How to show the auditing process of objects during policy auditing


Hi Everyone,

I'm a new member and new to Palo Alto FW.
Currently, I have done a dump of the rule checking process, but I cannot show the process of checking each object against the rules in the firewall, so that I can clearly see the rule checking and the matching of objects before it determines which rule will be selected to handle the traffic.
For Check Point I can show this checking process, but on Palo Alto I can't show it. Below is the dump information that I captured on my lab system.


--- Dump on Palo Alto ---

== 2023-12-14 09:32:12.435 +0700 ==

Packet received at slowpath stage, tag 282600755, type ATOMIC

Packet info: len 66 port 17 interface 17 vsys 1

  wqe index 19617 packet 0x0xe019a7d900, HA: 0, IC: 0

Packet decoded dump:

L2:     00:0c:29:fd:7b:6e->00:0c:29:b0:b9:0b, type 0x0800

IP:     192.168.11.50->142.250.204.46, protocol 6

        version 4, ihl 5, tos 0x00, len 52,

        id 2030, frag_off 0x4000, ttl 128, checksum 53963(0xcbd2)

TCP:    sport 1139, dport 443, seq 573575143, ack 0,

        reserved 0, offset 8, window 8192, checksum 61383,

        flags 0x02 ( SYN), urgent data 0, l4 data len 0

TCP option:

00000000: 02 04 05 b4 01 03 03 08  01 01 04 02                ........ ....

Session setup: vsys 1

PBF lookup (vsys 1) with application ssl

Session setup: ingress interface ethernet1/2 egress interface ethernet1/1 (zone 1)

2023-12-14 09:32:12.435 +0700 debug: pan_policy_lookup(pan_policy.c:2402): [ACE] Trigger slow match for appid(0) uappid(0)

2023-12-14 09:32:12.435 +0700 debug: pan_policy_match_service(pan_policy.c:1613): match 0,0 for app 0 uapp 0 proto 6 sport 1139 dport 443

NAT policy lookup, matched rule index 0

DoS policy lookup, no rule matched, let pkt go

2023-12-14 09:32:12.435 +0700 debug: pan_policy_lookup(pan_policy.c:2402): [ACE] Trigger slow match for appid(0) uappid(0)

2023-12-14 09:32:12.435 +0700 debug: pan_policy_match_service(pan_policy.c:1613): match 0,0 for app 0 uapp 0 proto 6 sport 1139 dport 443

Policy lookup, matched rule index 3,

TCI_INSPECT: Do TCI lookup policy - appid 0

Allocated new session 1362. => Show session below

set exclude_video in session 1362 0xe02ede3d80 0 from work 0xe0189e3400 0

Rule: index=0 name=Inside_Nets_To_Internet, cfg_pool_idx=1 cfg_fallback_pool_idx=0

NAT Rule: name=Inside_Nets_To_Internet, cfg_pool_idx=1; Session: index=1362, nat_pool_idx=1

Packet matched vsys 1 NAT rule 'Inside_Nets_To_Internet' (index 1),

source translation 192.168.11.50/1139 => 203.0.113.100/1288

no NPB policy

Created session, enqueue to install. work 0xe0189e3400 exclude_video 0,session 1362 0xe02ede3d80 exclude_video 0

 

Show session:

admin@PA-VM> show session id 1362

 

Session            1362

 

        c2s flow:

                source:      192.168.11.50 [User]

                dst:         142.250.204.46

                proto:       6

                sport:       1139            dport:      443

                state:       INIT            type:       FLOW

                src user:    unknown

                dst user:    unknown

 

        s2c flow:

                source:      142.250.204.46 [Outside]

                dst:         203.0.113.100

                proto:       6

                sport:       443             dport:      1288

                state:       INIT            type:       FLOW

                src user:    unknown

                dst user:    unknown

 

        start time                           : Thu Dec 14 09:32:11 2023

        timeout                              : 15 sec

        total byte count(c2s)                : 6566

        total byte count(s2c)                : 36469

        layer7 packet count(c2s)             : 25

        layer7 packet count(s2c)             : 39

        vsys                                 : vsys1

        application                          : youtube-base

        rule                                 : allow-user-internet

        service timeout override(index)      : False

        session to be logged at end          : True

        session in session ager              : False

        session updated by HA peer           : False

        address/port translation             : source

        nat-rule                             : Inside_Nets_To_Internet(vsys1)

        layer7 processing                    : completed

        URL filtering enabled                : False

        session via syn-cookies              : False

        session terminated on host           : False

        session traverses tunnel             : False

        session terminate tunnel             : False

        captive portal session               : False

        ingress interface                    : ethernet1/2

        egress interface                     : ethernet1/1

        session QoS rule                     : N/A (class 4)

        tracker stage firewall               : TCP FIN

        tracker stage l7proc                 : ctd decoder done

        end-reason                           : tcp-fin

 

 

---- Dump on CheckPoint ----

@;16753377;[cpu_1];[fw4_0];1:[SID: 1799761] {rulebase} up_sub_policy_match: **round 1**;

@;16753377;[cpu_1];[fw4_0];1:[SID: 1799761] {rulebase} up_column_ip_opm_match: matching column Destination (handle ffffc200196c6df8);

...

@;16753377;[cpu_1];[fw4_0];1:[SID: 1799761] {match} up_column_ip_do_old_zones_match: dst conn_type: 1;

@;16753377;[cpu_1];[fw4_0];1:[SID: 1799761] {match} up_column_ip_do_old_zones_match: zone rulenum list is empty for conn_type: 1;

@;16753377;[cpu_1];[fw4_0];1:[SID: 1799761] {rulebase} up_column_ip_do_ip_ranges_match: matching IP 10.15.16.68;

......

 

Thanks in advance
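As an added example that is not part of the post above (my code, not PAN-OS or Check Point tooling): the flow-basic dump only records the index of the rule each lookup stage hit, while `show session id` gives the rule name and the installed NAT result, so a small parser that pulls the decision chain out of both outputs and cross-checks them is the practical way to read this data. It assumes the exact line shapes quoted above and runs on constructed sample excerpts.

```python
import re
# Constructed excerpts in the shape of the two outputs quoted above (sample data).
FLOW_DUMP = """\
NAT policy lookup, matched rule index 0
DoS policy lookup, no rule matched, let pkt go
Policy lookup, matched rule index 3,
Allocated new session 1362. => Show session below
Packet matched vsys 1 NAT rule 'Inside_Nets_To_Internet' (index 1),
source translation 192.168.11.50/1139 => 203.0.113.100/1288
"""
SESSION_OUTPUT = """\
Session            1362
        s2c flow:
                dst:         203.0.113.100
                sport:       443             dport:      1288
        rule                                 : allow-user-internet
        nat-rule                             : Inside_Nets_To_Internet(vsys1)
"""

def parse_flow_dump(text):
    """Extract the ordered policy-lookup decisions from a flow-basic slowpath dump."""
    d = {"lookups": []}
    for line in text.splitlines():
        m = re.match(r"(\w+ policy lookup|Policy lookup), "
                     r"(?:matched rule index (\d+)|no rule matched)", line)
        if m:  # one entry per lookup stage; index None when the stage had no hit
            d["lookups"].append((m.group(1), int(m.group(2)) if m.group(2) else None))
        for key, pat in (("session", r"Allocated new session (\d+)"), ("nat_rule", r"NAT rule '([^']+)'"),
                         ("src_xlate", r"source translation \S+ => (\S+)")):
            m = re.search(pat, line)
            if m:
                d[key] = int(m.group(1)) if key == "session" else m.group(1)
    return d

def parse_session(text):
    """Pull rule name, NAT rule and post-NAT source out of 'show session id' output."""
    s2c = text.split("s2c flow:")[1]  # return direction: its dst is the translated source
    find = lambda pat, src=text: re.search(pat, src, re.M).group(1)
    return {"id": int(find(r"^Session\s+(\d+)")),
            "rule": find(r"^\s+rule\s+:\s+(\S+)"),
            "nat_rule": find(r"nat-rule\s+:\s+([^(\s]+)"),
            "s2c_dst": find(r"dst:\s+(\S+)", s2c) + "/" + find(r"dport:\s+(\d+)", s2c)}

def correlate(flow, session):
    """List discrepancies between the slowpath decision and the installed session."""
    checks = (("session id", flow.get("session"), session["id"]),
              ("NAT rule", flow.get("nat_rule"), session["nat_rule"]),
              ("translated source", flow.get("src_xlate"), session["s2c_dst"]))
    return ["%s: dump=%r session=%r" % c for c in checks if c[1] != c[2]]
```

An empty list from `correlate` means the NAT rule and translated source seen at slowpath are what the session table installed; the security rule itself is only identifiable by name through the session output, since the dump carries just its index.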
