This document walks through the steps to capture packets on a Palo Alto Networks firewall.
There are various types of packet captures that you can perform:
1. Filter pcap (a.k.a. debug filter): use to capture based upon src/dest IP and src/dest port
2. Application pcap: use to capture packets for a particular app ID (use when app ID detects traffic that is not that app)
3. Unknown pcap: use for capturing unknown tcp, unknown udp, unknown p2p
The output of these commands will be pcap files, stored on the hard disk of the firewall. PANOS stores 20 MB of pcaps for each type (threats, applications, filters, and DLP) and checks the space once an hour. If it is over 90% full, PANOS removes the oldest day's capture until it gets back below 90%.
This document will discuss and give examples of each of those types. If you are interested in just one of the types, you can skip ahead to that part of the document.
Part 1: Capturing packets using filter-pcap
You can capture a session from start to end between two particular machines. You can also filter on particular source and target ports. All sessions that match a valid debug filter will be captured. The output file is closed when the maximum number of bytes or packets is reached, or manually by the close command.
In the examples below, a Palo Alto Networks firewall is between the client and the DNS and FTP servers. There is also an SCP server available for file transfers from the PAN management interface.
Key commands in this section
To configure:
debug dataplane filter
To confirm config:
debug dataplane get
To view packets:
view-pcap filter-pcap
PANOS 3.0.0 2
scp export filter
To clean up:
delete debug-filter file
Steps
1. Log in to the CLI of the firewall. Check the initial debug settings using debug dataplane get. You will repeat this command throughout to confirm settings.
The first line is the important one here; confirm that packet filtering is off.
2. To turn on packet filtering use this command:
Note: if you see a filter there from a previous troubleshooting session, you can delete it using:
debug dataplane filter unset 1
3. Determine what filename you want to use for the output file. You can view the existing files using view-pcap filter-pcap ?
If you use an existing filename, the packets will be appended to that file.
4. Now configure the exact filter of what traffic you want to capture. You can filter on src/dest IP, and/or src/dest port.
The example below will capture all traffic between 1.1.1.8 and 3.3.3.4. The output will be stored in the file test.pcap. Note that even though you are specifying a source IP and target IP, traffic initiated in either direction will be captured.
Make sure the filter shown is what you expect. If you made a mistake, use:
debug dataplane filter unset 1
The entry 2000000 in the output above indicates that a maximum of 2 million bytes will be captured.
Here is an example of a filter that is capturing packets going to/from port 53 going to/from IP 1.1.1.8:
Here is an example of a filter that will capture all ICMP packets:
5. Generate the test traffic.
6. You can monitor the packets that are being written to the output file. Use this command to see if the output file has been created yet:
view-pcap filter-pcap ?
Repeat this command until the filename appears.
7. You can now follow the packet capture in real time using:
view-pcap follow yes filter-pcap dns.pcap
Notice that in the above output, the IP addresses and port numbers are not resolved to names, due to the nodnslookup and noportlookup arguments.
8. Once you've captured the data you need, you can manually close the output file using this command:
9. If you want to view the completed pcap from the CLI, use this command:
10. If you want to view the hex and ASCII in the packets, the option is hexascii yes.
11. You will very likely just want to export the pcap file to another machine, such that you can view it with a protocol analyzer. The only way to export pcaps is using the scp export command.
Clean Up
12. At the end of your troubleshooting session, make sure to delete any remaining filters, and to turn debug packet filter off:
13. Also delete any debug files you no longer need. View the files using the question mark as the last argument:
delete debug-filter file ?
If you get this output, there are no files to delete:
Notes:
The firewall can only capture parent sessions (like the FTP control session), not predicted sessions (like the FTP data session).
If only the first few packets of a session are being captured, it is possible that the session was switched to the fast path, which means the packets do not hit the CPU. You can disable fast path by running the command set session offload no. After testing is complete, then perform set session offload yes.
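Once the filter-pcap has been pulled off the firewall with scp export, the fast-path symptom in the note above can be checked mechanically. The following is an added example, not part of the original document or a Palo Alto Networks tool: a standard-library Python script that groups the exported frames by session and reports any session that contains only a handful of packets. It assumes the capture is a classic libpcap file with Ethernet II/IPv4 frames, and the sample frames are constructed.

```python
import struct
from collections import Counter

def read_pcap_frames(data: bytes):
    """Yield raw link-layer frames from a classic libpcap file, e.g. one fetched with scp export."""
    magic = struct.unpack("<I", data[:4])[0]
    endian = "<" if magic in (0xA1B2C3D4, 0xA1B23C4D) else ">"
    off = 24                                   # skip the 24-byte global header
    while off + 16 <= len(data):
        incl_len = struct.unpack(endian + "I", data[off + 8:off + 12])[0]
        off += 16                              # skip the 16-byte record header
        yield data[off:off + incl_len]
        off += incl_len

def session_key(frame: bytes):
    """Direction-independent (proto, endpoint, endpoint) key for an IPv4 TCP/UDP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # Ethernet II carrying IPv4 only (assumed)
        return None
    ihl, proto = (frame[14] & 0x0F) * 4, frame[23]
    if proto not in (6, 17) or len(frame) < 14 + ihl + 4:
        return None
    src = ".".join(map(str, frame[26:30]))
    dst = ".".join(map(str, frame[30:34]))
    sport, dport = struct.unpack("!HH", frame[14 + ihl:14 + ihl + 4])
    a, b = sorted([(src, sport), (dst, dport)])   # same key for both directions of a session
    return (proto, a, b)

def short_sessions(frames, threshold=3):
    """Sessions with at most `threshold` packets: the symptom of fast-path offload described in the notes."""
    counts = Counter(k for k in map(session_key, frames) if k is not None)
    return {k: n for k, n in counts.items() if n <= threshold}

def make_frame(src, dst, sport, dport, proto=6):
    """Constructed Ethernet/IPv4 frame carrying only the L4 port fields (sample data, not a real capture)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 24, 0, 0, 64, proto, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return b"\x00" * 12 + b"\x08\x00" + ip + struct.pack("!HH", sport, dport)

# Constructed sample: a complete FTP control session (10 packets, both directions) plus a
# session between the same hosts that stops after the three-way handshake.
SAMPLE_FRAMES = [make_frame("1.1.1.8", "3.3.3.4", 40000, 21) if i % 2 == 0
                 else make_frame("3.3.3.4", "1.1.1.8", 21, 40000) for i in range(10)]
SAMPLE_FRAMES += [make_frame("1.1.1.8", "3.3.3.4", 40001, 80),
                  make_frame("3.3.3.4", "1.1.1.8", 80, 40001),
                  make_frame("1.1.1.8", "3.3.3.4", 40001, 80)]

if __name__ == "__main__":
    for key, n in short_sessions(SAMPLE_FRAMES).items():
        print(f"only {n} packets for {key}; consider 'set session offload no' and recapture")
```

To run it against a real export, replace SAMPLE_FRAMES with list(read_pcap_frames(open("test.pcap", "rb").read())).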
Part 2: Capturing packets using application dump
In some cases, the app ID signature will match traffic that is not that application. In that case, use application dump to capture packets for that particular app ID. Note that this will not capture the complete session; it only captures enough packets to identify the application.
Key commands in this section
To configure:
set application dump on
To confirm config:
debug dataplane show application setting
To view packets:
view-pcap application-pcap dirname/filename
scp export application from dirname/filename
To clean up:
set application dump off
delete pcap directory dirname
Steps
1. Check the initial debug settings using this command:
2. Files will be stored in a directory that has a name of today's date. You can view what directories have already been created using view-pcap application-pcap ?
To see what files are in that directory, use the directory name followed by a question mark:
3. Turn on application dump:
4. Specify what you want to capture. In this case, we are capturing yahooim coming from IP 1.1.1.33:
5. Generate the test traffic. To confirm that the expected application is going through the device, use this command:
6. Once you've captured the traffic, turn off application dump:
7. A new file will be created for each matching session. You can now examine the pcaps. Remember to use a question mark in the command to determine what the file names are. (Note: the question mark is not shown below.)
8. You can also view the pcaps in the GUI, on the Monitor tab > Traffic screen.
Click on the green down arrow to view the packet.
9. You can export the file via the CLI:
Cleanup
10. Delete the files you just created using:
delete pcap directory ?
Part 3: Capturing packets using application dump-unknown
In some cases, no signatures will match a particular application's traffic. The application will appear as:
Unknown tcp
Unknown udp
Unknown p2p
In that case, use application dump-unknown for capturing those packets.
Key commands in this section
To configure:
set application dump-unknown yes
To confirm config:
debug dataplane show application setting
To view packets:
view-pcap application-pcap dirname/filename
scp export application dirname/filename
To clean up:
delete unknown-pcap
Steps
1. Check the initial debug settings using this command:
2. Turn on application dump of unknown apps:
3. There is no need to specify a capture filter. All unknown applications will be captured.
4. Generate the test traffic. To confirm that the unknown application is going through the device, use this command:
Modify the last argument of that command to be appropriate for your traffic (unknown tcp, unknown udp, unknown p2p).
5. You can view the pcap using:
view-pcap application-pcap directoryname/?
6. Once you've captured the traffic, turn off dump-unknown:
7. You can view the pcap in the GUI using Monitor tab > Traffic Log. Search for the appropriate application (example: unknown udp) to find the log entry.
Click on the green down arrow to see the packet:
8. You can export the file:
Cleanup
9. Delete the files you just created using:
delete pcap directory ?