03-09-2022 02:55 AM
Hi, for a beginner, what does the packet capture enable me to do that the Monitor and Session Browser do not? If possible, could someone give me a scenario for packet capture that identifies a problem which the other two would not pick up? Is it the way traffic conversations are shown? With the capture, obviously, you would be able to see a lot more detail about what is inside each packet.
With respect to the Monitor, I understand that it shows traffic associated with closed or unsuccessful sessions, whereas the Session Browser is for existing sessions. Any tips would be appreciated.
03-09-2022 07:56 AM - edited 03-09-2022 08:05 AM
Monitor is the overall logging and inspection tab. Monitor --> Traffic specifically shows you completed traffic sessions with (depending on what you have selected in the Security rules options) the session start and stop times, as well as all the related session attributes (source/destination, region, classification, etc.), and final disposition of the session (end reason, filtering status, etc.). There may be multiple matching entries, as well as packet captures, under a Traffic log as the session progressed to completion.
Monitor --> Session Browser, on the other hand, shows you current sessions across the PaloAlto. These are live connections between endpoints that may be further filtered as characteristics of the connection change (i.e. the session might be live and allowed at the moment under one rule, but later could be identified as a different form of traffic and blocked under a different rule). It shows you the live TCP/UDP/etc. at the moment.
The Monitor --> Packet Capture allows you to do a live packet capture on the PaloAlto, capturing the actual network packets between endpoints. This is a Wireshark/tcpdump style capture that shows you the raw traffic, not how the PaloAlto categorized/filtered that traffic. Generally you use this when you need to investigate actual packet contents and debug why a particular rule may/may not be acting on traffic as expected.
As an example of packet capture, I was having a problem with the PA blocking traffic as being "STUN" packets, when STUN packets were allowed. The Traffic logs showed these identified as STUN, but on a non-standard port number and hence blocked. Using Packet Capture I was able to grab a sample and confirm these were in fact SIP packets that the PaloAlto was mis-identifying as STUN packets.
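The check the answer above describes, as an added example that is not part of the original post or any Palo Alto tool: once the UDP payloads have been pulled out of the capture (with Wireshark, tcpdump or a pcap library), each one is tested against the STUN header format (RFC 5389 magic cookie, 4-byte-aligned length) and the SIP request/status line (RFC 3261), so a flow the Traffic log labels "stun" can be confirmed or refuted from the bytes themselves. The packets, ports and payloads below are constructed for the example.

```python
import struct
from collections import Counter

STUN_MAGIC_COOKIE = 0x2112A442
SIP_METHODS = (b"INVITE", b"REGISTER", b"OPTIONS", b"ACK", b"BYE", b"CANCEL")


def classify_udp_payload(payload: bytes) -> str:
    """Return 'stun', 'sip' or 'unknown' for one UDP payload."""
    # STUN (RFC 5389): 20-byte header, top two bits of the message type are 0,
    # magic cookie at offset 4, body length a multiple of 4 and matching the packet.
    if len(payload) >= 20:
        msg_type, msg_len, cookie = struct.unpack("!HHI", payload[:8])
        if ((msg_type & 0xC000) == 0 and cookie == STUN_MAGIC_COOKIE
                and msg_len % 4 == 0 and len(payload) == 20 + msg_len):
            return "stun"
    # SIP (RFC 3261): text protocol; first line is either a status line
    # "SIP/2.0 <code> <reason>" or a request line "<METHOD> <uri> SIP/2.0".
    first_line = payload.split(b"\r\n", 1)[0]
    if first_line.startswith(b"SIP/2.0 "):
        return "sip"
    parts = first_line.split(b" ")
    if len(parts) == 3 and parts[0] in SIP_METHODS and parts[2] == b"SIP/2.0":
        return "sip"
    return "unknown"


def summarize_capture(packets):
    """packets: iterable of (dst_port, udp_payload). Returns {port: Counter of verdicts}."""
    by_port = {}
    for dst_port, payload in packets:
        by_port.setdefault(dst_port, Counter())[classify_udp_payload(payload)] += 1
    return by_port


# Constructed sample "capture": a STUN Binding Request on 3478, and two SIP
# messages sent on the same non-standard port (the situation in the post).
STUN_BINDING_REQUEST = struct.pack("!HHI", 0x0001, 0, STUN_MAGIC_COOKIE) + b"\x00" * 12
SIP_INVITE = b"INVITE sip:bob@example.invalid SIP/2.0\r\nVia: SIP/2.0/UDP 10.0.0.5\r\n\r\n"
SIP_TRYING = b"SIP/2.0 100 Trying\r\nVia: SIP/2.0/UDP 10.0.0.5\r\n\r\n"
SAMPLE_PACKETS = [
    (3478, STUN_BINDING_REQUEST),
    (3478, SIP_INVITE),
    (3478, SIP_TRYING),
    (3478, b"not a real protocol"),
]

if __name__ == "__main__":
    for port, counts in summarize_capture(SAMPLE_PACKETS).items():
        print(port, dict(counts))  # 3478 {'stun': 1, 'sip': 2, 'unknown': 1}
```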