- Access exclusive content
- Connect with peers
- Share your expertise
- Find support resources
04-27-2021 12:28 AM - edited 06-14-2021 02:01 AM
Hello To All,
I will create a short summary about how to do basic checks if the palo alto drops or slows down the traffic.
1. First the pcap capture on the drop stage will show if the firewall drops the traffic and after that we check why the firewall drops the traffic. If the issue is slowness doing a pcap capture in transmit and receive state and you can save/merge them to the sae file and compare if there slowness because of the firewall:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClTJCA0
For issues with a managment traffic or something like SNMP, DNS, etc. do tcpdump on the managment IP (if you have not changed the dafult settings for the DNS, SNMP or other services to use a data plane interface) as the normal pcap will not work https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CleECAS
2. After the pcap and for example if a drop or slowness is confurmed to be because of the firewall use the same capture filter for to check the global counters:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CloNCAS
3. If the global counters show a drop because of a policy, do policy trace. If the global counters show that there is routing issue, just do a routing test and if you have PBF, also test it:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClQSCA0
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cla1CAC
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClYJCA0
4. If the issue is still not known use Flow Basic (flow_basic) with the same pcap filters (it could can utilize the CPU, so have good pcap filters).
https://palo-alto.fandom.com/wiki/Flow_Basic
https://palo-alto.fandom.com/wiki/Troubleshooting
5. Also for slowness issues just in case check the DNS resolution, Wildfire, URL filtering database, etc. or the authentication (depends on what you have and what you are using and this are issues on layer 7 content inspection) as they may introduce slowness if the there is network issue between palo alto and the external server it is asking for checks and services:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClaHCAS
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClQcCAK
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PLs2CAG
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClVYCA0
Edit:
You can also enable other debugs together with flow basic but this usually is done by the Palo Alto TAC. For example enabling "ctb" will show how palo alto performs the content inspection and url filtering and time the cloud url database replied to the firewall's request for a URL. Other use case that I know is to see the application shift if there is an issue how the Palo Alto changes the matched application by enabling the "appid" debug. The only place where Palo Alto officially mentions some of the extra debug features is for the Clientless VPN troubleshooting https://docs.paloaltonetworks.com/globalprotect/8-1/globalprotect-admin/globalprotect-clientless-vpn...