Who Me Too'd this topic

Knowledge sharing: Palo Alto checking for drops (rejects ,discards), slowness (latency) and counters using captures, global counters, flow basic etc.

L6 Presenter

Hello To All,

I will create a short summary about how to do basic checks if the Palo Alto drops or slows down the traffic.

1. First, the pcap capture on the drop stage will show if the firewall drops the traffic, and after that we check why the firewall drops the traffic. If the issue is slowness, do a pcap capture in the transmit and receive stages; you can save/merge them to the same file and compare if there is slowness because of the firewall:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClTJCA0

For issues with management traffic or something like SNMP, DNS, etc., do a tcpdump on the management IP (if you have not changed the default settings for the DNS, SNMP or other services to use a data plane interface), as the normal pcap will not work: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CleECAS

2. After the pcap, for example if a drop or slowness is confirmed to be because of the firewall, use the same capture filter to check the global counters:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CloNCAS

3. If the global counters show a drop because of a policy, do a policy trace. If the global counters show that there is a routing issue, just do a routing test, and if you have PBF, also test it:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClQSCA0

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cla1CAC

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClYJCA0

4. If the issue is still not known, use Flow Basic (flow_basic) with the same pcap filters (it can utilize the CPU, so have good pcap filters).

https://palo-alto.fandom.com/wiki/Flow_Basic

https://palo-alto.fandom.com/wiki/Troubleshooting

5. Also, for slowness issues, just in case check the DNS resolution, WildFire, URL filtering database, etc., or the authentication (it depends on what you have and what you are using, and these are issues on layer 7 content inspection), as they may introduce slowness if there is a network issue between the Palo Alto and the external server it is asking for checks and services:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClaHCAS

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClQcCAK

https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-cli-quick-start/use-the-cli/test-the-configurati...

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PLs2CAG

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClVYCA0

Edit:

You can also enable other debugs together with flow basic, but this is usually done by the Palo Alto TAC. For example, enabling "ctb" will show how the Palo Alto performs the content inspection and URL filtering, and the time the cloud URL database replied to the firewall's request for a URL. Another use case that I know is to see the application shift, if there is an issue with how the Palo Alto changes the matched application, by enabling the "appid" debug. The only place where Palo Alto officially mentions some of the extra debug features is the Clientless VPN troubleshooting: https://docs.paloaltonetworks.com/globalprotect/8-1/globalprotect-admin/globalprotect-clientless-vpn...

[Attached screenshot: NikolayDimitrov_0-1619596411072.png]
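As an added example of the step 1 comparison (this is not code from the post above or from Palo Alto Networks), the Python below matches every packet in a receive-stage capture to its copy in the transmit-stage capture by (source, destination, IP ID), reports the delay the firewall added per packet, and lists packets that entered but never left. The two pcap files are constructed in memory so it runs offline; keying on IP ID assumes the IDs are unique inside the capture window, which is not guaranteed (some stacks send 0 when DF is set), so check a real capture for collisions first.

```python
import struct
from ipaddress import ip_address
GLOBAL_HDR = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # libpcap v2.4, Ethernet

def frame(src, dst, ip_id):
    """Constructed Ethernet/IPv4 frame; only the fields we key on matter."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, ip_id, 0, 64, 17, 0,
                     ip_address(src).packed, ip_address(dst).packed)
    return b"\x00" * 12 + b"\x08\x00" + ip + b"\x00" * 8   # dummy MACs, 8 payload bytes

def pcap(records):
    """Serialise [(timestamp_us, frame_bytes), ...] into pcap file bytes."""
    out = bytearray(GLOBAL_HDR)
    for ts, data in records:
        out += struct.pack("<IIII", ts // 1_000_000, ts % 1_000_000, len(data), len(data))
        out += data
    return bytes(out)

def packets(pcap_bytes):
    """Yield (timestamp_us, (src, dst, ip_id)) for every IPv4 frame in a pcap."""
    off = 24
    while off + 16 <= len(pcap_bytes):
        sec, usec, caplen, _ = struct.unpack_from("<IIII", pcap_bytes, off)
        data = pcap_bytes[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if len(data) < 34 or data[12:14] != b"\x08\x00":
            continue                                       # not IPv4, skip
        ip_id = struct.unpack_from("!H", data, 18)[0]
        src, dst = str(ip_address(data[26:30])), str(ip_address(data[30:34]))
        yield sec * 1_000_000 + usec, (src, dst, ip_id)

def compare(rx_pcap, tx_pcap):
    """Match received packets to transmitted ones by (src, dst, IP ID); return
    (latency_us per packet, packets seen on receive but never on transmit)."""
    tx_seen = {key: ts for ts, key in packets(tx_pcap)}
    latency, missing = {}, []
    for ts, key in packets(rx_pcap):
        if key in tx_seen:
            latency[key] = tx_seen[key] - ts
        else:
            missing.append(key)
    return latency, missing

# Constructed sample: three packets enter the firewall, two leave, one of them 40 ms late.
RX = pcap([(1_000_000, frame("10.1.1.10", "10.2.2.20", 1)),
           (1_000_500, frame("10.1.1.10", "10.2.2.20", 2)),
           (1_001_000, frame("10.1.1.10", "10.2.2.20", 3))])
TX = pcap([(1_000_120, frame("10.1.1.10", "10.2.2.20", 1)),
           (1_041_000, frame("10.1.1.10", "10.2.2.20", 3))])
LATENCY_US, NEVER_TRANSMITTED = compare(RX, TX)   # -> {..1: 120, ..3: 40000}, [(.., 2)]
```

On a real firewall you would read the receive and transmit stage files with open(path, "rb").read() and pass them to compare(); anything in the missing list is then cross-checked against the drop-stage pcap and the global counters from step 2.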

 

 
