PANOS 4.0.8 - How to determine cause of DROP


Very basic configuration, an any any rule and a PAT rule for nat... trust and untrust zones and a default route and an internal summary route... what is happening is that from a traffic log perspective it's being ALLOWED, from a NAT perspective I can see the session built with two flows for each direction successfully and they go ACTIVE. However, the return traffic never comes back.

What I found when trying to dump pcaps on the box is that the traffic post-nat shows up in the DROP stage. However, nothing in the default logs shows any drops at all caused from a policy perspective (again, policy is very boilerplate).

Any way I can get more information on what is causing it to end up in DROP? Additional dataplane debugs or something?


Thanks,

- Josh

Accepted Solutions

L4 Transporter

Hi there,

Drop counters are your friend:

Set a filter to control what traffic is counted

debug dataplane packet-diag set filter match <criteria>

debug dataplane packet-diag set filter on

Show the drop counters (absolute or relative to last time command was run)

show counter global filter packet-filter yes | match drop

show counter global filter severity drop packet-filter yes delta yes

Cheers,

Kelly
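Once the filtered drop counters are captured from the CLI session, the useful part is seeing which of them actually moved between samples. The following is an added example (not from Kelly's reply or from Palo Alto Networks) that parses the text output of `show counter global filter severity drop packet-filter yes delta yes` and lists the non-zero drop counters, highest first. The sample output is constructed for illustration: the column layout approximates what PAN-OS prints, and the counter names and values are plausible placeholders, not a diagnosis of the case above.

```python
"""Summarise which PAN-OS global drop counters moved since the last delta sample.

Added example, not from the original thread. The sample text below is constructed;
counter names and values are illustrative placeholders, and the column layout is
an approximation of the real `show counter global` output.
"""
import re

# Constructed sample of the command output (columns: name value rate severity
# category aspect description). Real output may differ in spacing and wording.
SAMPLE_OUTPUT = """\
Global counters:
Elapsed time since last sampling: 4.532 seconds

name                                   value     rate severity  category  aspect    description
--------------------------------------------------------------------------------
flow_fwd_l3_noroute                       12        3 drop      flow      forward   Packets dropped: no route to destination
flow_policy_nat                            0        0 drop      flow      session   Session setup: source NAT IP allocation failed
flow_fwd_zonechange                        7        1 drop      flow      forward   Packets dropped: forwarded to a different zone
--------------------------------------------------------------------------------
Total counters shown: 3
"""

# One counter row: name, integer value, integer rate, then the text columns.
# Header, banner and separator lines never match because the second field is not numeric.
COUNTER_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<value>\d+)\s+(?P<rate>\d+)\s+(?P<severity>\S+)\s+"
    r"(?P<category>\S+)\s+(?P<aspect>\S+)\s+(?P<description>.*)$"
)


def parse_counters(text):
    """Return one dict per counter row found in the command output."""
    rows = []
    for line in text.splitlines():
        m = COUNTER_RE.match(line.strip())
        if not m:
            continue
        row = m.groupdict()
        row["value"] = int(row["value"])
        row["rate"] = int(row["rate"])
        rows.append(row)
    return rows


def active_drops(text, severity="drop"):
    """Counters of the given severity that moved in this sample, highest value first."""
    hits = [r for r in parse_counters(text)
            if r["severity"] == severity and r["value"] > 0]
    return sorted(hits, key=lambda r: r["value"], reverse=True)


if __name__ == "__main__":
    # Paste the real CLI output in place of SAMPLE_OUTPUT when using this on a firewall.
    for r in active_drops(SAMPLE_OUTPUT):
        print(f"{r['name']:<30} {r['value']:>6} {r['category']:<8} {r['aspect']:<8} {r['description']}")
```

Run the filter-and-counter sequence from the reply, copy the `show counter global ... delta yes` output into `SAMPLE_OUTPUT` (or read it from a file), and the script shows only the counters that incremented while the filter was active; the `category` and `aspect` columns (for example `flow`/`forward` versus `flow`/`session`) tell you which stage of packet handling is discarding the traffic, which is what the pcap DROP stage alone does not reveal.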
