packet capturing pa


L4 Transporter

 

Hi,

In packet capture, what actually is the firewall stage type?

Why are rx and tx separate?

Sorry for asking a fuzzy question.

Thanks

 

 


8 REPLIES

Cyber Elite

Receive stage is captured when the firewall gets the packet on the ingress interface.

Firewall stage is when it is processed by the firewall engine.

Transmit stage is when the packet is sent out from the egress interface.

Drop stage is when it is dropped at any of those stages.

You need different stages if you troubleshoot NAT issues, for example.

Then it is handy to compare receive and transmit stage to see if your NAT works correctly and changes source/destination IP of outgoing packet.

Same example applies also for troubleshooting SIP traffic issues etc.

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

Thanks man,

You are always helpful. If PA is in vwire mode, is either rx or tx enough?

Thank you again

 

Vw mode can throw away packets also.

Let's assume you have a zone protection profile to drop fragmented packets.

RX sees them, but they are then dropped and nothing is sent out.

You also apply policies in vw mode.

 

I usually start only with receive and drop and sometimes transmit.

Receive will show received packets from client side and server side.

Drop shows if anything was dropped.

 

You might care about firewall stage if you want to compare if packet was thrown away right after it was received or later in the stage.

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

Hi,

1) PA in vw, QoS applied on the trust interface: is it good to capture packets on untrust or trust?

2) I have a strange issue: if I download any files it takes a very long time.
I don't know if it is an ISP issue or a firewall issue. How can I narrow down the issue?
I just want to make sure Palo Alto is not doing any strange activities.

below is my topology
core switch -----------trust [PA] untrust---------inside[ASA]outside...WAN ROUTER

Thanks

 

 


You can compare receive/transmit times in packet to see how long Palo takes to process.

Disable security profile on the traffic temporarily to see if you see different result.

 

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011
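The comparison described in the replies above (receive vs. transmit for NAT and processing time, plus the drop stage), as an added example that is not part of any poster's reply. It assumes the three stage captures were exported as classic little-endian pcap files with untagged Ethernet/IPv4 frames, and that the firewall leaves the IP ID and destination address unchanged (source NAT only); the addresses and timestamps are constructed sample data.

```python
import socket
import struct

def read_pcap(data):
    """Yield (timestamp_us, frame) from a classic little-endian, microsecond pcap."""
    if struct.unpack_from("<I", data, 0)[0] != 0xA1B2C3D4:
        raise ValueError("unsupported pcap format")
    off = 24                                    # skip the global header
    while off + 16 <= len(data):
        sec, usec, caplen, _ = struct.unpack_from("<IIII", data, off)
        yield sec * 1_000_000 + usec, data[off + 16:off + 16 + caplen]
        off += 16 + caplen

def index_stage(data):
    """Map (IP ID, protocol, destination) -> (timestamp_us, source) for IPv4 frames."""
    out = {}
    for ts, f in read_pcap(data):
        if len(f) >= 34 and f[12:14] == b"\x08\x00":    # untagged Ethernet + IPv4
            key = (struct.unpack_from("!H", f, 18)[0], f[23], socket.inet_ntoa(f[30:34]))
            out[key] = (ts, socket.inet_ntoa(f[26:30]))
    return out

def compare_stages(rx_pcap, tx_pcap, drop_pcap):
    """For every receive-stage packet, report latency and NAT, or where it was lost."""
    tx, dropped, report = index_stage(tx_pcap), index_stage(drop_pcap), {}
    for key, (rx_ts, rx_src) in index_stage(rx_pcap).items():
        if key in tx:
            tx_ts, tx_src = tx[key]
            report[key[0]] = {"latency_us": tx_ts - rx_ts, "rx_src": rx_src,
                              "tx_src": tx_src, "source_nat": rx_src != tx_src}
        else:
            report[key[0]] = {"fate": "drop" if key in dropped else "missing"}
    return report

def build_pcap(packets):
    """Constructed sample capture: (usec, ip_id, src, dst) header-only TCP packets."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for usec, ip_id, src, dst in packets:
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, ip_id, 0, 64, 6, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
        frame = bytes(12) + b"\x08\x00" + ip
        out += struct.pack("<IIII", 1000, usec, len(frame), len(frame)) + frame
    return out

# Constructed sample: client 10.1.1.10, server 203.0.113.5, NAT address 198.51.100.2
RX = build_pcap([(100, 1, "10.1.1.10", "203.0.113.5"), (500, 2, "10.1.1.10", "203.0.113.5"),
                 (900, 3, "10.1.1.10", "203.0.113.5")])
TX = build_pcap([(350, 1, "198.51.100.2", "203.0.113.5")])
DROP = build_pcap([(520, 2, "10.1.1.10", "203.0.113.5")])
REPORT = compare_stages(RX, TX, DROP)
```

A packet reported as "missing" was seen at the receive stage but appears in neither the transmit nor the drop capture, which usually means the capture filter did not match it on the way out.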

L6 Presenter

@sib2017 Just an FYI... Palo's GUI help is context sensitive, so if you go to the 'packet capture' area in monitor and then go to help in the top right there, it pops up a window with specific info for the screen you were just at.

If you scroll down you'll see there is detailed info for each of the stages.

As the help is context sensitive, you can follow the same process for other areas of the appliance in the future to provide info on other functions as well.

 


Hi,

I am using an asymmetric path (active-active), so I believe it is very difficult to use packet analysis. Actually, I have a severe issue: when users are downloading files it takes much longer than expected. How can I verify PA is not doing any abnormal activities?

Thanks

Can you connect a PC directly to ISP and test downloading speed without traffic going through PA?

Do you use a proxy of some sort? Or some other device in your download path?

Try to eliminate devices on path 1 by 1.

 

I guess you already checked data plane CPU and it isn't high?

 
