This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

packet capturing pa

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

packet capturing pa

Go to solution
sib2017
L4 Transporter

‎03-19-2016 03:13 PM

 

Hi,

in packet capture , what is  actually firewall stage type ? .

Why thers is  rx and tx separate ?

sorry for asking a fuzzy question ?

Thanks

 

 

2 accepted solutions

Accepted Solutions

Go to solution
Raido_Rattameister
Cyber Elite
Cyber Elite
In response to sib2017

‎03-21-2016 02:25 AM

packet capture.png

You can compare receive/transmit times in packet to see how long Palo takes to process.

Disable security profile on the traffic temporarily to see if you see different result.

 

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

View solution in original post

Go to solution
Brandon_Wertz
L6 Presenter

‎03-22-2016 07:22 AM

@sib2017 Just an FYI...Palo's GUI help is context sensitive so if you go to the 'packet capture' area in monitor then go to help in the top right there, it pops up a window with specific info for the screen you were just at.

 

If you scroll down you'll see there is detailed info for for each of the stages.

 

As the help is conext sensitive you can follow the same process for other areas fo the appliance in the future to provide info on other functions as well.

 

Capture.png

Capture_1.png

View solution in original post

8 REPLIES 8

Go to solution
Raido_Rattameister
Cyber Elite
Cyber Elite

‎03-19-2016 03:28 PM - edited ‎03-19-2016 03:31 PM

receive stage is captured when firewall gets the packet on ingress interface.

firewall stage is when it is processed by firewall engine.

transmit stage is when packet is sent out from egress interface.

drop stage is when it is dropped at any of those stages.

 

You need diferent stages if you troubleshoot NAT issues for example.

Then it is handy to compare receive and transmit stage to see if your NAT works correctly and changes source/destination IP of outgoing packet.

Same example applies also for troubleshooting SIP traffic issues etc.

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

Go to solution
sib2017
L4 Transporter
In response to Raido_Rattameister

‎03-19-2016 04:16 PM

Thanks man ,

You are always helpful . if  pa is in vwire mode , either rx  or tx is enough ?

Thank you again

 

0 Likes Likes

Go to solution
Raido_Rattameister
Cyber Elite
Cyber Elite
In response to sib2017

‎03-19-2016 04:34 PM

vw mode can throw away packets also.

Lets assume you have zone protection profile to drop fragmented packets.

RX sees them but they are dropped then and nothing is sent out.

Also you apply policies in vw mode also.

 

I usually start only with receive and drop and sometimes transmit.

receive will show received packets from client side and server side.

drop shows if anything was dropped.

 

You might care about firewall stage if you want to compare if packet was thrown away right after it was received or later in the stage.

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011
0 Likes Likes

Go to solution
sib2017
L4 Transporter
In response to Raido_Rattameister

‎03-20-2016 07:25 AM

Hi,

1 ) PA in vw , qos applied on trust interface and is it good to capturing packet on untrust or trust ?

2 ) I Have a strange issue is like if i download any files it takes very long time .
I don't it is ISP issue or firewall issue .How can i narrow down the issue ?
I just want to make sure palo alto not doing any strange activities ?

below is my topology
core switch -----------trust [PA] untrust---------inside[ASA]outside...WAN ROUTER

Thanks

 

 

0 Likes Likes

Go to solution
Raido_Rattameister
Cyber Elite
Cyber Elite
In response to sib2017

‎03-21-2016 02:25 AM

packet capture.png

You can compare receive/transmit times in packet to see how long Palo takes to process.

Disable security profile on the traffic temporarily to see if you see different result.

 

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

Go to solution
Brandon_Wertz
L6 Presenter

‎03-22-2016 07:22 AM

@sib2017 Just an FYI...Palo's GUI help is context sensitive so if you go to the 'packet capture' area in monitor then go to help in the top right there, it pops up a window with specific info for the screen you were just at.

 

If you scroll down you'll see there is detailed info for for each of the stages.

 

As the help is conext sensitive you can follow the same process for other areas fo the appliance in the future to provide info on other functions as well.

 

Capture.png

Capture_1.png

Go to solution
sib2017
L4 Transporter
In response to Raido_Rattameister

‎03-30-2016 08:57 PM

Hi,

I am using  assymteric path ( active -active ). So i believe it is very difficult using packet analysis . Actually i have severe  issue like when users are downloding files it  takes much longer time  than expected .How can i verify PA is not doing any abnormal activities 

Thanks

0 Likes Likes

Go to solution
santonic
L6 Presenter
In response to sib2017

‎03-30-2016 11:43 PM

Can you connect a PC directly to ISP and test downloading speed without traffic going through PA?

Do you use a proxy of some sort? Or some other device in your download path?

Try to eliminate devices on path 1 by 1.

 

I guess you already checked data plane CPU and it isn't high?

 

0 Likes Likes
  • 2 accepted solutions
  • 4642 Views
  • 8 replies
  • 1 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks