Packet captures for traffic passing through
the network data ports on a Palo Alto Networks firewall are performed
by the dataplane CPU. To capture traffic that passes through the
management interface, you must
Take
a Packet Capture on the Management Interface, in which case
the packet capture is performed on the management plane.
When
a packet capture is performed on the dataplane, the packet capture
filter is used differently by the ingress stage, compared to the
firewall, drop, and egress capture stages. The ingress stage uses
the packet capture filter to copy individual packets that match
the filter to the capture file. Packets that fail packet-parsing checks
are dropped before being captured. The firewall, drop, and egress
capture stages use the same packet capture filter to mark all new
sessions that match the filter. Because each session, as recorded
in the session tables, identifies both client-to-server and server-to-client
connections, any traffic, in either direction, that matches to the
flagged session will be copied to the firewall-stage and transmit-stage
capture files. Likewise, any dropped traffic (post receive stage)
in either direction that matches to a flagged session will be copied
to the drop-stage capture file.
On firewall models that include
a network processor, traffic that meets certain pre-determined criteria
by Palo Alto Networks may be offloaded for handling by the network
processor. Such offloaded traffic will not reach the dataplane CPU
and will, therefore, not be captured. To capture offloaded traffic,
you must use the CLI to turn off the hardware offload feature.
Common
types of traffic that may be offloaded include non-decrypted SSL
and SSH traffic (which being encrypted cannot be usefully inspected
beyond the initial SSL/SSH session setup), network protocols (such
as OSPF, BGP, RIP), and traffic that matches an application-override
policy. Some types of traffic will never be offloaded, such as ARP,
all non-IP traffic, IPSec, and VPN sessions. Individual SYN, FIN,
and RST packets, even for session traffic that has been offloaded,
will never be offloaded, and will always be passed through to the
dataplane CPU, once recognized as such by the network processor.
Hardware offload is supported on the following firewalls: PA-3200 Series, PA-5200 Series,
PA-5450, and PA-7000 Series firewall.
Disabling hardware offload may increase
the dataplane CPU usage. If dataplane CPU usage is already high,
you may want to schedule a maintenance window before disabling hardware
offload.