a Custom Application Packet Capture
You can configure a Palo Alto Networks firewall to take a packet capture based on an application name and filters that you define. You can then use the packet capture to troubleshoot issues with controlling an application. When configuring an application packet capture, you must use the application name defined in the App-ID database. You can view a list of all App-ID applications using Applipedia or from the web interface on the firewall in
- Using a terminal emulation application, such as PuTTY, launch an SSH session to the firewall.
- Turn on the application packet capture and define filters.

      admin@PA-200> set application dump on application <application-name> rule <rule-name>

  For example, to capture packets for the facebook-base application that matches the security rule named rule1, run the following CLI command:

      admin@PA-200> set application dump on application facebook-base rule rule1

  You can also apply other filters, such as source IP address and destination IP address.
- View the output of the packet capture settings to ensure that the correct filters are applied. The output appears after enabling the packet capture. In the following output, you see that application filtering is now on, based on the facebook-base application, for traffic that matches rule1.

      Application setting:
      Application cache : yes
      Supernode : yes
      Heuristics : yes
      Cache Threshold : 16
      Bypass when exceeds queue limit: no
      Traceroute appid : yes
      Traceroute TTL threshold : 30
      Use cache for appid : no
      Unknown capture : on
      Max. unknown sessions : 5000
      Current unknown sessions : 0
      Application capture : on
      Max. application sessions : 5000
      Current application sessions : 0
      Application filter setting:
      Rule : rule1
      From : any
      To : any
      Source : any
      Destination : any
      Protocol : any
      Source Port : any
      Dest. Port : any
      Application : facebook-base
      Current APPID Signature
      Signature Usage : 21 MB (Max. 32 MB)
      TCP 1 C2S : 15503 states
      TCP 1 S2C : 5070 states
      TCP 2 C2S : 2426 states
      TCP 2 S2C : 702 states
      UDP 1 C2S : 11379 states
      UDP 1 S2C : 2967 states
      UDP 2 C2S : 755 states
      UDP 2 S2C : 224 states
- Access Facebook.com from a web browser to generate Facebook traffic, and then turn off the application packet capture by running the following CLI command:

      admin@PA-200> set application dump off
- View/export the packet capture.
  - Log in to the web interface on the firewall and select Monitor > Logs > Traffic.
  - In the log entry that you are interested in, click the green packet capture icon in the second column.
  - View the packet capture directly or Export it to your computer. The following screen capture shows the facebook-base packet capture.
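The step that checks the settings output is easy to get wrong by eye, so here is an added example (not from the Palo Alto Networks documentation) that parses the `key : value` dump shown above and confirms that capture is on and filtered to the expected App-ID name and rule; the sample output is constructed from the page's own listing, trimmed to the lines the check needs.

```python
"""Check a PAN-OS 'application setting' dump for the expected capture filter."""
from typing import Dict

# Constructed sample: the step-3 output from the page, one setting per line,
# trimmed to the lines this check needs.
SAMPLE_OUTPUT = """\
Application setting:
Bypass when exceeds queue limit: no
Application capture : on
Max. application sessions : 5000
Current application sessions : 0
Application filter setting:
Rule : rule1
Source : any
Dest. Port : any
Application : facebook-base
Current APPID Signature
Signature Usage : 21 MB (Max. 32 MB)
TCP 1 C2S : 15503 states
"""

def parse_settings(text: str) -> Dict[str, Dict[str, str]]:
    """Split the dump into sections of 'key : value' pairs keyed by section name."""
    sections: Dict[str, Dict[str, str]] = {}
    current = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        # Section headers end in ':' or carry no ':' at all ('Current APPID Signature').
        if line.endswith(":") or ":" not in line:
            current = line.rstrip(":")
            sections[current] = {}
            continue
        key, _, value = line.partition(":")
        sections.setdefault(current, {})[key.strip()] = value.strip()
    return sections

def capture_matches(text: str, application: str, rule: str) -> bool:
    """True only when capture is on and filtered to the given App-ID name and rule."""
    parsed = parse_settings(text)
    settings = parsed.get("Application setting", {})
    filt = parsed.get("Application filter setting", {})
    return (settings.get("Application capture") == "on"
            and filt.get("Application") == application
            and filt.get("Rule") == rule)
```

The same check, run again after `set application dump off`, confirms the capture was actually switched off rather than left consuming session slots.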