Traffic Monitor Filter Basics


L1 Bithead
  PURPOSE

The purpose of this document is to demonstrate several methods of filtering and looking for specific types of traffic on the Palo Alto Firewalls. They are broken down into different areas such as host, zone, port, date/time, categories. At the end I have placed just a couple of examples of combining the various search filters together for more comprehensive searching.

There are many different ways to do filters, and this is just a couple of basic ones to get the juices flowing.

Enjoy

 

1.  HOST TRAFFIC FILTER EXAMPLES

     FROM HOST a.a.a.a

          (addr.src in a.a.a.a)

          example: (addr.src in 1.1.1.1) 

          Explanation: this will show all traffic coming from a host IP address that matches 1.1.1.1 (addr.src in a.a.a.a)

 

     TO HOST b.b.b.b

          (addr.dst in b.b.b.b)

          example: (addr.dst in 2.2.2.2) 

          Explanation: this will show all traffic with a destination address of a host that matches 2.2.2.2

 

     FROM HOST a.a.a.a TO HOST b.b.b.b

          (addr.src in a.a.a.a) and (addr.dst in b.b.b.b)

          example: (addr.src in 1.1.1.1) and (addr.dst in 2.2.2.2)

          Explanation: this will show all traffic coming from a host with an IP address of 1.1.1.1 and going to a host with a destination address of 2.2.2.2

 

     FROM HOST RANGE

          NOTE: You cannot specify an actual range, but you can use CIDR notation to specify a network range of addresses

          (addr.src in a.a.a.a/CIDR)

          example:  (addr.src in 10.10.10.2/30)

          Explanation:  this will show all traffic coming from addresses ranging from 10.10.10.1 - 10.10.10.3.

 

2.  ZONE TRAFFIC FILTER EXAMPLES

 

     FROM ZONE zone_a

          (zone.src eq zone_a)

          example: (zone.src eq PROTECT)

          Explanation: this will show all traffic coming from the PROTECT zone

 

     TO ZONE zone_b

          (zone.dst eq zone_b)

          example: (zone.dst eq OUTSIDE)

          Explanation: this will show all traffic going out the OUTSIDE zone

 

     FROM ZONE zone_a TO ZONE zone_b

          (zone.src eq zone_a) and (zone.dst eq zone_b)

          example: (zone.src eq PROTECT) and (zone.dst eq OUTSIDE)

          Explanation: this will show all traffic traveling from the PROTECT zone and going out the OUTSIDE zone

 

3.  PORT TRAFFIC FILTER EXAMPLES

 

     FROM PORT aa

          (port.src eq aa)

          example: (port.src eq 22)

          Explanation: this will show all traffic traveling from source port 22

 

     TO PORT aa

          (port.dst eq aa)

          example: (port.dst eq 25)

          Explanation: this will show all traffic traveling to destination port 25

 

     FROM PORT aa TO PORT bb

          (port.src eq aa) and (port.dst eq bb)

          example: (port.src eq 23459) and (port.dst eq 22)

          Explanation: this will show all traffic traveling from source port 23459 and traveling to destination port 22

 

     FROM ALL PORTS LESS THAN OR EQUAL TO PORT aa

          (port.src leq aa)

          example: (port.src leq 22)

          Explanation: this will show all traffic traveling from source ports 1-22

 

     FROM ALL PORTS GREATER THAN OR EQUAL TO PORT aa

          (port.src geq aa)

          example: (port.src geq 1024)

          Explanation: this will show all traffic traveling from source ports 1024 - 65535

 

     TO ALL PORTS LESS THAN OR EQUAL TO PORT aa

          (port.dst leq aa)

          example: (port.dst leq 1024)

          Explanation: this will show all traffic traveling to destination ports 1-1024

 

     TO ALL PORTS GREATER THAN OR EQUAL TO PORT aa

          (port.dst geq aa)

          example: (port.dst geq 1024)

          Explanation: this will show all traffic traveling to destination ports 1024-65535

 

     FROM PORT RANGE aa THROUGH bb

          (port.src geq aa) and (port.src leq bb)

          example: (port.src geq 20) and (port.src leq 53)

          Explanation: this will show all traffic traveling from source port range 20-53

 

     TO PORT RANGE aa THROUGH bb

          (port.dst geq aa) and (port.dst leq bb)

          example: (port.dst geq 1024) and (port.dst leq 13002)

          Explanation: this will show all traffic traveling to destination ports 1024 - 13002

 

4.  DATE/TIME TRAFFIC FILTER EXAMPLES

 

     ALL TRAFFIC FOR A SPECIFIC DATE yyyy/mm/dd AND TIME hh:mm:ss

          (receive_time eq 'yyyy/mm/dd hh:mm:ss')

          example: (receive_time eq '2015/08/31 08:30:00')

          Explanation: this will show all traffic that was received on August 31, 2015 at 8:30am

 

     ALL TRAFFIC RECEIVED ON OR BEFORE THE DATE yyyy/mm/dd AND TIME hh:mm:ss

          (receive_time leq 'yyyy/mm/dd hh:mm:ss')

          example: (receive_time leq '2015/08/31 08:30:00')

          Explanation: this will show all traffic that was received on or before August 31, 2015 at 8:30am

 

     ALL TRAFFIC RECEIVED ON OR AFTER THE DATE yyyy/mm/dd AND TIME hh:mm:ss

          (receive_time geq 'yyyy/mm/dd hh:mm:ss')

          example: (receive_time geq '2015/08/31 08:30:00')

          Explanation: this will show all traffic that was received on or after August 31, 2015 at 8:30am

 

     ALL TRAFFIC RECEIVED BETWEEN THE DATE-TIME RANGE OF yyyy/mm/dd hh:mm:ss AND YYYY/MM/DD HH:MM:SS

          (receive_time geq 'yyyy/mm/dd hh:mm:ss') and (receive_time leq 'YYYY/MM/DD HH:MM:SS')

          example: (receive_time geq '2015/08/30 08:30:00') and (receive_time leq '2015/08/31 01:25:00')

          Explanation: this will show all traffic that was received between August 30, 2015 8:30am and August 31, 2015 01:25am

5.  INTERFACE TRAFFIC FILTER EXAMPLES

 

     ALL TRAFFIC INBOUND ON INTERFACE interface1/x

          (interface.src eq 'ethernet1/x')

          example: (interface.src eq 'ethernet1/2')

          Explanation: this will show all traffic that was received on the PA Firewall interface Ethernet 1/2

 

     ALL TRAFFIC OUTBOUND ON INTERFACE interface1/x

          (interface.dst eq 'ethernet1/x')

          example: (interface.dst eq 'ethernet1/5')

          Explanation: this will show all traffic that was sent out on the PA Firewall interface Ethernet 1/5

 

6.  ALLOWED/DENIED TRAFFIC FILTER EXAMPLES

 

     ALL TRAFFIC THAT HAS BEEN ALLOWED BY THE FIREWALL RULES

          (action eq allow)

          OR

         (action neq deny)

          example: (action eq allow)

          Explanation: this will show all traffic that has been allowed by the firewall rules.  By placing the letter 'n' in front of 'eq' it makes it 'not equal to', so anything not equal to deny will be displayed, which is any allowed traffic.

 

     ALL TRAFFIC THAT HAS BEEN DENIED BY THE FIREWALL RULES

          (action eq deny)

          OR

         (action neq allow)

          example: (action eq deny)

          Explanation: this will show all traffic that has been denied by the firewall rules.  By placing the letter 'n' in front of 'eq' it makes it 'not equal to', so anything not equal to allow will be displayed, which is any denied traffic.

 

7.  COMBINING TRAFFIC FILTER EXAMPLES

 

     ALL TRAFFIC FROM ZONE OUTSIDE AND NETWORK 10.10.10.0/24 TO HOST ADDRESS 20.20.20.21 IN THE PROTECT ZONE:

          (zone.src eq OUTSIDE) and (addr.src in 10.10.10.0/24) and (addr.dst in 20.20.20.21) and (zone.dst eq PROTECT)

 

     ALL TRAFFIC FROM HOST 1.2.3.4 TO HOST 5.6.7.8 FOR THE TIME RANGE 8/30-31/2015

          (addr.src in 1.2.3.4) and (addr.dst in 5.6.7.8) and (receive_time geq '2015/08/30 00:00:00') and (receive_time leq '2015/08/31 23:59:59')
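As an added illustration (not part of the original post or of PAN-OS itself), here is a small Python evaluator for the filter grammar used throughout the post, run over constructed sample log records. It goes slightly beyond the post by also handling `notin`, `or`, and quoted values in one place; the record layout and the `select` helper are assumptions made for the example.

```python
import ipaddress
import re
from datetime import datetime

# Constructed sample traffic-log records (not taken from the page); one dict per log entry.
LOGS = [
    {"receive_time": "2015/08/31 08:30:00", "zone.src": "PROTECT", "zone.dst": "OUTSIDE",
     "addr.src": "10.10.10.2", "addr.dst": "2.2.2.2", "port.src": 23459, "port.dst": 22,
     "interface.src": "ethernet1/2", "interface.dst": "ethernet1/5", "action": "allow"},
    {"receive_time": "2015/08/30 09:00:00", "zone.src": "OUTSIDE", "zone.dst": "PROTECT",
     "addr.src": "10.10.10.7", "addr.dst": "20.20.20.21", "port.src": 40000, "port.dst": 25,
     "interface.src": "ethernet1/5", "interface.dst": "ethernet1/2", "action": "deny"},
]

# One parenthesised term: (field operator value), value optionally single-quoted.
TERM = re.compile(r"\(\s*([\w.]+)\s+(in|notin|eq|neq|geq|leq)\s+'?([^')]+?)'?\s*\)")

def term_matches(field, op, value, rec):
    """Evaluate a single term against one log record."""
    actual = rec[field]
    if op in ("in", "notin"):
        # Address terms: a bare host is a /32, CIDR notation covers the whole network.
        hit = ipaddress.ip_address(actual) in ipaddress.ip_network(value, strict=False)
        return hit if op == "in" else not hit
    if field == "receive_time":
        actual, value = (datetime.strptime(x, "%Y/%m/%d %H:%M:%S") for x in (actual, value))
    elif isinstance(actual, int):  # port fields compare numerically, not as strings
        value = int(value)
    return {"eq": actual == value, "neq": actual != value,
            "geq": actual >= value, "leq": actual <= value}[op]

def matches(filter_text, rec):
    """Evaluate terms joined by 'and' / 'or'; 'and' binds tighter, as in boolean logic."""
    evaluated = TERM.sub(lambda m: str(term_matches(*m.groups(), rec)), filter_text)
    evaluated = " ".join(evaluated.split())  # normalise whitespace between terms
    return any(all(t == "True" for t in group.split(" and "))
               for group in evaluated.split(" or "))

def select(filter_text, logs=LOGS):
    """Return the records a Traffic Monitor-style filter would display (assumed helper)."""
    return [r for r in logs if matches(filter_text, r)]

if __name__ == "__main__":
    for f in ["(addr.src in 10.10.10.2/30)",
              "(zone.src eq OUTSIDE) and (addr.src in 10.10.10.0/24) and (zone.dst eq PROTECT)",
              "(addr.dst notin 2.2.2.2) and (action neq allow)"]:
        print(f, "->", [r["addr.src"] for r in select(f)])
```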

 

 

 


L1 Bithead

Hello everyone, does anyone know how this filter works: (addr.dst notin 10.1.1.1) and (addr.dst notin 10.1.1.2) and (addr.dst notin 10.1.1.4)? I don't understand this word "notin". Is there any website to review filters, more advanced and detailed?
