters (it could can utilize the CPU, so have good pcap filters).

 

https://palo-alto.fandom.com/wiki/Flow_Basic

 

https://palo-alto.fandom.com/wiki/Troubleshooting

 

 

 

 

 

 

5. Also for slowness issues  just in case check the DNS resolution, Wildfire, URL filtering database, etc. or the authentication (depends on what you have and what you are using and this are issues on layer 7 content inspection) as they may introduce slowness if the there is network issue between palo alto and the external server it is asking for checks and services:

 

 

 

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClaHCAS

 

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClQcCAK

 

https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-cli-quick-start/use-the-cli/test-the-configurati...

 

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PLs2CAG

 

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClVYCA0

 

 

 

 

Edit:

 

You can also enable other debugs together with flow basic but this usually is done by the Palo Alto TAC. For example enabling "ctb" will show how palo alto performs the content inspection and url filtering and time the cloud url database replied to the firewall's request for a URL. Other use case that I know is to see the application shift if there is an issue how the Palo Alto changes the matched application by enabling the "appid" debug. The only place where Palo Alto officially mentions some of the extra debug features is for the Clientless VPN troubleshooting https://docs.paloaltonetworks.com/globalprotect/8-1/globalprotect-admin/globalprotect-clientless-vpn...

 

 

NikolayDimitrov_0-1619596411072.png

 

 

2 REPLIES 2

Community Team Member

Thanks for sharing @nikoolayy1  !!

 

Cheers,

-Kiwi

 
LIVEcommunity team member, CISSP
Cheers,
Kiwi
Please help out other users and “Accept as Solution” if a post helps solve your problem !

Read more about how and why to accept solutions.

L3 Networker

It is interesting that also pcap captures/dumps can be done for a palo alto deamon/service/process (the same way debugs are enabled for the deamons if the default log levels don't show enough info) or for application id. Also don't forget to enable pcaps for malware signatures when you see that the firewalls is blocking you as it could real or false positive and it is good to check this.

 

Process:


https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CliPCAS


https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClivCAC

 

App:

 

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClS8CAK


https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/monitoring/take-packet-captures/take-an-ap...

  • 8068 Views
  • 2 replies
  • 3 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!