Viewing offloaded sessions in CLI


System is a PA-3050 running SW version 7.1.7

 

Does the CLI still show the "Offload: yes" output in 'show session id <session-id-#>' for this version of software?

 

I recall seeing this flag for certain sessions in prior versions. Lately I have been troubleshooting some issues and have not seen that flag for any of the sessions being viewed. Hardware offloading is enabled (per 'show session info') and many of the sessions are showing layer7 processing completed.

 

If I have read the Admin guide correctly, at least SSL traffic should be offloaded once L7 processing has been completed. However, I am not seeing that this is the case, unless there are other parameters in the sessions I'm viewing that are causing them to not be offloaded.

 

Any other areas to check to show which sessions are offloaded? Have not had luck in the GUI session browser, either.

Accepted Solutions

you can see that in the l7proc status if it changes to ctd decode bypass:

 

 

admin@myNGFW> show session id 6

Session               6

        c2s flow:
                source:      192.168.0.34 [v1-trust]
                dst:         198.51.100.1
                proto:       6
                sport:       56987           dport:      22
                state:       ACTIVE          type:       FLOW
                src user:    reaper
                dst user:    unknown
                qos node:    ethernet1/1, qos member  Qid 0
                match src interface:  any
                match src address:    ('any                  ',)

 ...
        ingress interface                    : ethernet1/2
        egress interface                     : ethernet1/1
        session QoS rule                     : N/A (class 4)
        tracker stage l7proc                 : ctd decoder bypass
        end-reason                           : unknown

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization
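
An added example, not part of the reply above and not Palo Alto Networks code: a Python parser for saved `show session id` output that pulls out the `tracker stage l7proc` value the reply points to, and also checks for the `offload` field recalled in the question. The sample text is constructed from the quoted output; the function names, the `placeholder-stage` value and the exact spelling of an `offload` attribute are assumptions.

```python
import re

# Constructed sample: session 6 follows the output quoted in the reply above;
# session 7 and its stage value are placeholders made up for this example.
SAMPLE = """\
Session               6

        c2s flow:
                source:      192.168.0.34 [v1-trust]
                sport:       56987           dport:      22

        ingress interface                    : ethernet1/2
        tracker stage l7proc                 : ctd decoder bypass
        end-reason                           : unknown

Session               7

        tracker stage l7proc                 : placeholder-stage
"""

SESSION = re.compile(r"^\s*Session\s+(\d+)\s*$")
# Session-level attributes print as "name : value"; flow fields ("source:   x")
# have no space before the colon, so this pattern skips them.
ATTRIBUTE = re.compile(r"^\s*(\S.*?)\s+:\s+(.*\S)\s*$")
BYPASS = "ctd decoder bypass"  # value shown in the reply's output


def parse_sessions(text):
    """Map session id -> {attribute: value} for saved CLI output."""
    sessions, current = {}, None
    for line in text.splitlines():
        if m := SESSION.match(line):
            current = sessions.setdefault(int(m.group(1)), {})
        elif current is not None and (m := ATTRIBUTE.match(line)):
            current[m.group(1).lower()] = m.group(2)
    return sessions


def offload_hint(attrs):
    """Classify one session using only the two indicators named in the thread."""
    if attrs.get("offload", "").lower() == "yes":  # assumed field, per the question
        return "offload flag set"
    if attrs.get("tracker stage l7proc", "").lower() == BYPASS:
        return "l7proc bypass"
    return "no indicator"


def report(text):
    # One hint per session id found in the saved output.
    return {sid: offload_hint(a) for sid, a in parse_sessions(text).items()}
```
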


5 REPLIES

Cyber Elite

Do you have session offload actually enabled? 

@edwin.s.summers.ctr doesn't look like this is actually monitored anymore; it simply happens at the hardware level if it's on.

 

Note: Some Palo Alto Networks firewalls include a Hardware Offload feature that optimizes the
handling of traffic. Offloaded traffic will not appear in packet captures in either the WebUI or
the CLI. PA-2000 Series, PA-3050, PA-3060, PA-4000 Series, PA-5000 Series, and PA-7000 Series
firewalls all have this feature. In order to guarantee that all packets are available for capture, a
CLI must be run to temporarily disable Hardware Offload. See the following information for
details and disclosures about CPU impact.


Thanks, reaper! Is this as well as the various values for the 'tracker stage' field documented? I have not been able to find this using Google and Live searches, and just searched the PANOS 7.1 Admin guide without result either. Greatly appreciated.

Hi Edwin

 

No, these are not documented. Most of the l7 stages can have multiple meanings, depending on the state and type of your session, your hardware and configuration, and require deep-dive debugging to correctly interpret. Trying to properly document these would be messy and confusing (like, 3d flow-chart confusing 😉 ); reading the output of the flow/ctd basic is far more meaningful.

 

If you want to learn more, you should look into flow basic (ctd basic, appid basic, etc.) here: Getting Started: Flow Basic

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization