cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Routing through same interface

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Reply
santonic
L5 Sessionator
‎08-21-2016 11:42 PM
‎08-21-2016 11:42 PM

You can do packet capture in GUI with apropriate filters and look at what is cpatured in drop stage of processing.

 

You can also monitor global counters, but here you will just see counter increasing and not which packet was actually dropped.

 

From CLI:

show counter global name tcp_drop_packet

 

And if you want to turn off asymetric check on WHOLE PA appliance for all zones:

configure

set deviceconfig setting tcp asymmetric-path bypass

 

But if i understand correctly you already did that?

0 Likes
Reply
reaper
L7 Applicator
‎08-22-2016 01:27 AM
‎08-22-2016 01:27 AM

Please check out this article regarding packetcaptures :) Getting Started: Packet Capture

 

Please be very careful with the asymmetric-path configuration as it could open up unexpected avenues of attack : sessions bypassed this way will not be L4-L7 scanned by appID/contentID and could contain malicious payload you will not be able to identify, this setting is global so could also impact packets coming from untrusted networks.

 

For more information regarding the impact of the setting: Palo Alto Networks TCP Settings and Counters

Tom Piens - PANgurus.com
Like my answer? check out my book! amazon.com/dp/1789956374
Reply
myrdin
L2 Linker
‎08-22-2016 08:55 PM
‎08-22-2016 08:55 PM

thanks guys.

 

I thought about it and i came to the conclusion that the Palo is slow already as it is, if i even am to add a NAT to translate WITHIN the LAN every packet to another internal segment, it will catch fire.

 

I found an article that explains how to create a zone protection and i will apply on the trust zone only so to avoid enabling the bypass globally, and in the zone protection to avoid dropping traffic because of the syn sequential number problem

 

thanks to all pointing in the right direction

 

0 Likes
Reply
santonic
L5 Sessionator
‎08-22-2016 11:09 PM
‎08-22-2016 11:09 PM

Palo Alto is slow? You have obviously never tried firewalls from other manufacturers :)

Reply
reaper
L7 Applicator
‎08-23-2016 12:10 AM
‎08-23-2016 12:10 AM

also, any latency you might experience is purely the management plane, the dataplane has it's own set of cpu/memory/... and is quite fast

 

 

you can check available resources for both planes with these commands:

 

Dataplane
> show running resource-monitor

Managementplane
> show system resources

please consider going with the NAT option, I promise your firewall won't catch fire :)

 

Tom Piens - PANgurus.com
Like my answer? check out my book! amazon.com/dp/1789956374
0 Likes
Reply
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

Latest Blogs
Latest Posts
Privacy Policy Terms of Use
Copyright 2007 - 2021 - Palo Alto Networks