Palo Alto Debug (9 of 30)

If you are using Palo Alto firewalls, it can at times be difficult to see whether or not packets are being dropped. If they are dropped by a policy you can see that in the traffic logs, but packets can also be dropped due to an illegal TCP operation. That can come from asymmetric routing (you see the SYN come in on zone A, leave on zone B and return on zone C), from a session that has timed out while the application, using a longer timeout of its own, keeps trying to use the dead session, or from many other causes, and none of those show up in the traffic logs.

No matter what the issue is, the most detailed information comes from debugging the specific stream, so here is a cheat sheet of commands I have put together. Please note that at the packet level the traffic is seen uni-directionally, so you have to set the filter up for both directions: IP-1 -> IP-2 and IP-2 -> IP-1.

Disclaimer: please ensure the firewall can handle the load of running these debug commands.

How to troubleshoot dropped packets:

1. Check to see if any debugs are in progress

debug dataplane packet-diag show setting

2. Clear all old debug settings:

debug dataplane packet-diag set capture off
debug dataplane packet-diag clear capture all
debug dataplane packet-diag clear filter all
debug dataplane packet-diag set filter off

3. Set new filter:

debug dataplane packet-diag set filter match source 1.1.1.1 destination 2.2.2.2
debug dataplane packet-diag set filter match source 2.2.2.2 destination 1.1.1.1
debug dataplane packet-diag set filter on

4. Configure files:

debug dataplane packet-diag set capture stage firewall file sample.fw
debug dataplane packet-diag set capture stage drop file sample.drop
debug dataplane packet-diag set capture stage transmit file sample.tx
debug dataplane packet-diag set capture stage receive file sample.rx

5. Enable capture debugs:

debug dataplane packet-diag set capture on

6. See why the packets filtered are being dropped:

show counter global filter packet-filter yes delta yes

7. Remove your debug configuration when you are done!!! -> Step 2.
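The output of step 6 is a wide counter table, and the rows that actually answer "why was it dropped" are the ones with severity "drop" and a non-zero delta. The parser below is an added example, not from the original post or from Palo Alto Networks; the sample output is constructed and its column layout is approximated from memory, so the regex may need adjusting for your PAN-OS version.

```python
import re
from typing import Dict, List

# Constructed sample of `show counter global filter packet-filter yes delta yes`
# output. Layout approximated from memory; real PAN-OS output may differ in
# spacing and in which counters appear.
SAMPLE_OUTPUT = """\
Global counters:
Elapsed time since last sampling: 3.2 seconds

name                              value     rate severity  category  aspect    description
--------------------------------------------------------------------------------------------
pkt_recv                             24        8 info      packet    pktproc   Packets received
session_allocated                     1        0 info      session   resource  Sessions allocated
flow_tcp_non_syn_drop                 9        3 drop      flow      session   Packets dropped: non-SYN TCP without session match
flow_fwd_l3_ttl_zero                  2        0 drop      flow      forward   Packets dropped: IP TTL reaches zero
--------------------------------------------------------------------------------------------
Total counters shown: 4
"""

# One counter row: name, integer value, integer rate, severity, category,
# aspect, then a free-text description (which may contain spaces).
# Header, separator and summary lines fail the integer columns and are skipped.
ROW_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<value>\d+)\s+(?P<rate>\d+)\s+(?P<severity>\S+)\s+"
    r"(?P<category>\S+)\s+(?P<aspect>\S+)\s+(?P<description>.+?)\s*$"
)


def parse_counters(text: str) -> List[Dict[str, object]]:
    """Return one dict per counter row, with value and rate as ints."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m is None:
            continue
        row: Dict[str, object] = m.groupdict()
        row["value"] = int(m.group("value"))
        row["rate"] = int(m.group("rate"))
        rows.append(row)
    return rows


def drop_reasons(text: str) -> List[Dict[str, object]]:
    """Counters with severity 'drop' and a non-zero delta, largest first.
    With the packet filter active these rows explain the filtered stream's drops."""
    drops = [r for r in parse_counters(text)
             if r["severity"] == "drop" and r["value"] > 0]
    return sorted(drops, key=lambda r: r["value"], reverse=True)


if __name__ == "__main__":
    for r in drop_reasons(SAMPLE_OUTPUT):
        print(f"{r['name']:<28} {r['value']:>6}  {r['description']}")
```

Paste the real command output into a file and feed it to drop_reasons() in place of SAMPLE_OUTPUT; in the constructed sample, flow_tcp_non_syn_drop is the counter you would expect to climb in the asymmetric-routing case described above.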
