Routing through same interface

L5 Sessionator

You can do packet capture in GUI with apropriate filters and look at what is cpatured in drop stage of processing.


You can also monitor global counters, but here you will just see counter increasing and not which packet was actually dropped.


From CLI:

show counter global name tcp_drop_packet


And if you want to turn off asymetric check on WHOLE PA appliance for all zones:


set deviceconfig setting tcp asymmetric-path bypass


But if i understand correctly you already did that?

L7 Applicator

Please check out this article regarding packetcaptures :) Getting Started: Packet Capture


Please be very careful with the asymmetric-path configuration as it could open up unexpected avenues of attack : sessions bypassed this way will not be L4-L7 scanned by appID/contentID and could contain malicious payload you will not be able to identify, this setting is global so could also impact packets coming from untrusted networks.


For more information regarding the impact of the setting: Palo Alto Networks TCP Settings and Counters

Tom Piens -
Like my answer? check out my book!
L2 Linker

thanks guys.


I thought about it and i came to the conclusion that the Palo is slow already as it is, if i even am to add a NAT to translate WITHIN the LAN every packet to another internal segment, it will catch fire.


I found an article that explains how to create a zone protection and i will apply on the trust zone only so to avoid enabling the bypass globally, and in the zone protection to avoid dropping traffic because of the syn sequential number problem


thanks to all pointing in the right direction


L5 Sessionator

Palo Alto is slow? You have obviously never tried firewalls from other manufacturers :)

L7 Applicator

also, any latency you might experience is purely the management plane, the dataplane has it's own set of cpu/memory/... and is quite fast



you can check available resources for both planes with these commands:


> show running resource-monitor

> show system resources

please consider going with the NAT option, I promise your firewall won't catch fire :)


Tom Piens -
Like my answer? check out my book!
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!