Packet Capture GUI
2. Turn on “Filtering”.
3. Set up the capture files.
4. Turn on the capture files.
5. Immediately initiate the connection.
6. Refresh the screen; you should see the capture files populating.
7. Once you are happy the traffic has been captured, turn OFF the capture files and the filter.
8. Click each capture to download it to your PC and open it with Wireshark.
Packet Capture CLI
> debug dataplane packet-diag set filter on
> debug dataplane packet-diag set filter match source 220.127.116.11 destination-port 25
> debug dataplane packet-diag set capture stage drop file smtpDRP.pcap
> debug dataplane packet-diag set capture stage receive file smtpRX.pcap
> debug dataplane packet-diag set capture stage firewall file smtpFW.pcap
> debug dataplane packet-diag set capture stage transmit file smtpTX.pcap
> debug dataplane packet-diag set capture on/off
> debug dataplane packet-diag show setting
There are four stages at which you can run a capture on Palo Alto firewalls:
Receive: the packet as it hits the firewall, i.e. inbound.
Firewall: the packet as it is inspected against policy.
Transmit: the packet as it leaves the firewall; a good stage for confirming what actually egresses.
Drop: the stage where you will simply see dropped packets.
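As an added example (not part of these notes and not a Palo Alto tool), the script below shows how to read the four stage captures written by the CLI procedure above and decide, per TCP packet, whether it was forwarded (seen at transmit) or dropped (seen at drop). It assumes the downloaded files are classic pcap with Ethernet framing and matches packets by 5-tuple plus TCP sequence number; the sample captures are constructed inline, using the filter source and the destination from these notes.

```python
import socket
import struct
from collections import defaultdict
PCAP_MAGIC = 0xA1B2C3D4  # classic pcap magic number

def build_pcap(frames):
    # Minimal pcap (link type 1 = Ethernet) from raw frames; constructed test data only.
    header = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)
    return header + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)

def tcp_syn_frame(src, dst, sport, dport, seq):
    # Ethernet/IPv4/TCP SYN with no payload; constructed, checksums left zero.
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 0x50, 0x02, 8192, 0, 0)
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp

def tcp_keys(pcap_bytes):
    # Yield (src, dst, sport, dport, seq) for each IPv4/TCP packet; accepts either byte order.
    (magic,) = struct.unpack_from("<I", pcap_bytes, 0)
    end = "<" if magic == PCAP_MAGIC else ">"
    off = 24
    while off + 16 <= len(pcap_bytes):
        incl_len = struct.unpack_from(end + "IIII", pcap_bytes, off)[2]
        frame = pcap_bytes[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue  # not IPv4-over-Ethernet, or not TCP
        ihl = (frame[14] & 0x0F) * 4
        src, dst = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
        sport, dport, seq = struct.unpack_from("!HHI", frame, 14 + ihl)
        yield (src, dst, sport, dport, seq)

def stage_report(stages):
    # stages: {stage_name: pcap_bytes}. transmit => forwarded, drop => dropped, else incomplete.
    seen = defaultdict(set)
    for stage, data in stages.items():
        for key in tcp_keys(data):
            seen[key].add(stage)
    return {k: "forwarded" if "transmit" in s else "dropped" if "drop" in s else "incomplete"
            for k, s in seen.items()}

# Constructed sample: two SMTP SYNs matching the page's filter, one allowed and one dropped.
SRC, DST = "220.127.116.11", "10.10.10.10"
ALLOWED = tcp_syn_frame(SRC, DST, 40001, 25, 1000)
BLOCKED = tcp_syn_frame(SRC, DST, 40002, 25, 2000)
SAMPLE_STAGES = {
    "receive": build_pcap([ALLOWED, BLOCKED]), "firewall": build_pcap([ALLOWED, BLOCKED]),
    "transmit": build_pcap([ALLOWED]), "drop": build_pcap([BLOCKED]),
}
```

To use it on real downloads, replace SAMPLE_STAGES with the bytes of smtpRX.pcap, smtpFW.pcap, smtpTX.pcap and smtpDRP.pcap keyed by stage name; a packet present at receive and firewall but absent from both transmit and drop usually means the capture was stopped before the session completed.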
show running nat-policy [Shows the NAT policy currently installed on the firewall.]
show session all filter destination 10.10.10.10 [Shows the sessions for that destination, including their NAT translations, so you can confirm the NAT policy is working correctly.]