Revision D
Contents
  Overview (p. 3)
    PAN-OS 5.0 updates (p. 3)
      Management PCAPs (p. 3)
        Viewing Management PCAPs (p. 3)
        Exporting Management PCAPs (p. 4)
      Debug Dataplane Changes (p. 4)
    Packet filter, capture and debug logs (p. 4)
  Section 1: Packet filters (p. 5)
    Configuring packet filters (p. 5)
    Filter match conditions (p. 5)
      Configuring packet filter match (p. 5)
      Viewing the packet filter (p. 6)
      Clearing a filter (p. 6)
      Pre-parse-match (p. 6)
  Section 2: Packet captures (p. 7)
    Configuring packet capture - CLI (p. 7)
    Packet capture stage (p. 7)
    Trigger captures (p. 8)
    Capture file (p. 8)
    Viewing and deleting PCAP (p. 8)
    Clearing capture (p. 9)
    Configuring packet capture - Web Management (p. 9)
  PCAP examples (p. 11)
    Case 1: Traffic without NAT (p. 11)
    Case 2: Traffic with Source NAT (p. 11)
  Section 3: Debug log (p. 14)
    Configuring packet log (p. 14)
    Viewing debug log (p. 14)
    Clearing debug log file (p. 15)
  Debug log example (p. 15)
    Clear debug log file (p. 15)
  Disable debug (p. 16)
  Summary (p. 17)
  Revision History (p. 18)
Overview
The purpose of this document is to provide background information on the PAN-OS 3.1 and later Packet Filtering, Capture and Debug Log functionality, as well as a recommended workflow for using those features in problem diagnostics. The commands covered in this document are applicable to all hardware platforms.
The management PCAPs can be viewed using the view-pcap mgmt-pcap mgmt.pcap command. Every time TCPDUMP is run, the old mgmt.pcap file is overwritten with the new packet capture.
1. On the PA-200, all debug logs are now stored in the file pan_task_1.log. To view the debug logs, use the command tail follow yes mp-log pan_task_1.log or less mp-log pan_task_1.log.
2. In PAN-OS 5.0 and later, you can run a command to aggregate the dataplane logs into one log file. After the debug logs have been collected, disable the flow basic debug and then run the following command: debug dataplane packet-diag aggregate-logs.
This command aggregates all dataplane logs into packet-diag. This is helpful on the PA-5000 Series, which has multiple dataplanes: you can then view the aggregated logs collected from all of the dataplanes in one single file.
An example of enabling the debug log in PAN-OS 5.0 is shown below:
debug dataplane packet-diag clear log log
debug dataplane packet-diag set filter match source 172.16.100.87 destination 172.16.101.100 destination-port 21 protocol 6
debug dataplane packet-diag set filter on
debug dataplane packet-diag set log feature flow basic
debug dataplane packet-diag set log on
To aggregate the dataplane logs, disable the debug logs, wait about a minute to allow the logs to be fully written, and then run: debug dataplane packet-diag aggregate-logs. This combines the dataplane logs into a single file named pan_packet_diag.log.
The configured packet filters can be viewed using the command debug dataplane packet-diag show setting.
Clearing a filter
A PAN-OS device supports up to four concurrently configured filters. Existing filters must be removed in order to configure new ones. Filters are referenced by index number. To clear a filter, use the command debug dataplane packet-diag clear filter.
Pre-parse-match
The pre-parse-match option is added for advanced troubleshooting purposes. From the moment a packet enters the ingress port it has to go through a number of processing steps before it gets parsed for a match against the pre-configured filters. Therefore, it is entirely possible that a packet, due to some failure, never gets to the filtering stage. A typical example is route lookup: if this fails, the packet will never reach the filter (although interface counters can be used to quickly identify this error condition).
Setting pre-parse-match emulates a positive match for every packet entering the system, so we can capture even those packets that don't make it to the filtering process. If a packet does manage to get through to the filtering stage, it is then processed according to the filter configuration, and the match is discarded if the packet fails to meet the filtering criteria. By default, pre-parsed packets are not matched. To enable pre-parse match, use the command
admin@PA-4050(active)> debug dataplane packet-diag set filter pre-parse-match yes
2013, Palo Alto Networks, Inc.
Trigger captures
Packet capture is conditional for a given session: it starts when a triggering event occurs. Currently the only trigger event is application, which means the capture is triggered when the application changes from one to another. For example, when a user accesses Gmail, the session starts off as web-browsing and then switches to gmail. It is possible to define the maximum byte count before the filter stops capturing, and also the maximum number of packets to be captured. A packet match filter is required for the application trigger to capture packets.
Capture file
PCAPs are stored in the file defined by the user. Files can be defined for each packet capture stage and/or for triggered captures. Multiple PCAP stages can be enabled simultaneously. The command for setting the capture file is shown
The PCAP file can be viewed using the command view-pcap. The command syntax is
view-pcap follow
The PCAP file can also be exported to an external host and viewed with any PCAP viewing utility. TFTP and SCP are the supported export methods.
Clearing capture
To clear a capture, use the debug dataplane packet-diag clear command. More specific options to clear a particular stage or trigger are also available.
From the Capture Files section, set Capture to ON and click Add to add a capture file and stage.
The PCAP file is created when matching traffic traverses the firewall. PCAPs can be viewed from the right-hand pane of the PCAP window.
PCAP examples
Case 1: Traffic without NAT
In this example, we capture packets for all FTP traffic from source 172.16.100.87 to destination 172.16.101.100.
The workflow for enabling PCAP is as follows:
Case 2: Traffic with Source NAT
In this example, we capture packets for all FTP traffic from source 172.16.100.87 to destination 172.16.101.100. The source 172.16.100.87 is translated using dynamic-ip to the egress interface IP of 172.16.101.1. Packets are captured at the receive stage, firewall stage and transmit stage, with each stage configured with its own PCAP file.
------------------------------------------------------------------------
Packet filter
Enabled:                   yes
Match pre-parsed packet:   no
Index 1: 172.16.100.87[0]->172.16.101.100[21], proto 6
         ingress-interface any, egress-interface any, exclude non-IP
------------------------------------------------------------------------
Logging
Enabled:                   no
Log-throttle:              no
Aggregate-to-single-file:  yes
Features:
------------------------------------------------------------------------
Packet capture
Enabled:                   yes
Stage receive  : file ftp-rx byte-count 0 packet-count 0
Stage firewall : file ftp-fw byte-count 0 packet-count 0
Stage transmit : file ftp-tx byte-count 0 packet-count 0
------------------------------------------------------------------------
In the example, the IP addresses and port numbers of the packet are as shown:
                    Source IP/port         Destination IP/port
Original packet     172.16.100.87/32919    172.16.101.100/21
Translated packet   172.16.101.1/43828     172.16.101.100/21
When NAT is configured, it is important to note the source and destination IP addresses of the packet at the different capture points.
Receive and firewall stage:
The receive and firewall stages always capture pre-NAT addresses.
The first packet received by the firewall has source IP/port = 172.16.100.87/32919 and destination IP/port = 172.16.101.100/21. This is the original packet.
The response packet has source IP/port = 172.16.101.100/21 and destination IP/port = 172.16.101.1/43828. This is the original response packet.
PCAP at receive stage
admin@PA-4050> view-pcap filter-pcap ftp-rx
reading from file /opt/panlogs/session/pan/filters/ftp-rx, link-type EN10MB (Ethernet)
17:42:03.364844 IP 172.16.100.87.32919 > 172.16.101.100.ftp: S 1269231740:1269231740(0) win 5840 <mss 1460,sackOK,timestamp 1059470370 0,nop,wscale 7>
Transmit stage:
The transmit stage always captures post-NAT addresses.
The first packet transmitted by the firewall has source IP/port = 172.16.101.1/43828 and destination IP/port = 172.16.101.100/21, i.e. the translated packet.
The response packet transmitted by the firewall has source IP/port = 172.16.101.100/21 and destination IP/port = 172.16.100.87/32919. The destination IP of the response has been translated back to the original address.
PCAP at transmit stage
admin@PA-4050> view-pcap filter-pcap ftp-tx
reading from file /opt/panlogs/session/pan/filters/ftp-tx, link-type EN10MB (Ethernet)
17:42:03.365129 IP 172.16.101.1.43828 > 172.16.101.100.ftp: S 1269231740:1269231740(0) win 5840 <mss 1460,sackOK,timestamp 1059470370 0,nop,wscale 7>
17:42:03.367057 IP 172.16.101.100.ftp > 172.16.100.87.32919: S 3378337395:3378337395(0) ack 1269231741 win 17520 <mss 1460,nop,wscale 0,nop,nop,timestamp 0 0,nop,nop,sackOK>
17:42:03.367196 IP 172.16.101.1.43828 > 172.16.101.100.ftp: . ack 3378337396 win 46 <nop,nop,timestamp 1059470374 0>
17:42:03.382689 IP 172.16.101.100.ftp > 172.16.100.87.32919: P 1:43(42) ack 1 win 17520 <nop,nop,timestamp 10260900 1059470374>
17:42:03.382816 IP 172.16.101.1.43828 > 172.16.101.100.ftp: . ack 43 win 46 <nop,nop,timestamp 1059470389 10260900>
17:42:03.383092 IP 172.16.101.1.43828 > 172.16.101.100.ftp: P 0:13(13) ack 43 win 46 <nop,nop,timestamp 1059470390 10260900>
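As an added illustration (not part of the original tech note), the following Python script correlates receive-stage and transmit-stage view-pcap lines by TCP sequence number, which NAT leaves untouched, to recover the source-NAT translation described above; the sample lines are constructed from the captures quoted in this case.

```python
import re

# Constructed sample lines in the view-pcap (tcpdump) format quoted in the tech note.
# Receive-stage lines carry pre-NAT addresses, transmit-stage lines post-NAT addresses.
RX_LINES = [
    "17:42:03.364844 IP 172.16.100.87.32919 > 172.16.101.100.ftp: S 1269231740:1269231740(0) win 5840",
]
TX_LINES = [
    "17:42:03.365129 IP 172.16.101.1.43828 > 172.16.101.100.ftp: S 1269231740:1269231740(0) win 5840",
    "17:42:03.367057 IP 172.16.101.100.ftp > 172.16.100.87.32919: S 3378337395:3378337395(0) ack 1269231741 win 17520",
    "17:42:03.367196 IP 172.16.101.1.43828 > 172.16.101.100.ftp: . ack 3378337396 win 46",
]

# "<time> IP <src>.<sport> > <dst>.<dport>: <flags> [<seq>:<end>(<len>)] ..."
LINE_RE = re.compile(
    r"^\S+ IP (?P<src>\S+?)\.(?P<sport>\w+) > (?P<dst>\S+?)\.(?P<dport>\w+): "
    r"(?P<flags>[SPFR.]+)(?: (?P<seq>\d+):\d+\(\d+\))?"
)

def parse(line):
    """Return (src, sport, dst, dport, flags, seq) for one tcpdump line, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    g = m.groupdict()
    return g["src"], g["sport"], g["dst"], g["dport"], g["flags"], g["seq"]

def nat_map(rx_lines, tx_lines):
    """Pair receive-stage and transmit-stage packets by TCP sequence number and return
    {pre-NAT 4-tuple: post-NAT 4-tuple} for every pair whose addresses differ."""
    tx_by_seq = {p[5]: p for p in map(parse, tx_lines) if p and p[5]}
    mapping = {}
    for p in map(parse, rx_lines):
        if not p or not p[5] or p[5] not in tx_by_seq:
            continue
        q = tx_by_seq[p[5]]
        if p[:4] != q[:4]:
            mapping[p[:4]] = q[:4]
    return mapping

def classify(pre, post):
    """Name the translation implied by a pre-NAT/post-NAT tuple pair."""
    src_changed, dst_changed = pre[:2] != post[:2], pre[2:] != post[2:]
    if src_changed and dst_changed:
        return "source and destination NAT"
    if src_changed:
        return "source NAT"
    return "destination NAT" if dst_changed else "no translation"
```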
admin@PA-4050>
> feature
> log-option
> off
> on
To enable packet logging, use the command debug dataplane packet-diag set log on.
PAN-OS offers multiple features for logging packets. Each feature can have sub-features for which packets can be logged.
The debug log can be viewed from the CLI using one of two commands:
less
tail
Note:
1. For the PA-5000 Series firewalls, the command to view the debug log is less dp0-log pan_packet_diag.log
2. For the PA-200, use the command less mp-log pan_packet_diag.log
It is good practice to clear the log before enabling debug logging for the traffic of interest. Log files can be cleared using the command:
Disable debug
6. Analyze the logs
PAN-OS allows searching for specific keywords within the log by typing /<pattern>. Searches are case sensitive. For example, to see the route lookup in the above example, type /Route.
Summary
PAN-OS 3.1 and later offers restructured packet-related diagnostic facilities. The improvements in global counters, filtering, debug logs and dataplane packet capture empower firewall administrators to troubleshoot device and network issues.
Revision History
Date        Revision  Comment
9/3/2013    D         Update made in the Debug Dataplane Changes section. The command debug dataplane packet-diag aggregate-logs should be run after disabling the flow basic debugs.
8/21/2013             Added Exporting Management PCAPs in the Management PCAP section.
10/23/2012            Updated with PAN-OS 5.0 changes.
9/10/2011