Traffic Monitor Filter Basics

Traffic Monitor Filter Basics

L1 Bithead
PURPOSE

The purpose of this document is to demonstrate several methods of filtering and looking for specific types of traffic on the Palo Alto Firewalls. They are broken down into different areas such as host, zone, port, date/time, categories. At the end I have placed just a couple of examples of combining the various search filters together for more comprehensive searching.

There are many different ways to do filters, and these are just a couple of basic ones to get the juices flowing.

Enjoy

 

1.  HOST TRAFFIC FILTER EXAMPLES

     FROM HOST a.a.a.a

          (addr.src in a.a.a.a)

          example: (addr.src in 1.1.1.1) 

          Explanation: this will show all traffic coming from host ip address that matches 1.1.1.1 (addr.src in a.a.a.a)

 

     TO HOST b.b.b.b

          (addr.dst in b.b.b.b)

          example: (addr.dst in 2.2.2.2) 

          Explanation: this will show all traffic with a destination address of a host that matches 2.2.2.2

 

     FROM HOST a.a.a.a TO HOST b.b.b.b

          (addr.src in a.a.a.a) and (addr.dst in b.b.b.b)

          example: (addr.src in 1.1.1.1) and (addr.dst in 2.2.2.2)

          Explanation: this will show all traffic coming from a host with an ip address of 1.1.1.1 and going to a host destination address of 2.2.2.2

 

     TO HOST RANGE

          NOTE: You cannot specify an actual range but can use CIDR notation to specify a network range of addresses

          (addr.src in a.a.a.a/CIDR)

          example:  (addr.src in 10.10.10.2/30)

          Explanation:  this will show all traffic coming from addresses ranging from 10.10.10.1 - 10.10.10.3.

 

2.  ZONE TRAFFIC FILTER EXAMPLES

 

     FROM ZONE zone_a

          (zone.src eq zone_a)

          example: (zone.src eq PROTECT)

          Explanation: this will show all traffic coming from the PROTECT zone

 

     TO ZONE zone_b

          (zone.dst eq zone_b)

          example: (zone.dst eq OUTSIDE)

          Explanation: this will show all traffic going out the OUTSIDE zone

 

     FROM ZONE zone_a TO ZONE zone_b

          (zone.src eq zone_a) and (zone.dst eq zone_b)

          example: (zone.src eq PROTECT) and (zone.dst eq OUTSIDE)

          Explanation: this will show all traffic traveling from the PROTECT zone and going out the OUTSIDE zone

 

3.  PORT TRAFFIC FILTER EXAMPLES

 

     FROM PORT aa

          (port.src eq aa)

          example: (port.src eq 22)

          Explanation: this will show all traffic traveling from source port 22

 

     TO PORT aa

          (port.dst eq aa)

          example: (port.dst eq 25)

          Explanation: this will show all traffic traveling to destination port 25

 

     FROM PORT aa TO PORT bb

          (port.src eq aa) and (port.dst eq bb)

          example: (port.src eq 23459) and (port.dst eq 22)

          Explanation: this will show all traffic traveling from source port 23459 and traveling to destination port 22

 

     FROM ALL PORTS LESS THAN OR EQUAL TO PORT aa

          (port.src leq aa)

          example: (port.src leq 22)

          Explanation: this will show all traffic traveling from source ports 1-22

 

     FROM ALL PORTS GREATER THAN OR EQUAL TO PORT aa

          (port.src geq aa)

          example: (port.src geq 1024)

          Explanation: this will show all traffic traveling from source ports 1024 - 65535

 

     TO ALL PORTS LESS THAN OR EQUAL TO PORT aa

          (port.dst leq aa)

          example: (port.dst leq 1024)

          Explanation: this will show all traffic traveling to destination ports 1-1024

 

     TO ALL PORTS GREATER THAN OR EQUAL TO PORT aa

          (port.dst geq aa)

          example: (port.dst geq 1024)

          Explanation: this will show all traffic traveling to destination ports 1024-65535

 

     FROM PORT RANGE aa THROUGH bb

          (port.src geq aa) and (port.src leq bb)

          example: (port.src geq 20) and (port.src leq 53)

          Explanation: this will show all traffic traveling from source port range 20-53

 

     TO PORT RANGE aa THROUGH bb

          (port.dst geq aa) and (port.dst leq bb)

          example: (port.dst geq 1024) and (port.dst leq 13002)

          Explanation: this will show all traffic traveling to destination ports 1024 - 13002

 

4.  DATE/TIME TRAFFIC FILTER EXAMPLES

 

     ALL TRAFFIC FOR A SPECIFIC DATE yyyy/mm/dd AND TIME hh:mm:ss

          (receive_time eq 'yyyy/mm/dd hh:mm:ss')

          example: (receive_time eq '2015/08/31 08:30:00')

          Explanation: this will show all traffic that was received on August 31, 2015 at 8:30am

 

     ALL TRAFFIC RECEIVED ON OR BEFORE THE DATE yyyy/mm/dd AND TIME hh:mm:ss

          (receive_time leq 'yyyy/mm/dd hh:mm:ss')

          example: (receive_time leq '2015/08/31 08:30:00')

          Explanation: this will show all traffic that was received on or before August 31, 2015 at 8:30am

 

     ALL TRAFFIC RECEIVED ON OR AFTER THE DATE yyyy/mm/dd AND TIME hh:mm:ss

          (receive_time geq 'yyyy/mm/dd hh:mm:ss')

          example: (receive_time geq '2015/08/31 08:30:00')

          Explanation: this will show all traffic that was received on or after August 31, 2015 at 8:30am

 

     ALL TRAFFIC RECEIVED BETWEEN THE DATE-TIME RANGE OF yyyy/mm/dd hh:mm:ss and YYYY/MM/DD HH:MM:SS

          (receive_time geq 'yyyy/mm/dd hh:mm:ss') and (receive_time leq 'YYYY/MM/DD HH:MM:SS')

          example: (receive_time geq '2015/08/30 08:30:00') and (receive_time leq '2015/08/31 01:25:00')

          Explanation: this will show all traffic that was received between August 30, 2015 8:30am and August 31, 2015 01:25am

5.  INTERFACE TRAFFIC FILTER EXAMPLES

 

     ALL TRAFFIC INBOUND ON INTERFACE interface1/x

          (interface.src eq 'ethernet1/x')

          example: (interface.src eq 'ethernet1/2')

          Explanation: this will show all traffic that was received on the PA Firewall interface Ethernet 1/2

 

     ALL TRAFFIC OUTBOUND ON INTERFACE interface1/x

          (interface.dst eq 'ethernet1/x')

          example: (interface.dst eq 'ethernet1/5')

          Explanation: this will show all traffic that was sent out on the PA Firewall interface Ethernet 1/5

 

6.  ALLOWED/DENIED TRAFFIC FILTER EXAMPLES

 

     ALL TRAFFIC THAT HAS BEEN ALLOWED BY THE FIREWALL RULES

          (action eq allow)

          OR

         (action neq deny)

          example: (action eq allow)

          Explanation: this will show all traffic that has been allowed by the firewall rules.  By placing the letter 'n' in front of 'eq' it makes it 'not equal to', so anything not equal to deny will be displayed, which is any allowed traffic.

 

     ALL TRAFFIC THAT HAS BEEN DENIED BY THE FIREWALL RULES

          (action eq deny)

          OR

         (action neq allow)

          example: (action eq deny)

          Explanation: this will show all traffic that has been denied by the firewall rules.  By placing the letter 'n' in front of 'eq' it makes it 'not equal to', so anything not equal to allow will be displayed, which is any denied traffic.

 

7.  COMBINING TRAFFIC FILTER EXAMPLES

 

     ALL TRAFFIC FROM ZONE OUTSIDE AND NETWORK 10.10.10.0/24 TO HOST ADDRESS 20.20.20.21 IN THE PROTECT ZONE:

          (zone.src eq OUTSIDE) and (addr.src in 10.10.10.0/24) and (addr.dst in 20.20.20.21) and (zone.dst eq PROTECT)

 

     ALL TRAFFIC FROM HOST 1.2.3.4 TO HOST 5.6.7.8 FOR THE TIME RANGE 8/30-31/2015

          (addr.src in 1.2.3.4) and (addr.dst in 5.6.7.8) and (receive_time geq '2015/08/30 00:00:00') and (receive_time leq '2015/08/31 23:59:59')

 

 

 

13 REPLIES

L5 Sessionator

Hi Henry,

 

thanks for the contribution.

 

One I find useful that is not in the list above is an alteration of your filters in one simple thing - any traffic from or to the object (host, port, zone...) can be selected by using ( addr eq a.a.a.a ) or ( port eq aa ) or ( zone eq aa)

This one is useful to quickly review all traffic to a single address if you are not completely certain what it is you are looking for, but just want to see generally what that host/port/zone communicates with.

 

Of course, sometimes it is also easy to combine all of the above you listed to pin-point some traffic, but I don't think that needs additional explanation 🙂

 

Thanks again, regards

 

Luciano

L7 Applicator

Nice collection.

 

Another hint for new users is to simply click on a listing type value (like source address) in the monitor logs.  

This will add a filter correctly formatted for that specific value.

You can then edit the value to be the one you are looking for.

 

This way you don't have to memorize the keywords and formats.

 

You can continue this way to build a multiple filter with different value types as well.

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center

Great additional information!  I have learned most of what I do based on what I do on a day-to-day tasking.  I will add that to my local document I have running here at work! 

 

Thanks!

Glenn

Very true!  That is how I first learned how to do things.  I then started wanting to be able to learn more comprehensive filters like searching for traffic for a specific date/time range using leq and geq.  I mainly typed this up for new people coming into our group who don't have the Palo Alto experience, and the courses don't really walk people through filters as detailed as desired.  Most people can pick up on the clicking to add a filter to a search though and learn from there.  Hey, if I can do it, anyone can do it.

Thanks Steve!

Glenn

Luciano,

   I just tried your suggestions because they sounded really nice down and dirty.  I had to use (addr in a.a.a.a) instead of (addr eq a.a.a.a).  The others worked great!  I'm definitely adding this to our growing document here. 

 

Thanks for the great input!  I'm always up for learning new ways to do things.

 

Glenn

Hi Glenn,

 

sorry about that - I did not test them but wrote them from my head.

 

Another useful type of filtering I use when searching for "interestingness" from one address is - I will look at all their traffic and then narrow it down by basically removing logs from my view by using a filter, for example, ( app neq dns ) and ( app neq skype ) and ( app neq skype-probe ) ...et cetera - so (if you see where I am going) - I will remove any frequently seen but knowingly benign traffic ...so here I removed all and any DNS queries and verbose skype logs from the list, making it easier to find those "odd balls" we are chasing sometimes.

 

Also, some of the filters (can't remember which ones from the top of my head) cannot be negated by using "n" in front of the "eq", as I negated dns by doing "app NEQ dns". In such cases, use an exclamation point before the brackets, so...

 

Hope that helps too 🙂 If I remember any others that are useful I will add them here.


Best regards

 

Luciano

L2 Linker

How do you do source address contains 10.20.30?

I don't only want to find 10.20.30.1 ... I want to find 10.20.30.x ... anything in that /24.

 

thanks

 

Roger

Hi @RogerMccarrick You can filter source address as 10.20.30.0/24 and you should see expected result.

M

Check out my YouTube channel - https://www.youtube.com/@NetworkTalks

thanks .. that worked!

L1 Bithead

hello everyone, does anyone know how this filter works: (addr.dst notin 10.1.1.1) and (addr.dst notin 10.1.1.2) and (addr.dst notin 10.1.1.4)? I don't understand this word "notin". Is there any website to review filters, more advanced and detailed? 

Hi Csolis177

 

Perhaps I am a bit late, but try:

  • "and not (addr.dst in 10.1.1.1) and not (addr.dst in 10.1.1.2) and not (addr.dst in 10.1.1.4)"

or for the whole network:

  • "and not (addr.dst in 10.1.1.0/24)"

In addition to the "not" operator, you can use the equivalent "!" operator. You can also change the order logical operators are applied by rearranging parenthesis placement:

  • " and !(addr.dst in 10.1.1.1) and !(addr.dst in 10.1.1.2) and !(addr.dst in 10.1.1.4)"

Or:

  • " and !(addr.dst in 10.1.1.1 or addr.dst in 10.1.1.2 or addr.dst in 10.1.1.4)"

 

Community Team Member

LIVEcommunity team member
Stay Secure,
Jay
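As an added example (not code from the original thread, and not PAN-OS's own parser), here is a small Python parser and evaluator for the filter syntax discussed above: `field operator value` clauses, `and`/`or`, `not`/`!`, parentheses, `in`/`notin` with single hosts or CIDR ranges, and `eq`/`neq`/`leq`/`geq` on ports, zones, apps and `receive_time`. It runs over a handful of constructed log records (assumed field names and values modelled on the thread), and includes the direction-less `addr`/`port`/`zone` shortcut from Luciano's reply; the firewall's real parser may differ in details such as case sensitivity.

```python
import ipaddress
import re
FIELDS = ("addr.src", "addr.dst", "port.dst", "zone.src", "zone.dst", "app", "action", "receive_time")
LOGS = [dict(zip(FIELDS, row)) for row in [  # constructed sample records, not real firewall output
    ("10.20.30.7", "10.1.1.1", 53, "PROTECT", "OUTSIDE", "dns", "allow", "2015/08/30 09:00:00"),
    ("1.2.3.4", "5.6.7.8", 22, "PROTECT", "OUTSIDE", "ssh", "allow", "2015/08/31 01:00:00"),
    ("10.20.30.9", "10.1.1.4", 443, "OUTSIDE", "PROTECT", "skype", "deny", "2015/08/31 08:30:00"),
    ("192.0.2.5", "10.1.1.200", 25, "OUTSIDE", "PROTECT", "smtp", "allow", "2015/09/01 00:00:00"),
]]
TOKEN = re.compile(r"\(|\)|!|'[^']*'|[^\s()!']+")  # parens, "!", 'quoted value', or a bare word

def parse(expr):  # recursive descent; precedence is not/! over and over or; returns a tuple AST
    toks, pos = TOKEN.findall(expr) + [None], [0]  # None marks the end of input
    def take():
        if toks[pos[0]] is None: raise ValueError("filter ends too early")
        pos[0] += 1; return toks[pos[0] - 1]
    def p_bin(level):  # level 0 parses "or" chains, level 1 parses "and" chains
        word, sub = ("or", "and")[level], (lambda: p_bin(1)) if level == 0 else p_not
        node = sub()
        while toks[pos[0]] == word:
            take(); node = (word, node, sub())
        return node
    def p_not():
        if toks[pos[0]] in ("not", "!"):  # "not (...)" and "!(...)" are equivalent
            take(); return ("not", p_not())
        if toks[pos[0]] == "(":
            take(); node = p_bin(0)
            if take() != ")": raise ValueError("missing ')'")
            return node
        return ("cmp", take(), take(), take().strip("'"))  # field operator value
    ast = p_bin(0)
    if toks[pos[0]] is not None: raise ValueError("unexpected token: " + toks[pos[0]])
    return ast

def evaluate(node, log):
    if node[0] == "not": return not evaluate(node[1], log)
    if node[0] in ("and", "or"): return (all if node[0] == "and" else any)(evaluate(c, log) for c in node[1:])
    _, field, op, value = node
    if field in ("addr", "port", "zone"):  # either direction, as in Luciano's reply
        return any(evaluate(("cmp", field + d, op, value), log) for d in (".src", ".dst"))
    actual = log.get(field)
    if actual is None: return False
    if op in ("in", "notin"):  # single host or CIDR membership, negated for notin
        return (ipaddress.ip_address(actual) in ipaddress.ip_network(value, strict=False)) == (op == "in")
    if field.startswith("port."): actual, value = int(actual), int(value)
    # receive_time is zero-padded 'yyyy/mm/dd hh:mm:ss', so plain string order is time order
    return {"eq": actual == value, "neq": actual != value, "leq": actual <= value, "geq": actual >= value}[op]

def select(expr, logs=LOGS):  # indexes of the records matched by the filter string
    return [i for i, log in enumerate(logs) if evaluate(parse(expr), log)]
```

`select("!(addr.dst in 10.1.1.1 or addr.dst in 10.1.1.4)")` and the chained `notin` form from the question above select the same records, which is the equivalence Jay's reply describes.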