06-19-2013 04:45 PM
I need to confirm what traffic data (specific DNS Request strings inside the packet) is hitting two specific Security rules, so would like to capture just the traffic that is hitting these rules. Is there any way to do this?
I have run the Packet Capture (in,out,firewall, and drop), filtered to port 53 (DNS), but have no way of knowing WHICH rule the traffic is hitting.
I tried setting one rule to "Block", and was able to see the "Drop" capture traffic for that rule, but my clients started screaming due to legitimate DNS requests failing. Can't do that again.....
06-19-2013 06:24 PM
I think there is no way to specify a security rule for packet capturing.
Can you use the 'test security-policy-match ...' command instead?
06-19-2013 08:00 PM
It is true that you are not able to simply initiate a packet capture with a security rule as the filter criteria. However, you can do the following:
admin@PA-200> show session all filter rule dns-test
--------------------------------------------------------------------------------
ID Application State Type Flag Src[Sport]/Zone/Proto (translated IP[Port])
Vsys Dst[Dport]/Zone (translated IP[Port])
--------------------------------------------------------------------------------
13580 dns ACTIVE FLOW NS 192.168.100.50[52160]/trust/17 (10.19.0.107[39841])
vsys1 10.0.0.246[53]/untrust (10.0.0.246[53])
12502 dns ACTIVE FLOW NS 192.168.100.50[49422]/trust/17 (10.19.0.107[62992])
vsys1 10.0.0.246[53]/untrust (10.0.0.246[53])
13571 dns ACTIVE FLOW NS 192.168.100.50[52502]/trust/17 (10.19.0.107[15692])
vsys1 10.0.0.246[53]/untrust (10.0.0.246[53])
13590 dns ACTIVE FLOW NS 192.168.100.50[62261]/trust/17 (10.19.0.107[32684])
vsys1 10.0.0.246[53]/untrust (10.0.0.246[53])
admin@PA-200> show session id 13580
Session 13580
c2s flow:
source: 192.168.100.50 [trust]
dst: 10.0.0.246
proto: 17
sport: 52160 dport: 53
state: INIT type: FLOW
src user: unknown
dst user: unknown
s2c flow:
source: 10.0.0.246 [untrust]
dst: 10.19.0.107
proto: 17
sport: 53 dport: 39841
state: INIT type: FLOW
src user: unknown
dst user: unknown
start time : Thu Jun 20 03:48:34 2013
timeout : 30 sec
total byte count(c2s) : 95
total byte count(s2c) : 152
layer7 packet count(c2s) : 1
layer7 packet count(s2c) : 1
vsys : vsys1
application : dns
rule : dns-test
session to be logged at end : True
session in session ager : False
session synced from HA peer : False
address/port translation : source + destination
nat-rule : NATOUT(vsys1)
layer7 processing : enabled
URL filtering enabled : True
URL category : any
session via syn-cookies : False
session terminated on host : False
session traverses tunnel : False
captive portal session : False
ingress interface : ethernet1/2
egress interface : ethernet1/1
session QoS rule : N/A (class 4)
admin@PA-200>
"show session all filter rule" will give you the sessions that are currently matching your rule. You can get the session data by doing "show session id <ID>".
Capturing the actual data will require a packet capture, either on the firewall or another machine.
-chadd.
06-19-2013 08:56 PM
You can also compare the pcap with the traffic log.
Since the traffic you are looking for must be DNS, I would use the source port number to identify which packet corresponds to a specific traffic log entry.
The traffic log should include the rule name as well.
FYI:
This is the way to add a column in the traffic log in the GUI.
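The two suggestions above (read the rule name from the session table or the traffic log, then match packets by source port) can be automated rather than done by eye. The script below is an added example, not code from the thread or from Palo Alto Networks: it loads a traffic-log CSV export keyed on (source IP, source port), walks a libpcap file, decodes the question name of each UDP/53 query, and groups the query names by the rule recorded for that flow. The CSV column names and the rule name 'dns-allow' are assumptions; the addresses, ports and 'dns-test' come from the session listing in the thread, and the capture is constructed inline so the example runs offline. Anything in the capture that has no traffic-log entry (for example a client whose session was still open when the log was exported) is reported under 'unmatched'.

```python
"""Map DNS query names in a packet capture to the security rule that handled them.

Added example, not from the thread or the vendor. It relies on two facts: the
traffic log (Rule column enabled) and 'show session all filter rule <name>' both
report the client's source IP and source port, and a DNS client uses a fresh
ephemeral source port per query, so (src IP, sport) keys a packet to its rule.
"""
import csv
import io
import socket
import struct
from collections import defaultdict

# Constructed traffic-log export. Column names are an assumption about the CSV
# layout; 'dns-allow' is a hypothetical rule name, 'dns-test' is from the thread.
TRAFFIC_LOG_CSV = """Source address,Source Port,Destination address,Destination Port,Rule
192.168.100.50,52160,10.0.0.246,53,dns-test
192.168.100.50,49422,10.0.0.246,53,dns-test
192.168.100.50,52502,10.0.0.246,53,dns-allow
"""


def load_traffic_log(csv_text):
    """Return {(src_ip, sport): rule_name} from a traffic-log CSV export."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {(row["Source address"], int(row["Source Port"])): row["Rule"] for row in reader}


def parse_qname(dns, offset=12):
    """Decode the first question name of a DNS message (plain labels, no pointers)."""
    labels = []
    while True:
        length = dns[offset]
        if length == 0:
            return ".".join(labels)
        if length & 0xC0:  # compression pointers do not occur in a plain query
            raise ValueError("unexpected compression pointer in question section")
        labels.append(dns[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length


def iter_dns_queries(pcap):
    """Yield (src_ip, sport, qname) for every Ethernet/IPv4/UDP-53 frame in a libpcap file."""
    magic = struct.unpack("<I", pcap[:4])[0]
    endian = "<" if magic == 0xA1B2C3D4 else ">"  # both byte orders occur in the wild
    pos = 24  # skip the global header
    while pos + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack(endian + "IIII", pcap[pos:pos + 16])
        pos += 16
        frame = pcap[pos:pos + incl_len]
        pos += incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":  # need Ethernet II + IPv4
            continue
        ihl = (frame[14] & 0x0F) * 4
        if frame[14 + 9] != 17:  # IP protocol field: UDP only
            continue
        udp = frame[14 + ihl:]
        sport, dport, ulen = struct.unpack("!HHH", udp[:6])
        if dport != 53 or ulen < 8 + 12:  # UDP header + DNS header minimum
            continue
        dns = udp[8:ulen]
        if struct.unpack("!H", dns[4:6])[0] == 0:  # QDCOUNT: skip empty messages
            continue
        yield socket.inet_ntoa(frame[26:30]), sport, parse_qname(dns)


def queries_per_rule(pcap, rule_by_flow):
    """Group captured query names by the rule the traffic log recorded for their flow."""
    grouped = defaultdict(list)
    for src_ip, sport, qname in iter_dns_queries(pcap):
        grouped[rule_by_flow.get((src_ip, sport), "unmatched")].append(qname)
    return dict(grouped)


# --- constructed capture so the example runs offline (not a real pcap) --------
def _dns_query(qname):
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)  # id, RD flag, QDCOUNT=1
    name = b"".join(bytes([len(l)]) + l.encode() for l in qname.split(".")) + b"\x00"
    return header + name + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN


def _udp_frame(src_ip, sport, dst_ip, dport, payload):
    udp_len = 8 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0, 64, 17, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    udp = struct.pack("!HHHH", sport, dport, udp_len, 0)  # checksums left zero
    return b"\x00" * 12 + b"\x08\x00" + ip + udp + payload


def _pcap(frames):
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]  # LINKTYPE_ETHERNET
    for i, frame in enumerate(frames):
        out.append(struct.pack("<IIII", 1371700000 + i, 0, len(frame), len(frame)) + frame)
    return b"".join(out)


SAMPLE_PCAP = _pcap([
    _udp_frame("192.168.100.50", 52160, "10.0.0.246", 53, _dns_query("internal.example.test")),
    _udp_frame("192.168.100.50", 52502, "10.0.0.246", 53, _dns_query("www.example.com")),
    _udp_frame("192.168.100.50", 49422, "10.0.0.246", 53, _dns_query("printer.example.test")),
    _udp_frame("192.168.100.50", 40000, "10.0.0.246", 53, _dns_query("stray.example.net")),
])

if __name__ == "__main__":
    for rule, names in queries_per_rule(SAMPLE_PCAP, load_traffic_log(TRAFFIC_LOG_CSV)).items():
        print(rule, names)
```

On a real capture, replace SAMPLE_PCAP with the bytes of the firewall's exported pcap and TRAFFIC_LOG_CSV with the log export covering the same window; because the join is on source port rather than time, the 17,000-packet volume mentioned later in the thread is a loop, not a manual comparison. The capture parser handles only Ethernet II frames with IPv4 and UDP, which is what a port-53 filter on the firewall produces; TCP DNS or fragmented datagrams would need separate handling.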
06-20-2013 08:21 AM
Thanks for the responses. I DO need to see the actual data inside the packets (looking for which DNS request string is hitting each DNS rule), thus the question regarding packet capture.
I thought of doing the PCAP comparison to the traffic log, but we had over 17,000 DNS capture packets under 2 minutes... even parsing for time-stamps would be a HUGE undertaking...