PAN-88671


L4 Transporter

Hello,

 

In the PANOS 8.0.8 release, you can now disable or enable the L4 checksum checking.

 

How do I check if my 5200 firewall L4 checksum is enabled or disabled?

 

How do I check if traffic is dropped due to the L4 checksum?

 

Thanks,

 

E


Cyber Elite

 

enabled
admin@PA-5250> show system state | match l4
cfg.hw.fe100: { 'cfg_mode': 4, 'l4_chk_sum': 1, 'usecase': 1, 'v4_v6_choice': 2, }

disabled
admin@PA-5250> show system state | match l4
cfg.hw.fe100: { 'cfg_mode': 4, 'l4_chk_sum': 0, 'usecase': 1, 'v4_v6_choice': 2, }

 

These counters will increment when the firewall discards packets: flow_fpga_rcv_igr_L4CHKSUMERR

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization
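
For checking several firewalls at once, the state line shown in the reply above can be parsed from saved CLI transcripts. This is an added example, not part of the original thread or Palo Alto Networks tooling; the second hostname (PA-5220) and the function name are constructed for illustration, and it assumes the output keeps the format quoted above.

```python
import ast
import re

# Constructed sample: saved CLI transcripts in the format quoted in the reply above.
# PA-5220 is a made-up second device used only for illustration.
SAMPLE = """\
admin@PA-5250> show system state | match l4
cfg.hw.fe100: { 'cfg_mode': 4, 'l4_chk_sum': 1, 'usecase': 1, 'v4_v6_choice': 2, }
admin@PA-5220> show system state | match l4
cfg.hw.fe100: { 'cfg_mode': 4, 'l4_chk_sum': 0, 'usecase': 1, 'v4_v6_choice': 2, }
"""

PROMPT = re.compile(r"^\S+@(?P<host>[^>\s]+)>\s")               # user@hostname> command
STATE = re.compile(r"^cfg\.hw\.fe100:\s*(?P<body>\{.*\})\s*$")  # the state line itself


def l4_checksum_states(transcript):
    """Map each hostname seen in a prompt to 'enabled', 'disabled' or 'unknown'."""
    states, host = {}, None
    for line in transcript.splitlines():
        prompt = PROMPT.match(line)
        if prompt:
            host = prompt.group("host")
            states.setdefault(host, "unknown")  # stays unknown if no state line follows
            continue
        state = STATE.match(line.strip())
        if not (state and host):
            continue
        try:
            # The body is a Python-style dict literal; literal_eval never executes code.
            values = ast.literal_eval(state.group("body"))
        except (ValueError, SyntaxError):
            continue  # truncated or garbled line: leave the device as unknown
        if isinstance(values, dict):
            flag = values.get("l4_chk_sum")
            states[host] = {1: "enabled", 0: "disabled"}.get(flag, "unknown")
    return states


if __name__ == "__main__":
    for name, state in l4_checksum_states(SAMPLE).items():
        print(f"{name}: L4 checksum checking {state}")
```
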

Hi Reaper,

 

I don't see this counter increased (or listed when I run show counter global filter delta yes packet-filter yes) until I have the pre-parse match enabled.

 

 

 

Then I would think it likely no packets are being discarded by this check in the first place.

 

Are you seeing this counter pop up: flow_fpga_ingress_exception_err?

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

None of that counter as well, flow_fpga_ingress_exception_err

 

TAC and I compared the packet captures on the firewall vs on the span port from the switch below the firewall. Packets are getting dropped by the firewall. The counters mentioned were not showing up until you have pre-parse match enabled.

 

 

Hi reaper,

 

Could you please tell me when the counter flow_fpga_ingress_exception_err pops up?

 

Many thanks,

Kairm

Hi @Karim.Benyelloul

 

That's a bit of an open-ended question, as I cannot tell you when exactly that counter will pop up; it will be part of a larger set of symptoms rather than a 'this counter increments when x is happening'.

 

It is counted when an error occurs when the FPGA tries to intake a packet, which can happen due to different reasons.

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization