Enable Packet Captures on Palo Alto:

  • This document describes the basic steps and commands to configure packet captures on Palo Alto firewalls.
  • Create Packet Captures through CLI:
  • Create packet filters:
    • debug dataplane packet-diag set filter match source <IP_1> destination <IP_2>
    • debug dataplane packet-diag set filter on
    • debug dataplane packet-diag show setting
  • If no source or destination IP address is specified, then “any” (0.0.0.0) is assumed.
  • Define the packet capture stages and the corresponding files
    • debug dataplane packet-diag set capture stage transmit file <filename_transmit>
    • debug dataplane packet-diag set capture stage receive file <filename_receive>
    • debug dataplane packet-diag set capture stage firewall file <filename_firewall>
    • debug dataplane packet-diag set capture stage drop file <filename_drop>
  • Start the packet captures
    • debug dataplane packet-diag set capture on

    Note: Before starting the captures, make sure that the capture filters have been configured and that filtering is turned on. For example:

    admin@PAN-FW> debug dataplane packet-diag show setting
    --------------------------------------------------------------------------------
    Packet diagnosis setting:
    --------------------------------------------------------------------------------
    Packet filter
      Enabled:                   yes
      Match pre-parsed packet:   no
      Index 1: 192.168.0.1[0]->10.20.30.1[0], proto 0
               ingress-interface any, egress-interface any, exclude non-IP

    Important! Starting a capture without filtering may overload the firewall.

  • Stop the packet capture
    • debug dataplane packet-diag set capture off
  • View the capture files
    • view-pcap filter-pcap <filename>

    To view the capture file in real-time while the capture is running, use the following command:

    • view-pcap follow yes filter-pcap <filename>
  • Export the capture files
    • scp export filter-pcap from <file> to <SCP_serv>
    • <SCP_serv> = user@server:path
    • tftp export filter-pcap from <file> to <tftp_Server_addr>
  • Clear the packet filters and captures
    • debug dataplane packet-diag set filter off
    • debug dataplane packet-diag clear filter all
    • debug dataplane packet-diag clear capture all
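The CLI procedure above turns on filtering first and only then starts the capture, and the note warns that an unfiltered capture can overload the firewall. The following is an added example, not part of the original post and not a Palo Alto tool: it parses the text of `debug dataplane packet-diag show setting` (the sample output below is constructed to match the page's example, and the assumption that the real output has other sections such as "Packet capture" with their own `Enabled:` line is why the parser tracks section headers), reports whether it is safe to run `set capture on`, and builds the command sequence from the page for a given source, destination and set of stages. All function and field names are this example's own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample, modelled on the page's "show setting" example.
SAMPLE_SETTING = """\
Packet diagnosis setting:
--------------------------------------------------------------------------------
Packet filter
  Enabled:                   yes
  Match pre-parsed packet:   no
  Index 1: 192.168.0.1[0]->10.20.30.1[0], proto 0
           ingress-interface any, egress-interface any, exclude non-IP
"""

# "Index N: SRC[SPORT]->DST[DPORT], proto P" as shown by the firewall.
INDEX_RE = re.compile(
    r"Index\s+(?P<index>\d+):\s+(?P<src>\S+)\[(?P<sport>\d+)\]->"
    r"(?P<dst>\S+)\[(?P<dport>\d+)\],\s+proto\s+(?P<proto>\d+)"
)


@dataclass
class FilterEntry:
    index: int
    src: str
    sport: int
    dst: str
    dport: int
    proto: int

    def is_catch_all(self) -> bool:
        # 0.0.0.0, port 0 and proto 0 are the "any" values the page describes.
        return (self.src == "0.0.0.0" and self.dst == "0.0.0.0"
                and self.sport == 0 and self.dport == 0 and self.proto == 0)


@dataclass
class PacketDiagSetting:
    filter_enabled: bool
    entries: List[FilterEntry]


def parse_packet_diag_setting(text: str) -> PacketDiagSetting:
    """Extract the packet-filter state and match entries from the CLI output."""
    enabled = False
    entries: List[FilterEntry] = []
    section: Optional[str] = None
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or set(stripped) <= {"-"}:
            continue                      # blank or separator line
        if not raw[0].isspace():
            section = stripped.rstrip(":")  # unindented lines name a section
            continue
        if section == "Packet filter" and stripped.startswith("Enabled:"):
            enabled = stripped.split(":", 1)[1].strip().lower() == "yes"
        m = INDEX_RE.search(stripped)
        if m and section == "Packet filter":
            entries.append(FilterEntry(int(m["index"]), m["src"], int(m["sport"]),
                                       m["dst"], int(m["dport"]), int(m["proto"])))
    return PacketDiagSetting(enabled, entries)


def capture_start_check(setting: PacketDiagSetting) -> Optional[str]:
    """Return None when 'set capture on' is safe, otherwise the reason it is not."""
    if not setting.filter_enabled:
        return "packet filter is off; run 'debug dataplane packet-diag set filter on'"
    if not setting.entries:
        return "no filter entries; run 'debug dataplane packet-diag set filter match ...'"
    if all(e.is_catch_all() for e in setting.entries):
        return "every filter entry is any->any; the capture would match all traffic"
    return None


def build_capture_commands(src: str, dst: str, stages: Dict[str, str]) -> List[str]:
    """Ordered CLI commands from the page: filter, filter on, stages, capture on."""
    cmds = [
        f"debug dataplane packet-diag set filter match source {src} destination {dst}",
        "debug dataplane packet-diag set filter on",
    ]
    for stage, filename in stages.items():   # e.g. receive/transmit/firewall/drop
        cmds.append(f"debug dataplane packet-diag set capture stage {stage} file {filename}")
    cmds.append("debug dataplane packet-diag set capture on")
    return cmds


if __name__ == "__main__":
    parsed = parse_packet_diag_setting(SAMPLE_SETTING)
    print("filter enabled:", parsed.filter_enabled, "| entries:", parsed.entries)
    print("check:", capture_start_check(parsed) or "safe to start capture")
    for cmd in build_capture_commands("192.168.0.1", "10.20.30.1",
                                      {"receive": "rx.pcap", "drop": "drop.pcap"}):
        print(cmd)
```

Paste the real `show setting` output into `parse_packet_diag_setting` before running `set capture on`; a non-None result from `capture_start_check` means the filter step was skipped or matches everything.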

  • Enable Packet Captures on the WebUI:
    1. Go to Monitoring > Packet Capture.
    2. Create and enable a packet filter.
    3. Create stages to capture packets and specify file names.
    4. Click OK to enable captures.
    5. Download the capture file(s) via HTTP by clicking on the corresponding links after refreshing the capture page.
