06-19-2013 04:45 PM
I need to confirm what traffic data (specific DNS Request strings inside the packet) is hitting two specific Security rules, so would like to capture just the traffic that is hitting these rules. Is there any way to do this?
I have run the Packet Capture (in,out,firewall, and drop), filtered to port 53 (DNS), but have no way of knowing WHICH rule the traffic is hitting.
I tried setting one rule to "Block", and was able to see the "Drop" capture traffic for that rule, but my clients started screaming due to legitimate DNS requests failing. Can't do that again.....
06-19-2013 06:24 PM
I think there is no way to specify a security rule for packet capturing.
Can you use the 'test security-policy-match ...' command instead?
06-19-2013 08:00 PM
It is true that you are not able to simply initiate a packet capture with a security rule as the filter criteria. However, you can do the following:
admin@PA-200> show session all filter rule dns-test
--------------------------------------------------------------------------------
ID Application State Type Flag Src[Sport]/Zone/Proto (translated IP[Port])
Vsys Dst[Dport]/Zone (translated IP[Port])
--------------------------------------------------------------------------------
13580 dns ACTIVE FLOW NS 192.168.100.50[52160]/trust/17 (10.19.0.107[39841])
vsys1 10.0.0.246[53]/untrust (10.0.0.246[53])
12502 dns ACTIVE FLOW NS 192.168.100.50[49422]/trust/17 (10.19.0.107[62992])
vsys1 10.0.0.246[53]/untrust (10.0.0.246[53])
13571 dns ACTIVE FLOW NS 192.168.100.50[52502]/trust/17 (10.19.0.107[15692])
vsys1 10.0.0.246[53]/untrust (10.0.0.246[53])
13590 dns ACTIVE FLOW NS 192.168.100.50[62261]/trust/17 (10.19.0.107[32684])
vsys1 10.0.0.246[53]/untrust (10.0.0.246[53])
admin@PA-200> show session id 13580
Session 13580
c2s flow:
source: 192.168.100.50 [trust]
dst: 10.0.0.246
proto: 17
sport: 52160 dport: 53
state: INIT type: FLOW
src user: unknown
dst user: unknown
s2c flow:
source: 10.0.0.246 [untrust]
dst: 10.19.0.107
proto: 17
sport: 53 dport: 39841
state: INIT type: FLOW
src user: unknown
dst user: unknown
start time : Thu Jun 20 03:48:34 2013
timeout : 30 sec
total byte count(c2s) : 95
total byte count(s2c) : 152
layer7 packet count(c2s) : 1
layer7 packet count(s2c) : 1
vsys : vsys1
application : dns
rule : dns-test
session to be logged at end : True
session in session ager : False
session synced from HA peer : False
address/port translation : source + destination
nat-rule : NATOUT(vsys1)
layer7 processing : enabled
URL filtering enabled : True
URL category : any
session via syn-cookies : False
session terminated on host : False
session traverses tunnel : False
captive portal session : False
ingress interface : ethernet1/2
egress interface : ethernet1/1
session QoS rule : N/A (class 4)
admin@PA-200>
"show session all filter rule" will give you the sessions that are currently matching your rule. You can get the session data by doing "show session id <ID>".
Capturing the actual data will require a packet capture, either on the firewall or another machine.
-chadd.
06-19-2013 08:56 PM
You can also compare the pcap with the traffic log.
Since the traffic you are looking for must be DNS, I would use the source port number to identify which packet corresponds to a specific traffic log.
Traffic log should include rule name as well.
FYI:
This is the way to add a column to the traffic log in the GUI.
06-20-2013 08:21 AM
Thanks for the responses. I DO need to see the actual data inside the packets (looking for which DNS request string is hitting each DNS rule), thus the question regarding packet capture.
I thought of doing the PCAP comparison to the traffic log, but we had over 17,000 DNS capture packets under 2 minutes... even parsing for time-stamps would be a HUGE undertaking...
06-20-2013 08:59 AM
I found one command that might help you...I hope.
Try 'set application dump on rule <rulename> protocol 17 destination-port 53'
You can see a green down arrow beside each traffic log after you enter this command.
I should mention that when I entered 'set application dump on rule <rulename>', my PAN device somehow collected pcaps for all traffic.
I think specifying only the rule name does not work properly.
***Additional Comments***
I confirmed that the rulename filter does not work even if I specify the protocol number and destination number.
This command would not help you.
I apologize for it.
06-23-2013 06:54 PM
Hi,
Even though you have 17000 DNS packets, I assume the source port is sequential or randomized, so it should be possible to match the pcap and the traffic log?
Were you not able to identify which traffic log was made with which pcap?
You can use a filter in the GUI like the following.
( port.src eq xxx ) and ( port.dst eq 53 ) and ( app eq dns )
There is a filter function on the CLI as well.
admin@PA-200> show log traffic
+ action action
+ app app
+ csv-output csv-output
+ direction direction
+ dport dport
+ dst dst
+ dstuser dstuser
+ end-time end-time
+ from from
+ query query
+ receive_time receive_time
+ rule rule
+ sport sport
+ src src
+ srcuser srcuser
+ start-time start-time
+ to to
| Pipe through a command
<Enter> Finish input
I hope this helps.
06-23-2013 07:21 PM
One correction. The following filter should be sufficient.
( port.src eq xxx ) and ( app eq dns )
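The pcap-to-traffic-log matching suggested in the replies above (join on source port, then read the rule name from the log), as an added example that is not part of the original thread. The CSV column names, the second rule name `dns-other` and the query names are assumptions constructed for illustration; packets are assumed to be already extracted from the capture as (pre-NAT source IP, source port, UDP payload).

```python
import csv, io, struct
from collections import defaultdict
def dns_qname(payload: bytes) -> str:
    """Return the first question name in a raw DNS message (the UDP payload)."""
    if len(payload) < 12 or struct.unpack("!H", payload[4:6])[0] == 0:
        raise ValueError("no DNS question present")
    labels, pos = [], 12                      # question starts after the 12-byte header
    while True:
        if pos >= len(payload):
            raise ValueError("truncated name")
        n = payload[pos]
        if n == 0:
            return ".".join(labels) or "."
        if n & 0xC0:                          # pointers are not expected in the first question
            raise ValueError("unexpected compression pointer")
        label = payload[pos + 1:pos + 1 + n]
        if len(label) != n:
            raise ValueError("truncated label")
        labels.append(label.decode("ascii", "replace"))
        pos += 1 + n

def make_query(name: str, txid: int = 0x1234) -> bytes:  # builds sample packets only
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\0"
    return struct.pack("!6H", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!2H", 1, 1)

def queries_by_rule(log_csv: str, packets) -> dict:
    """Join packets to log rows on (src, sport) and group query names by rule."""
    rule_of = {(r["src"], int(r["sport"])): r["rule"]
               for r in csv.DictReader(io.StringIO(log_csv)) if r["dport"] == "53"}
    out = defaultdict(set)
    for src, sport, payload in packets:
        rule = rule_of.get((src, sport), "<no log entry>")
        try:
            out[rule].add(dns_qname(payload))
        except ValueError:
            out[rule].add("<malformed>")
    return dict(out)

# Constructed sample data: assumed CSV columns; addresses and ports follow the thread.
LOG_CSV = """src,sport,dst,dport,rule
192.168.100.50,52160,10.0.0.246,53,dns-test
192.168.100.50,49422,10.0.0.246,53,dns-test
192.168.100.50,52502,10.0.0.246,53,dns-other
"""
PACKETS = [("192.168.100.50", 52160, make_query("www.example.com")),
           ("192.168.100.50", 49422, make_query("mail.example.org")),
           ("192.168.100.50", 52502, make_query("updates.example.net")),
           ("192.168.100.50", 60000, make_query("unlogged.example.com"))]
print(queries_by_rule(LOG_CSV, PACKETS))
```

Source ports are reused over time, so for a long or busy capture extend the join key with a time window taken from the log entry.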
06-24-2013 08:59 PM
Have you had a chance to review this doc:-