Packet capture of specific Security Rule?

Showing results for 
Show  only  | Search instead for 
Did you mean: 

Packet capture of specific Security Rule?

L2 Linker

I need to confirm what traffic data (specific DNS Request strings inside the packet) is hitting two specific Security rules, so would like to capture just the traffic that is hitting these rules. Is there any way to do this?

I have run the Packet Capture (in,out,firewall, and drop), filtered to port 53 (DNS), but have no way of knowing WHICH rule the traffic is hitting.

I tried setting one rule to "Block", and was able to see the "Drop" capture traffic for that rule, but my clients started screaming due to legitimate DNS requests failing. Can't do that again.....


L5 Sessionator

I think there is no way to specify security rule for packet capturing.

Can you use 'test security-policy-match ...' command instead?

L3 Networker

It is true that you are not able to simply initiate a packet capture with a security rule as the filter criteria.  However, you can do the following:

admin@PA-200> show session all filter rule dns-test


ID      Application    State   Type Flag  Src[Sport]/Zone/Proto (translated IP[Port])

Vsys                                      Dst[Dport]/Zone (translated IP[Port])


13580   dns            ACTIVE  FLOW  NS[52160]/trust/17  ([39841])

vsys1                           [53]/untrust  ([53])

12502   dns            ACTIVE  FLOW  NS[49422]/trust/17  ([62992])

vsys1                           [53]/untrust  ([53])

13571   dns            ACTIVE  FLOW  NS[52502]/trust/17  ([15692])

vsys1                           [53]/untrust  ([53])

13590   dns            ACTIVE  FLOW  NS[62261]/trust/17  ([32684])

vsys1                           [53]/untrust  ([53])

admin@PA-200> show session id 13580

Session           13580

        c2s flow:

                source: [trust]


                proto:       17

                sport:       52160           dport:      53

                state:       INIT            type:       FLOW

                src user:    unknown

                dst user:    unknown

        s2c flow:

                source: [untrust]


                proto:       17

                sport:       53              dport:      39841

                state:       INIT            type:       FLOW

                src user:    unknown

                dst user:    unknown

        start time                    : Thu Jun 20 03:48:34 2013

        timeout                       : 30 sec

        total byte count(c2s)         : 95

        total byte count(s2c)         : 152

        layer7 packet count(c2s)      : 1

        layer7 packet count(s2c)      : 1

        vsys                          : vsys1

        application                   : dns 

        rule                          : dns-test

        session to be logged at end   : True

        session in session ager       : False

        session synced from HA peer   : False

        address/port translation      : source + destination

        nat-rule                      : NATOUT(vsys1)

        layer7 processing             : enabled

        URL filtering enabled         : True

        URL category                  : any

        session via syn-cookies       : False

        session terminated on host    : False

        session traverses tunnel      : False

        captive portal session        : False

        ingress interface             : ethernet1/2

        egress interface              : ethernet1/1

        session QoS rule              : N/A (class 4)


"show session all filter rule" will give you the sessions that are currently matching your rule.  You can get the session data by doing "show session id <ID>".

Capturing the actual data will require a packet capture, either on the firewall or another machine.


You can also compared the pcap with traffic log.

Since traffic you look for must be DNS, I would use source port number to identify which packet is corresponding to a specific traffic log.

Traffic log should include rule name as well.


This is the way to add column in traffic log in GUI.

Thanks for the responses. I DO need to see the acual data inside the packets (looking for which DNS request string is hitting each DNS rule), thus the question regarding packet capture.

I thought of doing the PCAP comparison to the traffic log, but we had over 17,000 DNS capture packets under 2 minutes...  even parsing for time-stamps would be a HUGE undertaking...

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!