Palo Alto packet capture CLI / GUI

Packet Capture GUI

1.Monitor>Packet Capture;

2.Turn on “Filtering”

3.Setup Capture files

4. Turn on Capture files

5. imediatley initiate the connection

6. Refresh screen, you shoudl see the capture files populating.

7. Once your happy the traffic has been captured, turn OFF the capture files and filter.

8. Click each capture to download to PC and open with wire shark.

Packet Capture CLI

> debug dataplane packet-diag set filter on
> debug dataplane packet-diag set filter match source destination-port 25

> debug dataplane packet-diag set capture stage drop file smtpDRP.pcap
> debug dataplane packet-diag set capture stage receive file smtpRX.pcap
> debug dataplane packet-diag set capture stage firewall file smtpFW.pcap
> debug dataplane packet-diag set capture stage transmit file smtpTX.pcap

> debug dataplane packet-diag set capture on/off
> debug dataplane packet-diag show setting

There are four stages you can run a capture on Palo Alto Firewalls;

Receive: This is the packet as it hits the firewall, so Inbound

Firewall: This is as the packet is inspected against policy

Transmit: This is as the packet is leaving the firewall and a good stage to see the packets leaving the firewall.

Drop: This is the stage where you will simply see Dropped packets.

NAT Commands

show running nat-policy    [Shows the AT policy currently installed on the firewall.]

show session all filter destination   [This will show the NAT policy translations on the firewall, and if they are working correctly.]


Tagged with: , , , , , , , ,
Posted in Palo Alto
4 comments on “Palo Alto packet capture CLI / GUI
  1. chompchimp says:

    Good stuff. Very handy.

    Our new PA firewall captures some denied traffic and we have no capture rules in place as far as I can see. Any idea why it might be doing this?

  2. otrdemo says:

    I would check to see if any captures/filters exist under;

    Monitor>Packet Capture

    also check your deny rule at end of your policy you may have a capture running on it.

    If it’s none of these are you sure it’s a capture you’re looking at or is just the “traffic monitor”, which shows denied traffic?

    • chompchimp says:

      Thanks for your reply.

      In Monitor/Packet Capture, ‘Capturing’ is set to off and no filters have been set up.

      It’s definitely a capture (a green arrow in the column next to the magnifying glass) and only happens very infrequently. It’s not a big deal but I wondered if the PAN is auto-capturing packets it thinks are of particular concern and whether I should be looking further into this.

      • otrdemo says:

        From what you’re describing it sounds like capturing was turned on at some point or another to capture some troublesome traffic.
        You’re probably safe to turn this off especially if you are logging traffic that go through your policy anyway, i.e. cleanup rule at bottom of policy so any malicious inbound outbound traffic will be dropped and logged anyway.

        I’d just make sure the traffic is nothing to be concerned about or someone has setup the rule that way. If not, get it turned off pal, probably no use to you.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: