
PANOS 3.0.0 1

Capturing Packets on Palo Alto Networks Firewalls

This document walks through the steps to capture packets on a Palo Alto Networks firewall.

Types of Packet Captures

There are various types of packet captures that you can perform:
1. Filter pcap (a.k.a. debug filter): use to capture based upon src/dest IP and src/dest port.
2. Application pcap: use to capture packets for a particular App-ID (use when App-ID detects traffic that is not that app).
3. Unknown pcap: use for capturing unknown-tcp, unknown-udp, unknown-p2p.

The output of these commands will be pcap files, stored on the hard disk of the firewall. PANOS stores 20 MB of pcaps for each type (threats, applications, filters, and DLP) and checks the space once an hour. If it is over 90% full, PANOS removes the oldest day's capture until it gets back below 90%.
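The following is an added example, not part of the Palo Alto document, that models the retention rule just described in Python so you can see how much capture history survives the hourly check. The 20 MB budget and the 90% threshold are the document's numbers; the per-day byte counts, the date-keyed dictionary and the function names are constructed for this example.

```python
# Added example (not from the Palo Alto document): a model of the pcap
# retention rule the document describes. Each capture type gets 20 MB;
# once an hour the firewall checks usage and, if it is over 90%, removes
# the oldest day's captures until usage is back below 90%.
# Function names and the per-day sizes used as input are assumptions.

MB = 1024 * 1024
BUDGET_BYTES = 20 * MB   # 20 MB per capture type (threats, applications, filters, DLP)
HIGH_WATER = 0.90        # the check triggers above this fraction and purges back below it


def usage_percent(usage_by_day):
    """Percentage of the 20 MB budget used by the given per-day byte counts."""
    return 100.0 * sum(usage_by_day.values()) / BUDGET_BYTES


def prune_oldest_days(usage_by_day):
    """Apply one hourly check to usage_by_day ('YYYYMMDD' -> bytes stored that day).

    Returns (kept, removed): the surviving mapping and the list of day names
    removed, oldest first. Days are removed one at a time, oldest first, only
    while total usage is still above 90% of the budget.
    """
    kept = dict(usage_by_day)
    removed = []
    limit = HIGH_WATER * BUDGET_BYTES
    while kept and sum(kept.values()) > limit:
        oldest = min(kept)   # YYYYMMDD strings sort chronologically
        removed.append(oldest)
        del kept[oldest]
    return kept, removed


if __name__ == "__main__":
    # Constructed sample: three days of application pcaps filling the budget exactly.
    sample = {"20090716": 9 * MB, "20090717": 6 * MB, "20090718": 5 * MB}
    print("before: %.0f%% used" % usage_percent(sample))
    kept, removed = prune_oldest_days(sample)
    print("removed:", removed, "after: %.0f%% used" % usage_percent(kept))
```

Two things the model makes visible: the check only trims until usage is back below 90%, so a whole day is removed even if it only just pushed usage over the line, and in this model a single day whose captures alone exceed 18 MB is removed as well, because it is then the oldest day on disk. Exporting captures with scp export as soon as you have them is the safe habit.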

This document will discuss and give examples of each of those types. If you are interested in just one of the types, you can skip ahead to that part of the document.
Part 1: Capturing packets using filter-pcap
You can capture a session from start to end between two particular machines. You can also filter on particular source and target ports. All sessions that match a valid debug filter will be captured. The output file is closed when the maximum number of bytes or packets is reached, or manually by the close command.

In the examples below, a Palo Alto Networks firewall is between the client and the DNS and FTP servers. There is also an SCP server available for file transfers from the PAN management interface.

Key commands in this section
To configure:
debug dataplane filter
To confirm config:
debug dataplane get
To view packets:
view-pcap filter-pcap
scp export filter
To clean up:
delete debug-filter file

Steps
1. Log in to the CLI of the firewall. Check the initial debug settings using debug dataplane get. You will repeat this command throughout to confirm settings.

The first line is the important one here; confirm that packet filtering is off.
2. To turn on packet filtering use this command:

Note: if you see a filter there from a previous troubleshooting session, you can delete it using:
debug dataplane filter unset 1
3. Determine what filename you want to use for the output file. You can view the existing files using view-pcap filter-pcap ?

If you use an existing filename, the packets will be appended to that file.


4. Now configure the exact filter of what traffic you want to capture. You can filter on src/dest IP and/or src/dest port.
The example below will capture all traffic between 1.1.1.8 and 3.3.3.4. The output will be stored in the file test.pcap. Note that even though you are specifying a source IP and target IP, traffic initiated in either direction will be captured.

Make sure the filter shown is what you expect. If you made a mistake, use:
debug dataplane filter unset 1
The entry 2000000 in the output above indicates that a maximum of 2 million bytes will be captured.
Here is an example of a filter that is capturing packets going to/from port 53 going to/from IP 1.1.1.8:

Here is an example of a filter that will capture all ICMP packets:

5. Generate the test traffic.


6. You can monitor the packets that are being written to the output file. Use this command to see if the output file has been created yet:
view-pcap filter-pcap ?
Repeat this command until the filename appears.

7. You can now follow the packet capture in real time using:
view-pcap follow yes filter-pcap dns.pcap

Notice that in the above output, the IP addresses and port numbers are not resolved to names, due to the no-dns-lookup and no-port-lookup arguments.

8. Once you've captured the data you need, you can manually close the output file using this command:


9. If you want to view the completed pcap from the CLI, use this command:

10. If you want to view the hex and ASCII in the packets, the option is hex-ascii yes.

11. You will very likely just want to export the pcap file to another machine, such that you can view it with a protocol analyzer. The only way to export pcaps is using the scp export command.



Clean Up
12. At the end of your troubleshooting session, make sure to delete any remaining filters, and to turn debug packet filter off:

13. Also delete any debug files you no longer need. View the files using the question mark as the last argument:
delete debug-filter file ?

If you get this output, there are no files to delete:

Notes:
The firewall can only capture parent sessions (like the FTP control session), not predicted sessions (like the FTP data session).
If only the first few packets of a session are being captured, it is possible that the session was switched to the fast path, which means the packets do not hit the CPU. You can disable the fast path by running the command set session offload no. After testing is complete, then perform set session offload yes.
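Once a filter pcap is exported (step 11), you will usually open it in a protocol analyzer. The following is an added example, not part of the Palo Alto document, and it does not reproduce the firewall's actual filter syntax: it is a small Python pcap reader plus a model of the debug-filter matching behaviour the document describes, src/dest IP and/or port, matched in either direction, with the output closed once the configured byte limit (the 2000000 entry) is reached. The packets, addresses and ports are constructed sample data, and `DebugFilter`, `capture`, `summarize` and the other names are assumptions of this example. Pointing it at an exported file instead of `SAMPLE_PCAP` is a quick way to check which sessions a filter actually caught; the reader handles only classic little-endian pcap with Ethernet framing.

```python
# Added example (not from the Palo Alto document): a minimal pcap reader plus a
# model of the debug-filter match rule the document describes. The firewall's
# real filter syntax is not reproduced; every packet below is constructed.
import struct
from ipaddress import IPv4Address

PCAP_MAGIC = 0xA1B2C3D4           # classic little-endian pcap
LINKTYPE_ETHERNET = 1
PROTO_ICMP, PROTO_TCP, PROTO_UDP = 1, 6, 17


def ipv4_frame(src, dst, proto, payload):
    """Ethernet + IPv4 header (checksum left zero) + transport payload."""
    eth = b"\x00" * 12 + b"\x08\x00"          # MAC placeholders, EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                     IPv4Address(src).packed, IPv4Address(dst).packed)
    return eth + ip + payload

def tcp_syn(sport, dport):                    # bare 20-byte TCP header, SYN set
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 8192, 0, 0)

def udp(sport, dport, data=b""):
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

def icmp_echo():                              # echo request, id 1, seq 1
    return struct.pack("!BBHHH", 8, 0, 0, 1, 1)

def build_pcap(frames):
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, f in enumerate(frames):            # one record per frame, 1 s apart
        out += struct.pack("<IIII", 1247875200 + i, 0, len(f), len(f)) + f
    return out

def parse_pcap(data):
    """Yield one dict per Ethernet/IPv4 record: src, dst, proto, sport, dport, len."""
    if struct.unpack_from("<I", data, 0)[0] != PCAP_MAGIC:
        raise ValueError("only classic little-endian pcap is handled here")
    off = 24
    while off + 16 <= len(data):
        _, _, incl, _ = struct.unpack_from("<IIII", data, off)
        frame = data[off + 16:off + 16 + incl]
        off += 16 + incl
        if frame[12:14] != b"\x08\x00":       # not IPv4
            continue
        ihl, proto = (frame[14] & 0x0F) * 4, frame[23]
        l4 = frame[14 + ihl:]
        sport = dport = None
        if proto in (PROTO_TCP, PROTO_UDP) and len(l4) >= 4:
            sport, dport = struct.unpack("!HH", l4[:4])
        yield {"src": str(IPv4Address(frame[26:30])), "dst": str(IPv4Address(frame[30:34])),
               "proto": proto, "sport": sport, "dport": dport, "len": incl}

class DebugFilter:
    """One filter entry as the document describes it: optional src/dst IP, optional
    src/dst port, optional protocol. A filter written as src->dst also matches the
    reverse direction; the output closes once max_bytes (the 2000000 entry) is hit."""

    def __init__(self, src=None, dst=None, sport=None, dport=None, proto=None, max_bytes=2_000_000):
        self.src, self.dst, self.sport, self.dport = src, dst, sport, dport
        self.proto, self.max_bytes = proto, max_bytes

    @staticmethod
    def _one_way(pkt, src, dst, sport, dport):
        wanted = (("src", src), ("dst", dst), ("sport", sport), ("dport", dport))
        return all(v is None or v == pkt[k] for k, v in wanted)

    def matches(self, pkt):
        if self.proto is not None and pkt["proto"] != self.proto:
            return False
        return (self._one_way(pkt, self.src, self.dst, self.sport, self.dport)
                or self._one_way(pkt, self.dst, self.src, self.dport, self.sport))

def capture(pcap_bytes, filt):
    """Packets the filter would have written to its output file, stopping at the byte limit."""
    captured, total = [], 0
    for pkt in parse_pcap(pcap_bytes):
        if filt.matches(pkt):
            if total + pkt["len"] > filt.max_bytes:
                break
            captured.append(pkt)
            total += pkt["len"]
    return captured

# Constructed traffic: an FTP control session, a DNS lookup, a ping, a second FTP client.
SAMPLE_PCAP = build_pcap([
    ipv4_frame("1.1.1.8", "3.3.3.4", PROTO_TCP, tcp_syn(40000, 21)),
    ipv4_frame("3.3.3.4", "1.1.1.8", PROTO_TCP, tcp_syn(21, 40000)),
    ipv4_frame("1.1.1.8", "2.2.2.53", PROTO_UDP, udp(50000, 53)),
    ipv4_frame("2.2.2.53", "1.1.1.8", PROTO_UDP, udp(53, 50000)),
    ipv4_frame("5.5.5.5", "3.3.3.4", PROTO_ICMP, icmp_echo()),
    ipv4_frame("1.1.1.9", "3.3.3.4", PROTO_TCP, tcp_syn(40001, 21)),
])

def summarize(filt, pcap_bytes=SAMPLE_PCAP):
    """(src, sport, dst, dport) for each packet the filter captures."""
    return [(p["src"], p["sport"], p["dst"], p["dport"]) for p in capture(pcap_bytes, filt)]

if __name__ == "__main__":
    print("1.1.1.8 <-> 3.3.3.4:", summarize(DebugFilter(src="1.1.1.8", dst="3.3.3.4")))
    print("port 53 to/from 1.1.1.8:", summarize(DebugFilter(src="1.1.1.8", dport=53)))
    print("all ICMP:", summarize(DebugFilter(proto=PROTO_ICMP)))
```

The three filters in the usage block mirror the three filters shown in step 4: the 1.1.1.8/3.3.3.4 filter picks up both halves of the FTP control session but not the second client at 1.1.1.9, the port-53 filter picks up the DNS query and its reply, and the protocol-only filter picks up the ping. Lowering max_bytes shows the other behaviour the document describes: the output stops growing as soon as the next matching packet would exceed the limit.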


Part 2: Capturing packets using application dump
In some cases, the App-ID signature will match traffic that is not that application. In that case, use application dump to capture packets for that particular App-ID. Note that this will not capture the complete session; it only captures enough packets to identify the application.
Key commands in this section
To configure:
set application dump on
To confirm config:
debug dataplane show application setting
To view packets:
view-pcap application-pcap dirname/filename
scp export application from dirname/filename
To clean up:
set application dump off
delete pcap directory dirname
Steps

1. Check the initial debug settings using this command:

2. Files will be stored in a directory that has a name of today's date. You can view what directories have already been created using view-pcap application-pcap ?

To see what files are in that directory, use the directory name followed by a question mark:

view-pcap application-pcap 20090718/ ?




3. Turn on application dump:



4. Specify what you want to capture. In this case, we are capturing yahoo-im coming from IP 1.1.1.33:

5. Generate the test traffic. To confirm that the expected application is going through the device, use this command:

6. Once you've captured the traffic, turn off application dump:


7. A new file will be created for each matching session. You can now examine the pcaps. Remember to use a question mark in the command to determine what the filenames are. (Note: the question mark is not shown below.)

8. You can also view the pcaps in the GUI, on the Monitor tab > Traffic screen.

Click on the green down arrow to view the packet.
9. You can export the file via the CLI:



Cleanup

10. Delete the files you just created using:
delete pcap directory ?




Part 3: Capturing packets using application dump-unknown
In some cases, no signature will match a particular application's traffic. The application will appear as:
unknown-tcp
unknown-udp
unknown-p2p
In that case, use application dump-unknown for capturing those packets.

Key commands in this section
To configure:
set application dump-unknown yes
To confirm config:
debug dataplane show application setting
To view packets:
view-pcap application-pcap dirname/filename
scp export application dirname/filename
To clean up:
delete unknown-pcap

Steps
1. Check the initial debug settings using this command:



2. Turn on application dump of unknown apps:

3. There is no need to specify a capture filter. All unknown applications will be captured.

4. Generate the test traffic. To confirm that the unknown application is going through the device, use this command:

Modify the last argument of that command to be appropriate for your traffic (unknown-tcp, unknown-udp, unknown-p2p).

5. You can view the pcap using:
view-pcap application-pcap directoryname/?


6. Once you've captured the traffic, turn off dump-unknown:

7. You can view the pcap in the GUI using Monitor tab > Traffic Log. Search for the appropriate application (example: unknown-udp) to find the log entry.

Click on the green down arrow to see the packet:

8. You can export the file:


Cleanup

9. Delete the files you just created using:
delete pcap directory ?
