06-06-2013 07:39 PM
Hi All -
Just got my Palo Alto installed last week! So far so good. Hope this is the right place to be posting...
I just got a message from a student that since the firewall install, a game on his Wii U, Monster Hunter, has stopped working. He claims this game works via P2P -- I haven't looked into this yet. We do not block P2P, but we use QoS to rate limit it. What's the best way to approach troubleshooting here? I'm assuming Palo Alto won't tell me which traffic is specifically for Monster Hunter.
Open to suggestions...
Thanks!
Max
06-06-2013 07:45 PM
Please navigate to the Monitor tab and click on Traffic. Now enter the following filter: ( addr.src in userip )
Also, if you can log in to the CLI using SSH, run the following command:
>show session all filter source (ip in question) and then look at the session, i.e. >show session id (id)
For example:
admin@92-PA-3050> show session all
--------------------------------------------------------------------------------
ID Application State Type Flag Src[Sport]/Zone/Proto (translated IP[Port])
Vsys Dst[Dport]/Zone (translated IP[Port])
--------------------------------------------------------------------------------
56478 telnet ACTIVE FLOW 192.168.192.217[35534]/trust-L3/6 (192.168.192.217[35534])
>show session id 56478
Session 56478
c2s flow:
source: 192.168.192.217 [trust-L3]
dst: 10.2.2.1
proto: 6
sport: 35534 dport: 23
state: ACTIVE type: FLOW
src user: unknown
dst user: unknown
s2c flow:
source: 10.2.2.1 [test]
dst: 192.168.192.217
proto: 6
sport: 23 dport: 35534
state: ACTIVE type: FLOW
src user: unknown
dst user: unknown
start time : Wed Jun 5 19:09:21 2013
timeout : 432000 sec
time to live : 344073 sec
total byte count(c2s) : 3028
total byte count(s2c) : 0
layer7 packet count(c2s) : 50
layer7 packet count(s2c) : 0
vsys : vsys1
application : telnet
rule : rule1
session to be logged at end : True
session in session ager : True
session synced from HA peer : False
layer7 processing : enabled
URL filtering enabled : False
session via syn-cookies : False
session terminated on host : False
session traverses tunnel : False
captive portal session : False
ingress interface : ethernet1/4
egress interface : ethernet1/7
session QoS rule : N/A (class 4)
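Added example, not part of the original posts and not Palo Alto's own tooling: a small Python parser for the `show session id` text quoted above that pulls out the fields worth checking first (return traffic, identified application, QoS class, matched rule). The function names, the finding strings and the abridged sample are constructed for illustration, and the one-way-traffic check is a heuristic assumption.

```python
import re
# Constructed sample: abridged from the `show session id` output quoted above.
SAMPLE = """\
Session 56478
c2s flow:
source: 192.168.192.217 [trust-L3]
sport: 35534 dport: 23
s2c flow:
source: 10.2.2.1 [test]
sport: 23 dport: 35534
total byte count(c2s) : 3028
total byte count(s2c) : 0
application : telnet
rule : rule1
session QoS rule : N/A (class 4)
"""

FLOW_KEYS = {"source", "dst", "proto", "src user", "dst user"}  # per-flow fields
PAIR = re.compile(r"(\w+):\s*(\S+)\s+(\w+):\s*(\S+)")  # "sport: 35534 dport: 23"

def parse_session(text):
    """Split the text into c2s flow, s2c flow and session-level ("meta") fields."""
    out, section = {"c2s": {}, "s2c": {}, "meta": {}}, "meta"
    for line in map(str.strip, text.splitlines()):
        if (hdr := re.fullmatch(r"(c2s|s2c) flow:", line)):
            section = hdr.group(1)
        elif (pair := PAIR.fullmatch(line)):
            g = pair.groups()
            out[section].update({g[0]: g[1], g[2]: g[3]})
        elif ":" in line:
            key, _, value = (p.strip() for p in line.partition(":"))
            out[section if key in FLOW_KEYS else "meta"][key] = value
    return out

def triage(sess):
    """Hypothetical first-pass checks for a 'stopped working' report (heuristics)."""
    meta, findings = sess["meta"], []
    c2s = int(meta.get("total byte count(c2s)", 0))
    s2c = int(meta.get("total byte count(s2c)", 0))
    if c2s > 0 and s2c == 0:
        findings.append("one-way: client sent data, no bytes returned")
    if meta.get("application", "").startswith("unknown-"):
        findings.append("App-ID did not identify the application")
    if (qos := re.search(r"class (\d+)", meta.get("session QoS rule", ""))):
        findings.append(f"QoS class {qos.group(1)}; security rule {meta.get('rule')}")
    return findings

if __name__ == "__main__":
    print(triage(parse_session(SAMPLE)))
```

Paste the full CLI output in place of `SAMPLE`; session-level lines not listed in `FLOW_KEYS` (timeouts, interfaces, flags) land in the `meta` dictionary unchanged.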
06-07-2013 08:07 PM
Thanks for the reply! This is what I see when I do that. Nothing is coming up as blocked. Everything is being allowed. The unknown-udp entries look suspicious, different ports every time. The CLI commands aren't showing anything currently as he must have this device off -- I'll have to work with him on that. Anything else I can look at?