Paloalto firewall packet capturing

From Notes_Wiki

For complex issues a packet capture can give considerable insight. To capture packets on a Paloalto firewall:

  1. Go to Monitor -> Packet Capture.
  2. First define the filters for the capture. A filter can match on source / destination IP, protocol number (eg 1 for ICMP, 6 for TCP, 17 for UDP), IP or non-IP, interface name, etc. Up to four filters can be defined; the filters are OR'ed together, while the options within a single filter are AND'ed together. Filters are matched on packets as they enter the firewall, so to also see the return direction of a session add a second filter with source and destination swapped (using the post-NAT addresses where NAT applies).
    Note that although packets on IPSec tunnels can be captured, not all of them seem to be captured: at least packets transmitted over the tunnel do not show up, while received packets are shown properly.
  3. Under Packet Capture add a capture for each stage of interest: receive, transmit, firewall or drop, each with its own file name. More than one stage can be configured at the same time.
  4. Then enable filtering, and only after that enable capturing.
  5. Once done, disable capturing first and only then disable filtering.
    Note that the order matters: if filtering is disabled while capturing is still on, the capture briefly runs unfiltered and picks up packets that would not have passed the filter. Stopping capturing first avoids this.
  6. Download the pcap file of each stage (receive, transmit, etc.) and analyze them.
  7. Delete the capture files once the work is done.
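
The stage correlation one usually wants from step 6, as an added example (this is not code from the original page or from Palo Alto Networks): a stdlib-only Python script that reads the receive, firewall, transmit and drop stage pcaps, counts packets per IPv4 flow and stage, and lists flows that entered the firewall but were never transmitted, together with whether the drop stage recorded them. It assumes the downloaded stage files are classic pcap files with an Ethernet or raw IP link layer; the packets in SAMPLE_CAPTURES are constructed inline so the script runs offline, and the _ipv4_frame and build_pcap helpers exist only to build that sample.

```python
import socket
import struct
from collections import defaultdict
from pathlib import Path

STAGES = ("receive", "firewall", "transmit", "drop")   # the four PAN-OS capture stages
LINKTYPE_ETHERNET, LINKTYPE_RAW = 1, 101                # link layers handled by flow_key
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}

def _ipv4_frame(src, dst, proto, sport=0, dport=0):
    """Constructed Ethernet + IPv4 frame with a minimal ICMP/UDP/TCP header (sample data only)."""
    if proto == 1:
        l4 = struct.pack("!BBHHH", 8, 0, 0, 1, 1)                      # ICMP echo request
    elif proto == 17:
        l4 = struct.pack("!HHHH", sport, dport, 8, 0)                   # UDP header
    else:
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0)  # TCP SYN
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return b"\x00" * 12 + b"\x08\x00" + ip + l4                        # zero MACs + EtherType IPv4

def build_pcap(frames, linktype=LINKTYPE_ETHERNET):
    """Serialise frames into a classic (non-pcapng) little-endian pcap file."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1_700_000_000, i, len(frame), len(frame)) + frame
    return out

def iter_pcap(data):
    """Yield (linktype, frame_bytes) for every record of a classic pcap file."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic in (0xA1B2C3D4, 0xA1B23C4D):
        endian = "<"
    elif magic in (0xD4C3B2A1, 0x4D3CB2A1):
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    linktype, = struct.unpack_from(endian + "I", data, 20)
    off = 24
    while off + 16 <= len(data):
        _sec, _frac, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        yield linktype, data[off:off + incl_len]
        off += incl_len

def flow_key(linktype, frame):
    """(src, dst, proto, sport, dport) for an IPv4 packet; None for anything else."""
    if linktype == LINKTYPE_ETHERNET:
        if len(frame) < 14 or frame[12:14] != b"\x08\x00":
            return None                                   # ARP, IPv6, VLAN-tagged ... skipped
        pkt = frame[14:]
    elif linktype == LINKTYPE_RAW:
        pkt = frame
    else:
        return None
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl, proto = (pkt[0] & 0x0F) * 4, pkt[9]
    sport = dport = 0
    if proto in (6, 17) and len(pkt) >= ihl + 4:          # ports only exist for TCP/UDP
        sport, dport = struct.unpack_from("!HH", pkt, ihl)
    return (socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20]), proto, sport, dport)

def stage_matrix(captures):
    """captures: {stage: pcap bytes}. Returns {flow: {stage: packet count}}."""
    matrix = defaultdict(lambda: dict.fromkeys(STAGES, 0))
    for stage, data in captures.items():
        for linktype, frame in iter_pcap(data):
            key = flow_key(linktype, frame)
            if key is not None:
                matrix[key][stage] += 1
    return dict(matrix)

def stage_matrix_from_files(paths):
    """paths: {stage: path of the pcap downloaded for that stage}."""
    return stage_matrix({stage: Path(p).read_bytes() for stage, p in paths.items()})

def lost_flows(matrix):
    """Flows seen at receive but never at transmit. A drop count means the firewall
    discarded them; no drop count usually means NAT changed the key in the transmit
    file, or no filter covered that direction."""
    return {f: c for f, c in matrix.items() if c["receive"] and not c["transmit"]}

# Constructed sample: an allowed DNS query and ping, plus an SSH attempt the policy drops.
_dns = _ipv4_frame("10.1.1.20", "8.8.8.8", 17, 51000, 53)
_ping = _ipv4_frame("10.1.1.20", "8.8.8.8", 1)
_ssh = _ipv4_frame("10.1.1.20", "203.0.113.7", 6, 40000, 22)
SAMPLE_CAPTURES = {
    "receive": build_pcap([_dns, _ping, _ssh]),
    "firewall": build_pcap([_dns, _ping, _ssh]),
    "transmit": build_pcap([_dns, _ping]),
    "drop": build_pcap([_ssh]),
}

def main():
    matrix = stage_matrix(SAMPLE_CAPTURES)
    print(f"{'flow':<44}" + "".join(f"{s:>10}" for s in STAGES))
    for (src, dst, proto, sp, dp), counts in matrix.items():
        flow = f"{src}:{sp} -> {dst}:{dp} {PROTO_NAMES.get(proto, proto)}"
        print(f"{flow:<44}" + "".join(f"{counts[s]:>10}" for s in STAGES))
    for flow, counts in lost_flows(matrix).items():
        print("LOST:", flow, "dropped by the firewall" if counts["drop"]
              else "no drop record: check NAT and filter direction")

if __name__ == "__main__":
    main()
```

To run it against real downloads, pass a {stage: path} mapping to stage_matrix_from_files. A flow listed as LOST without a drop-stage count is often not a real loss: the transmit stage carries post-NAT addresses, so a NAT'd flow appears there under a different key, and return traffic only shows up at all if a filter for that direction was defined in step 2.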
