98.1 98 Packet Capture

This document discusses how to perform packet capture on Palo Alto Networks firewalls. It provides the following key details:
- Packet capture can be used to troubleshoot network issues but is CPU intensive and can impact firewall performance.
- Filters should be defined to capture only relevant packets and reduce processing load.
- Packets can be captured at different stages as they ingress and egress the firewall.
- Captured packets can be downloaded and analyzed in Wireshark.
- The packet capture feature can be managed through the firewall's GUI or CLI.


Packet Capture:

o All Palo Alto Networks firewalls have a built-in packet capture (pcap) feature.
o You can use it to capture packets that traverse the network interfaces on the firewall.
o You can then use the captured data for troubleshooting purposes.
o The packet capture feature is CPU-intensive and can degrade firewall performance.
o Only use this feature when necessary, and turn it off after you collect the required packets.
o You can configure the firewall to perform a custom packet capture or a threat packet capture.
o Packet captures are session based, so a single filter captures both client-to-server (C2S) and server-to-client (S2C) traffic.
o Packets are captured on the firewall dataplane, not only on the interface.
o Pre-Parse Match is a feature that captures all packets before they are processed by the engines on the dataplane.
o When filtering is enabled, only new sessions are marked for filtering and captured; existing sessions are not.

Options and descriptions:

Manage Filters: When enabling custom packet captures, you should define filters so that only the packets that match the filters are captured. This makes it easier to locate the information you need in the pcaps and reduces the processing power required by the firewall to perform the packet capture.

Filtering: After defining filters, set Filtering to ON. If Filtering is OFF, all traffic is captured.

Pre-Parse Match: After a packet enters the ingress port, it proceeds through several processing steps before it is parsed for matches against pre-configured filters. Set Pre-Parse Match to ON to emulate a positive match for every packet entering the system.

Packet Capture: Click the toggle switch to turn packet capture ON or OFF.

Clear All Settings: Click Clear All Settings to turn off packet capture and to clear all packet capture settings.

Captured Files: Contains a list of custom packet captures previously generated by the firewall. Click a file to download it to your computer. To delete a packet capture, select the packet capture and then Delete it.

1 | P a g e Created by Ahmad Ali E-Mail: ahmadalimsc@gmail.com , Mobile: 056 430 3717


Packet Capture Topology:

Stages and descriptions:

Drop: The stage where packets get discarded, so this is where you will see dropped packets. The reasons may vary.

Receive: The packet as it hits the firewall (inbound). This stage captures packets as they ingress the firewall, before they go into the firewall engine. When NAT is configured, these packets are pre-NAT.

Transmit: The packet as it leaves the firewall, so a good stage to see outbound packets. This stage captures packets as they egress the firewall engine. If NAT is configured, these packets are post-NAT.

Firewall: The packet as it is inspected against policy. This stage captures packets in the firewall stage.

Source and Destination IP           Stage            Description
192.168.140.60 - 192.168.140.100    Receive Stage    Server to Firewall
192.168.122.150 - 192.168.122.100   Receive Stage    Remote PC to Firewall
192.168.140.100 - 192.168.140.60    Transmit Stage   Firewall to Server
192.168.122.100 - 192.168.122.150   Transmit Stage   Firewall to Remote PC



Packet Capture Lab:

Browse to Monitoring > Packet Capture, then create and manage the packet capture filter.

Filter options and descriptions:

Id: Enter or select an identifier for the filter.

Ingress Interface: Select the ingress interface on which you want to capture traffic.

Source: Specify the source IP address of the traffic to capture.

Destination: Specify the destination IP address of the traffic to capture.

Src Port: Specify the source port of the traffic to capture.

Dest Port: Specify the destination port of the traffic to capture.

Proto: Specify the protocol number to filter (1-255). For example, ICMP is protocol number 1.

Non-IP: Choose how to treat non-IP traffic (exclude all IP traffic, include all IP traffic, include only IP traffic, or do not include an IP filter).

IPv6: Select this option to include IPv6 packets in the filter.

To enable the packet filter, drag the Filtering toggle to ON; it turns blue when enabled.



Create stages at which to capture packets and name the files.

To enable packet capture, drag the Packet Capture toggle to ON; it turns blue when enabled.



Download the capture file(s) via HTTP by clicking the file link after refreshing the capture page.

Open the downloaded packet captures in Wireshark, then go to File > Merge to combine the downloaded capture files, such as Receive, Transmit and Firewall.

After merging, the Receive and Transmit packets are displayed together in Wireshark.

To clear all packet capture settings, click Clear All Settings.
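The Wireshark merge step above, and the earlier note that a single session-based filter captures both C2S and S2C traffic, can be reproduced offline. The following Python script is an added example and is not part of the original document or of any Palo Alto Networks tooling: it builds two tiny libpcap files standing in for RX.pcap (receive stage) and TX.pcap (transmit stage) from the topology table's addresses, merges them chronologically while tagging each packet with its stage, and applies a session-style "match source" filter. The frames, timestamps and MAC addresses are constructed sample data, and the function names are the example's own.

```python
"""Merge PAN-OS stage captures chronologically and apply a session-style filter.

Constructed sample: two tiny libpcap files standing in for RX.pcap (receive
stage) and TX.pcap (transmit stage) using the IPs from the topology table.
"""
import struct
from ipaddress import IPv4Address

PCAP_MAGIC = 0xA1B2C3D4      # libpcap magic, microsecond timestamps
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
PROTO_ICMP = 1


def icmp_frame(src, dst, icmp_type, ident=0x1234, seq=1):
    """Construct an Ethernet/IPv4/ICMP echo frame (sample input, not sent).
    IP and ICMP checksums are left zero; the parser below does not verify them."""
    eth = bytes.fromhex("000000000002") + bytes.fromhex("000000000001")
    eth += struct.pack("!H", ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, ident, 0, 64, PROTO_ICMP, 0,
                     IPv4Address(src).packed, IPv4Address(dst).packed)
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    return eth + ip + icmp


def build_pcap(records):
    """Serialise (timestamp_us, frame) pairs into a libpcap byte stream."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for ts_us, frame in records:
        out += struct.pack("<IIII", ts_us // 1_000_000, ts_us % 1_000_000,
                           len(frame), len(frame))
        out += frame
    return out


def read_pcap(data):
    """Yield (timestamp_us, frame) from a little-endian libpcap byte stream."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian microsecond pcap")
    linktype, = struct.unpack_from("<I", data, 20)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet link type handled")
    off = 24
    while off + 16 <= len(data):
        sec, usec, incl_len, _orig_len = struct.unpack_from("<IIII", data, off)
        off += 16
        yield sec * 1_000_000 + usec, data[off:off + incl_len]
        off += incl_len


def decode_ipv4(frame):
    """Return {src, dst, proto[, icmp_type]} for an IPv4 frame, else None."""
    if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
        return None
    ihl = (frame[14] & 0x0F) * 4
    rec = {"src": str(IPv4Address(frame[26:30])),
           "dst": str(IPv4Address(frame[30:34])),
           "proto": frame[23]}
    if rec["proto"] == PROTO_ICMP and len(frame) > 14 + ihl:
        rec["icmp_type"] = frame[14 + ihl]
    return rec


def merge_stages(stage_pcaps):
    """Merge {stage_name: pcap_bytes} into one timestamp-ordered list, tagging
    every packet with the stage it was captured at (what Wireshark's File >
    Merge does for RX.pcap and TX.pcap)."""
    merged = []
    for stage, data in stage_pcaps.items():
        for ts_us, frame in read_pcap(data):
            rec = decode_ipv4(frame)
            if rec is not None:
                rec.update(ts_us=ts_us, stage=stage)
                merged.append(rec)
    merged.sort(key=lambda r: r["ts_us"])
    return merged


def session_filter(records, source):
    """Approximate the firewall's session-based 'match source' filter: keep
    packets where the address is the source (C2S) or the destination (S2C)."""
    return [r for r in records if source in (r["src"], r["dst"])]


# Constructed sample captures using the topology table's addresses.
SAMPLE_RX = build_pcap([
    (1_000_000, icmp_frame("192.168.140.60", "192.168.140.100", 8)),   # server echo request
    (2_000_000, icmp_frame("192.168.122.150", "192.168.122.100", 8)),  # remote PC echo request
])
SAMPLE_TX = build_pcap([
    (1_000_400, icmp_frame("192.168.140.100", "192.168.140.60", 0)),   # reply to server
    (2_000_300, icmp_frame("192.168.122.100", "192.168.122.150", 0)),  # reply to remote PC
])

if __name__ == "__main__":
    for r in merge_stages({"receive": SAMPLE_RX, "transmit": SAMPLE_TX}):
        print(f'{r["ts_us"]:>8} {r["stage"]:<8} {r["src"]} -> {r["dst"]} '
              f'icmp type {r.get("icmp_type")}')
```

To use it on real downloads, replace SAMPLE_RX and SAMPLE_TX with the bytes of RX.pcap and TX.pcap; the merged listing shows each request in the receive stage followed by its reply in the transmit stage, and session_filter keeps both directions for one filtered address.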



Packet Capture CLI:

Enable the packet filter and set the filter match


> debug dataplane packet-diag set filter on
> debug dataplane packet-diag set filter match source 192.168.140.60

Create the Drop, Receive, Firewall and Transmit stages


> debug dataplane packet-diag set capture stage drop file DP.pcap
> debug dataplane packet-diag set capture stage receive file RX.pcap
> debug dataplane packet-diag set capture stage firewall file FW.pcap
> debug dataplane packet-diag set capture stage transmit file TX.pcap

Enable packet capture and display the settings


> debug dataplane packet-diag set capture on
> debug dataplane packet-diag show setting

View the pcap files


> view-pcap follow yes filter-pcap DP.pcap
> view-pcap follow yes filter-pcap RX.pcap
> view-pcap follow yes filter-pcap FW.pcap
> view-pcap follow yes filter-pcap TX.pcap

Disable and clear the packet filter and capture


> debug dataplane packet-diag set filter off
> debug dataplane packet-diag set capture off
> debug dataplane packet-diag clear filter all
> debug dataplane packet-diag clear capture all
