Palo Alto Packet Capture
Capture on MGMT interface:
> tcpdump filter "host x.x.x.x"
> view-pcap mgmt-pcap mgmt.pcap
================
1. The filter is bi-directional.
Packet captures are session-based, so a single filter captures both the client-to-server and the server-to-client direction.
2. The receive and transmit stages can write to the same capture file, so tx/rx are visible in one file. If they are written to separate files, the rx/tx files can be merged in Wireshark.
3. Only new sessions are captured; traffic belonging to sessions that already existed when the capture started is not captured.
4. Four stages
- drop stage is where packets get discarded. The reasons may vary and, for this part, the global counters may help identify if the drop was due to a policy deny, a detected threat, or something else.
- receive stage captures the packets as they ingress the firewall before they go into the firewall engine. When NAT is configured, these packets will be pre-NAT.
- transmit stage captures packets how they egress out of the firewall engine. If NAT is configured, these will be post-NAT.
- firewall stage captures packets as they are inspected against policy; this includes packets that set up a session as well as packets that match an existing session
RX: Pre-decryption, pre-NAT
FW: Post-decryption, pre-NAT
TX: Post-decryption, post-NAT
DR: Dropped packets
A capture on the local VPN tunnel interface only sees traffic coming out of the tunnel (incoming, decrypted traffic).
> view-pcap filter-pcap <name>
===================
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClTJCA0
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClfqCAC&lang=en_US&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail
========
For Ping from 192.168.50.50 (NATed to 192.168.2.102) to 4.2.2.2, capture filter:
firewall stage capture
The firewall stage and the receive stage show the same thing here: the initial traffic is seen entering the ingress interface and the return traffic is seen entering the egress interface.
For Ping from 192.168.50.50 (NATed to 192.168.2.102) to 4.2.2.2 with capture on inside interface, capture filter:
For Ping from 192.168.50.50 (NATed to 192.168.2.102) to 4.2.2.2 with capture on outside interface, capture filter:
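The following is an added example, not part of these notes or of Palo Alto's own tooling. It uses the page's ping scenario (192.168.50.50, source-NATed to 192.168.2.102, pinging 4.2.2.2) to show what the stage descriptions above mean in practice: a receive-stage capture is pre-NAT, a transmit-stage capture is post-NAT, and when the two stages were written to separate files they have to be merged and correlated (the notes suggest Wireshark; this does it in standard-library Python). The pcap bytes are constructed inline; the helper names, the ICMP id 0x1234 and the timestamps are assumptions. The second echo (seq 2) is left unanswered to mirror the "not alive" case further down the page.

```python
"""Merge and correlate PAN-OS receive-stage (pre-NAT) and transmit-stage
(post-NAT) captures of one ICMP echo session. Added example with constructed
packets; addresses follow the page's ping example."""
import socket
import struct

PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1


def ip_checksum(data: bytes) -> int:
    """One's-complement checksum over 16-bit words (IPv4 and ICMP headers)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp_echo(src: str, dst: str, icmp_type: int, ident: int, seq: int) -> bytes:
    """Constructed Ethernet + IPv4 + ICMP echo frame (type 8 request / 0 reply)."""
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq) + b"pan-capture-demo"
    icmp = icmp[:2] + struct.pack("!H", ip_checksum(icmp)) + icmp[4:]
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0x1234, 0, 64, 1, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    ip_hdr = ip_hdr[:10] + struct.pack("!H", ip_checksum(ip_hdr)) + ip_hdr[12:]
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00"
    return eth + ip_hdr + icmp


def write_pcap(frames: list[tuple[float, bytes]]) -> bytes:
    """Serialize (timestamp, frame) pairs into classic libpcap format."""
    out = struct.pack("!IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for ts, frame in frames:
        sec, usec = int(ts), int(round((ts - int(ts)) * 1_000_000))
        out += struct.pack("!IIII", sec, usec, len(frame), len(frame)) + frame
    return out


def read_pcap(blob: bytes) -> list[dict]:
    """Parse a pcap blob and return its ICMP echo packets; everything else is skipped."""
    endian = "!" if struct.unpack("!I", blob[:4])[0] == PCAP_MAGIC else "<"
    pkts, off = [], 24
    while off + 16 <= len(blob):
        sec, usec, caplen, _ = struct.unpack(endian + "IIII", blob[off:off + 16])
        frame = blob[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if frame[12:14] != b"\x08\x00" or frame[14 + 9] != 1:   # IPv4 + ICMP only
            continue
        ihl = (frame[14] & 0x0F) * 4
        itype, _, _, ident, seq = struct.unpack("!BBHHH", frame[14 + ihl:14 + ihl + 8])
        pkts.append({"ts": sec + usec / 1e6, "type": itype, "id": ident, "seq": seq,
                     "src": socket.inet_ntoa(frame[26:30]),
                     "dst": socket.inet_ntoa(frame[30:34])})
    return pkts


def merge_stages(stage_blobs: dict[str, bytes]) -> list[dict]:
    """Merge per-stage capture files into one timeline, tagging each packet with its stage."""
    merged = [{**p, "stage": stage} for stage, blob in stage_blobs.items()
              for p in read_pcap(blob)]
    merged.sort(key=lambda p: p["ts"])
    return merged


def correlate_nat(merged: list[dict]) -> list[dict]:
    """Pair each pre-NAT (receive) packet with its post-NAT (transmit) counterpart.
    Keyed on ICMP type and sequence; the identifier is deliberately not used because a
    port-translating NAT may rewrite it. An unanswered echo shows up as a c2s row only."""
    pairs: dict[tuple, dict] = {}
    for p in merged:
        pairs.setdefault((p["type"], p["seq"]), {})[p["stage"]] = p
    rows = []
    for (itype, seq), stages in sorted(pairs.items(), key=lambda kv: (kv[0][1], kv[0][0] != 8)):
        rx, tx = stages.get("receive"), stages.get("transmit")
        rows.append({"direction": "c2s" if itype == 8 else "s2c", "seq": seq,
                     "pre_nat": (rx["src"], rx["dst"]) if rx else None,
                     "post_nat": (tx["src"], tx["dst"]) if tx else None})
    return rows


def sample_captures() -> dict[str, bytes]:
    """Constructed rx/tx captures: echo seq 1 is answered, echo seq 2 never is."""
    inside, nat_ip, outside = "192.168.50.50", "192.168.2.102", "4.2.2.2"
    rx = [(1.000, build_icmp_echo(inside, outside, 8, 0x1234, 1)),   # request as it ingresses, pre-NAT
          (1.020, build_icmp_echo(outside, nat_ip, 0, 0x1234, 1)),   # reply ingresses addressed to the NAT IP
          (2.000, build_icmp_echo(inside, outside, 8, 0x1234, 2))]   # request that gets no reply
    tx = [(1.001, build_icmp_echo(nat_ip, outside, 8, 0x1234, 1)),   # request as it egresses, post-NAT
          (1.021, build_icmp_echo(outside, inside, 0, 0x1234, 1)),   # reply egresses un-NATed to the real host
          (2.001, build_icmp_echo(nat_ip, outside, 8, 0x1234, 2))]
    return {"receive": write_pcap(rx), "transmit": write_pcap(tx)}


if __name__ == "__main__":
    for row in correlate_nat(merge_stages(sample_captures())):
        print(row)
```

Reading the output against the stage table: the c2s row's pre_nat pair is what the receive stage shows and its post_nat pair is what the transmit stage shows, which is why a filter written for the inside interface must use 192.168.50.50 while one for the outside interface must use 192.168.2.102. The seq 2 row with no s2c counterpart is the shape an unanswered ping takes in a merged capture.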
Ping from the PA side 192.168.50.50 to the FG side 10.10.10.6 across the S2S VPN tunnel, with filter:
When the ping gets a response
When pinging 10.10.10.10, which is not alive
<tftp | scp> export filter-pcap from <filename> to <tftp-ip | user@ip-address:path>
ingress stage
Best practice:
Set the same file for the receive and transmit stages ("rt") so that bidirectional traffic is visible in one capture file.