Palo Alto Packet Capture Vs Monitor Vs Session Browser

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.
Palo Alto Networks Approved
Palo Alto Networks Approved
Community Expert Verified
Community Expert Verified

Palo Alto Packet Capture Vs Monitor Vs Session Browser

L2 Linker

Hi for a beginner why what does the packet capture enable me to do that the Monitor and Session Browser do not ? If possible please could someone give me a scenario for packet capture that identifies a problem which the other two would not pick up - is it the way traffic conversations are shown ? With the capture obviously you would be able to see a lot more detail about what is inside each packets. 

 

With respect to the Monitor I understand that shows traffic associated with closed or unsuccessful sessions whereas session browser is for existing sessions. Any tips would be appreciated.

1 accepted solution

Accepted Solutions

L6 Presenter

Monitor is the overall logging and inspection tab. Monitor --> Traffic specifically shows you completed traffic sessions with (depending on what you have selected in the Security rules options) the session start and stop times, as well as all the related session attributes (source/destination, region, classification, etc.), and final disposition of the session (end reason, filtering status, etc.). There may be multiple matching entries, as well as packet captures, under a Traffic log as the session progressed to completion.

 

Monitor --> Session Browser, on the other hand, shows you current sessions across the PaloAlto. These are live connections between endpoints that may be further filtered as characteristics of the connection change (i.e. the session might be live and allowed at the moment under one rule, but later could be identified as a different form of traffic and blocked under a different rule). It shows you the live TCP/UDP/etc. at the moment.

 

The Monitor --> Packet Capture allows you to do a live packet capture on the PaloAlto, capturing the actual network packets between endpoints. This is a Wireshark/tcpdump style capture that shows you the raw traffic, not how the PaloAlto categorized/filtered that traffic. Generally you use this when you need to investigate actual packet contents and debug why a particular rule may/may not be acting of traffic as expected.

 

As an example of packet capture, I was having a problem with the PA blocking traffic as being "STUN" packets, when STUN packets were allowed. The Traffic logs showed these identified as STUN, but on a non-standard port number and hence blocked. Using Packet Capture I was able to grab a sample and confirm these were in fact SIP packets that the PaloAlto was mis-identifying as STUN packets

View solution in original post

1 REPLY 1

L6 Presenter

Monitor is the overall logging and inspection tab. Monitor --> Traffic specifically shows you completed traffic sessions with (depending on what you have selected in the Security rules options) the session start and stop times, as well as all the related session attributes (source/destination, region, classification, etc.), and final disposition of the session (end reason, filtering status, etc.). There may be multiple matching entries, as well as packet captures, under a Traffic log as the session progressed to completion.

 

Monitor --> Session Browser, on the other hand, shows you current sessions across the PaloAlto. These are live connections between endpoints that may be further filtered as characteristics of the connection change (i.e. the session might be live and allowed at the moment under one rule, but later could be identified as a different form of traffic and blocked under a different rule). It shows you the live TCP/UDP/etc. at the moment.

 

The Monitor --> Packet Capture allows you to do a live packet capture on the PaloAlto, capturing the actual network packets between endpoints. This is a Wireshark/tcpdump style capture that shows you the raw traffic, not how the PaloAlto categorized/filtered that traffic. Generally you use this when you need to investigate actual packet contents and debug why a particular rule may/may not be acting of traffic as expected.

 

As an example of packet capture, I was having a problem with the PA blocking traffic as being "STUN" packets, when STUN packets were allowed. The Traffic logs showed these identified as STUN, but on a non-standard port number and hence blocked. Using Packet Capture I was able to grab a sample and confirm these were in fact SIP packets that the PaloAlto was mis-identifying as STUN packets

  • 1 accepted solution
  • 1891 Views
  • 1 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!