08-31-2015 01:02 PM
The purpose of this document is to demonstrate several methods of filtering and looking for specific types of traffic on the Palo Alto Firewalls. They are broken down into different areas such as host, zone, port, date/time, categories. At the end I have placed just a couple of examples of combining the various search filters together for more comprehensive searching.
There are many different ways to do filters, and this is just a couple of basic ones to get the juices flowing.
Enjoy
1. HOST TRAFFIC FILTER EXAMPLES
FROM HOST a.a.a.a
(addr.src in a.a.a.a)
example: (addr.src in 1.1.1.1)
Explanation: this will show all traffic coming from host ip address that matches 1.1.1.1 (addr.src in a.a.a.a)
TO HOST b.b.b.b
(addr.dst in b.b.b.b)
example: (addr.dst in 2.2.2.2)
Explanation: this will show all traffic with a destination address of a host that matches 2.2.2.2
FROM HOST a.a.a.a TO HOST b.b.b.b
(addr.src in a.a.a.a) and (addr.dst in b.b.b.b)
example: (addr.src in 1.1.1.1) and (addr.dst in 2.2.2.2)
Explanation: this will show all traffic coming from a host with an ip address of 1.1.1.1 and going to a host destination address of 2.2.2.2
TO HOST RANGE
NOTE: You cannot specify an actual range but can use CIDR notation to specify a network range of addresses
(addr.src in a.a.a.a/CIDR)
example: (addr.src in 10.10.10.2/30)
Explanation: this will show all traffic coming from addresses ranging from 10.10.10.1 - 10.10.10.3.
2. ZONE TRAFFIC FILTER EXAMPLES
FROM ZONE zone_a
(zone.src eq zone_a)
example: (zone.src eq PROTECT)
Explanation: this will show all traffic coming from the PROTECT zone
TO ZONE zone_b
(zone.dst eq zone_b)
example: (zone.dst eq OUTSIDE)
Explanation: this will show all traffic going out the OUTSIDE zone
FROM ZONE zone_a TO ZONE zone_b
(zone.src eq zone_a) and (zone.dst eq zone_b)
example: (zone.src eq PROTECT) and (zone.dst eq OUTSIDE)
Explanation: this will show all traffic traveling from the PROTECT zone and going out the OUTSIDE zone
3. PORT TRAFFIC FILTER EXAMPLES
FROM PORT aa
(port.src eq aa)
example: (port.src eq 22)
Explanation: this will show all traffic traveling from source port 22
TO PORT aa
(port.dst eq aa)
example: (port.dst eq 25)
Explanation: this will show all traffic traveling to destination port 25
FROM PORT aa TO PORT bb
(port.src eq aa) and (port.dst eq bb)
example: (port.src eq 23459) and (port.dst eq 22)
Explanation: this will show all traffic traveling from source port 23459 and traveling to destination port 22
FROM ALL PORTS LESS THAN OR EQUAL TO PORT aa
(port.src leq aa)
example: (port.src leq 22)
Explanation: this will show all traffic traveling from source ports 1-22
FROM ALL PORTS GREATER THAN OR EQUAL TO PORT aa
(port.src geq aa)
example: (port.src geq 1024)
Explanation: this will show all traffic traveling from source ports 1024 - 65535
TO ALL PORTS LESS THAN OR EQUAL TO PORT aa
(port.dst leq aa)
example: (port.dst leq 1024)
Explanation: this will show all traffic traveling to destination ports 1-1024
TO ALL PORTS GREATER THAN OR EQUAL TO PORT aa
(port.dst geq aa)
example: (port.dst geq 1024)
Explanation: this will show all traffic traveling to destination ports 1024-65535
FROM PORT RANGE aa THROUGH bb
(port.src geq aa) and (port.src leq bb)
example: (port.src geq 20) and (port.src leq 53)
Explanation: this will show all traffic traveling from source port range 20-53
TO PORT RANGE aa THROUGH bb
(port.dst geq aa) and (port.dst leq bb)
example: (port.dst geq 1024) and (port.dst leq 13002)
Explanation: this will show all traffic traveling to destination ports 1024 - 13002
4. DATE/TIME TRAFFIC FILTER EXAMPLES
ALL TRAFFIC FOR A SPECIFIC DATE yyyy/mm/dd AND TIME hh:mm:ss
(receive_time eq 'yyyy/mm/dd hh:mm:ss')
example: (receive_time eq '2015/08/31 08:30:00')
Explanation: this will show all traffic that was received on August 31, 2015 at 8:30am
ALL TRAFFIC RECEIVED ON OR BEFORE THE DATE yyyy/mm/dd AND TIME hh:mm:ss
(receive_time leq 'yyyy/mm/dd hh:mm:ss')
example: (receive_time leq '2015/08/31 08:30:00')
Explanation: this will show all traffic that was received on or before August 31, 2015 at 8:30am
ALL TRAFFIC RECEIVED ON OR AFTER THE DATE yyyy/mm/dd AND TIME hh:mm:ss
(receive_time geq 'yyyy/mm/dd hh:mm:ss')
example: (receive_time geq '2015/08/31 08:30:00')
Explanation: this will show all traffic that was received on or after August 31, 2015 at 8:30am
ALL TRAFFIC RECEIVED BETWEEN THE DATE-TIME RANGE OF yyyy/mm/dd hh:mm:ss and YYYY/MM/DD HH:MM:SS
(receive_time geq 'yyyy/mm/dd hh:mm:ss') and (receive_time leq 'YYYY/MM/DD HH:MM:SS')
example: (receive_time geq '2015/08/30 08:30:00') and (receive_time leq '2015/08/31 01:25:00')
Explanation: this will show all traffic that was received between August 30, 2015 8:30am and August 31, 2015 01:25am
5. INTERFACE TRAFFIC FILTER EXAMPLES
ALL TRAFFIC INBOUND ON INTERFACE interface1/x
(interface.src eq 'ethernet1/x')
example: (interface.src eq 'ethernet1/2')
Explanation: this will show all traffic that was received on the PA Firewall interface Ethernet 1/2
ALL TRAFFIC OUTBOUND ON INTERFACE interface1/x
(interface.dst eq 'ethernet1/x')
example: (interface.dst eq 'ethernet1/5')
Explanation: this will show all traffic that was sent out on the PA Firewall interface Ethernet 1/5
6. ALLOWED/DENIED TRAFFIC FILTER EXAMPLES
ALL TRAFFIC THAT HAS BEEN ALLOWED BY THE FIREWALL RULES
(action eq allow)
OR
(action neq deny)
example: (action eq allow)
Explanation: this will show all traffic that has been allowed by the firewall rules. By placing the letter 'n' in front of 'eq' it makes it 'not equal to', so anything not equal to deny will be displayed, which is any allowed traffic.
ALL TRAFFIC THAT HAS BEEN DENIED BY THE FIREWALL RULES
(action eq deny)
OR
(action neq allow)
example: (action eq deny)
Explanation: this will show all traffic that has been denied by the firewall rules. By placing the letter 'n' in front of 'eq' it makes it 'not equal to', so anything not equal to allow will be displayed, which is any denied traffic.
7. COMBINING TRAFFIC FILTER EXAMPLES
ALL TRAFFIC FROM ZONE OUTSIDE AND NETWORK 10.10.10.0/24 TO HOST ADDRESS 20.20.20.21 IN THE PROTECT ZONE:
(zone.src eq OUTSIDE) and (addr.src in 10.10.10.0/24) and (addr.dst in 20.20.20.21) and (zone.dst eq PROTECT)
ALL TRAFFIC FROM HOST 1.2.3.4 TO HOST 5.6.7.8 FOR THE TIME RANGE 8/30-31/2015
(addr.src in 1.2.3.4) and (addr.dst in 5.6.7.8) and (receive_time geq '2015/08/30 00:00:00') and (receive_time leq '2015/08/31 23:59:59')
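To make the filter grammar above concrete, here is an added example that is not part of the original post and not Palo Alto's own parser: a small Python evaluator that runs the post's filters (eq/neq/leq/geq, host and CIDR `in`, receive_time comparisons, `and`/`or` with parentheses) over constructed sample log records. It also accepts the bare `addr`/`port`/`zone` shortcut, `notin`, and `not`/`!` negation that come up in the replies; the record layout and the log rows are assumptions built for the demo.

```python
import ipaddress, re
# Token = '(' | ')' | '!' | quoted value (keeps spaces, drops quotes) | bare word
TOKEN = re.compile(r"\(|\)|!|'[^']*'|[^\s()!]+")
def tokenize(text):
    return [t[1:-1] if t.startswith("'") else t for t in TOKEN.findall(text)]
def compare(rec, field, op, value):
    # Bare addr/port/zone (the shortcut suggested in the replies) match src OR dst.
    if field not in rec and field + ".src" in rec:
        return compare(rec, field + ".src", op, value) or compare(rec, field + ".dst", op, value)
    actual = rec[field]
    if op in ("in", "notin"):  # host or CIDR membership; a bare host is a /32
        hit = ipaddress.ip_address(actual) in ipaddress.ip_network(value, strict=False)
        return hit if op == "in" else not hit
    try:                       # ports compare as numbers ...
        actual, value = int(actual), int(value)
    except ValueError:         # ... everything else as text ('yyyy/mm/dd hh:mm:ss' sorts correctly)
        actual = str(actual)
    return {"eq": actual == value, "neq": actual != value,
            "leq": actual <= value, "geq": actual >= value}[op]

class Parser:
    # expr := term ('or' term)* ; term := factor ('and' factor)* ; factor := ('not'|'!') factor | '(' expr ')' | field op value
    def __init__(self, tokens): self.toks, self.i = tokens, 0
    def peek(self): return self.toks[self.i] if self.i < len(self.toks) else None
    def take(self): self.i += 1; return self.toks[self.i - 1]
    def expr(self, rec):
        v = self.term(rec)
        while self.peek() == "or": self.take(); v = self.term(rec) or v
        return v
    def term(self, rec):
        v = self.factor(rec)
        while self.peek() == "and": self.take(); v = self.factor(rec) and v
        return v
    def factor(self, rec):
        t = self.take()
        if t in ("not", "!"): return not self.factor(rec)
        if t == "(": v = self.expr(rec); assert self.take() == ")", "missing ')'"; return v
        return compare(rec, t, self.take().lower(), self.take())

def matches(filter_text, rec):
    p = Parser(tokenize(filter_text)); v = p.expr(rec); assert p.peek() is None, "trailing tokens"; return v
def search(filter_text, records):
    return [r["id"] for r in records if matches(filter_text, r)]

FIELDS = ("id", "addr.src", "addr.dst", "zone.src", "zone.dst", "port.src", "port.dst", "app", "action", "receive_time")
LOGS = [dict(zip(FIELDS, row)) for row in [  # constructed sample records, not real data
    (1, "10.10.10.2", "20.20.20.21", "OUTSIDE", "PROTECT", 23459, 22, "ssh", "allow", "2015/08/31 08:30:00"),
    (2, "10.10.10.9", "8.8.8.8", "PROTECT", "OUTSIDE", 40000, 53, "dns", "allow", "2015/08/30 09:00:00"),
    (3, "1.2.3.4", "5.6.7.8", "OUTSIDE", "PROTECT", 1025, 445, "ms-ds-smb", "deny", "2015/08/31 01:25:00"),
]]
```

`search("(zone.src eq OUTSIDE) and (addr.src in 10.10.10.0/24) and (addr.dst in 20.20.20.21) and (zone.dst eq PROTECT)", LOGS)` returns the ids of the matching records; `and` binds tighter than `or`, so wrap an `or` group in its own parentheses when it must be evaluated first.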
09-01-2015 01:20 AM
Hi Henry,
thanks for the contribution.
One I find useful that is not in the list above is an alteration of your filters in one simple thing - any traffic from or to the object (host, port, zone...) can be selected by using ( addr eq a.a.a.a ) or ( port eq aa ) or ( zone eq aa )
This one is useful to quickly review all traffic to a single address if you are not completely certain what it is you are looking for, but just want to see generally what that host/port/zone communicates with.
Of course, sometimes it is also easy to combine all of the above you listed to pin-point some traffic, but I don't think that needs additional explanation 🙂
Thanks again, regards
Luciano
09-01-2015 03:23 AM
Nice collection.
Another hint for new users is to simply click on a listing type value (like source address) in the monitor logs.
This will add a filter correctly formatted for that specific value.
You can then edit the value to be the one you are looking for.
This way you don't have to memorize the keywords and formats.
You can continue this way to build a multiple filter with different value types as well.
09-01-2015 06:22 AM
Great additional information! I have learned most of what I do based on what I do in my day-to-day tasking. I will add that to my local document I have running here at work!
Thanks!
Glenn
09-01-2015 06:26 AM
Very true! That is how I first learned how to do things. I then started wanting to be able to learn more comprehensive filters like searching for traffic for a specific date/time range using leq and geq. I mainly typed this up for new people coming into our group who don't have the Palo Alto experience, and the courses don't really walk people through filters as detailed as desired. Most people can pick up on the clicking to add a filter to a search though and learn from there. Hey, if I can do it, anyone can do it.
Thanks Steve!
Glenn
09-01-2015 06:32 AM
Luciano,
I just tried your suggestions because they sounded really nice and down and dirty. I had to use (addr in a.a.a.a) instead of (addr eq a.a.a.a). The others worked great! I'm definitely adding this to our growing document here.
Thanks for the great input! I'm always up for learning new ways to do things.
Glenn
09-02-2015 06:34 AM
Hi Glenn,
sorry about that - I did not test them but wrote them from my head.
Another useful type of filtering I use when searching for "interestingness" from one address is this: I will look at all their traffic and then narrow it down by basically removing logs from my view using a filter, for example ( app neq dns ) and ( app neq skype ) and ( app neq skype-probe ) ...et cetera - so (if you see where I am going) I will remove any frequently seen but knowingly benign traffic. So here I removed all and any DNS queries and verbose skype logs from the list, making it easier to find those "odd balls" we are chasing sometimes.
Also, some of the filters (can't remember which ones off the top of my head) cannot be negated by using "n" in front of the "eq", as I negated dns by doing "app NEQ dns". In such cases, use an exclamation point before the brackets, so...
Hope that helps too 🙂 If I remember any others that are useful I will add them here.
Best regards
Luciano
12-14-2020 03:14 PM
How do you do source address contains 10.20.30?
I don't only want to find 10.20.30.1 ... I want to find 10.20.30.x ... anything in that /24.
thanks
Roger
12-14-2020 07:33 PM
Hi @RogerMccarrick You can filter source address as 10.20.30.0/24 and you should see expected result.
12-16-2020 06:47 AM
thanks .. that worked!
09-25-2021 12:29 PM
Hello everyone, does anyone know how this filter works: (addr.dst notin 10.1.1.1) and (addr.dst notin 10.1.1.2) and (addr.dst notin 10.1.1.4)? I don't understand this word "notin". Is there any website to review filters, more advanced and detailed?
06-07-2022 01:36 AM - edited 06-07-2022 01:37 AM
Hi Csolis177
Perhaps I am a bit late, but try:
or for the whole network:
06-07-2022 05:32 PM
In addition to the "not" operator, you can use the equivalent "!" operator. You can also change the order logical operators are applied by rearranging parenthesis placement:
Or:
06-07-2022 07:48 PM