Disable Hardware Offload
Packet captures for traffic passing through the network data ports on a Palo Alto Networks firewall are performed by the dataplane CPU. To capture traffic that passes through the management interface, you must Take a Packet Capture on the Management Interface, in which case the packet capture is performed on the management plane.
When a packet capture is performed on the dataplane, the ingress stage uses the packet capture filter differently from the firewall, drop, and egress capture stages. The ingress stage uses the filter to copy individual packets that match it to the capture file; packets that fail packet-parsing checks are dropped before they can be captured. The firewall, drop, and egress capture stages use the same filter to mark every new session that matches it. Because each session, as recorded in the session tables, identifies both the client-to-server and the server-to-client connection, any traffic in either direction that belongs to a flagged session is copied to the firewall-stage and transmit-stage capture files. Likewise, any traffic dropped after the receive stage, in either direction, that belongs to a flagged session is copied to the drop-stage capture file.
On firewall models that include a network processor, traffic that meets certain criteria pre-determined by Palo Alto Networks may be offloaded for handling by the network processor. Such offloaded traffic never reaches the dataplane CPU and therefore is not captured. To capture offloaded traffic, you must use the CLI to turn off the hardware offload feature.
Common types of traffic that may be offloaded include non-decrypted SSL and SSH traffic (which, being encrypted, cannot be usefully inspected beyond the initial SSL/SSH session setup), network protocols (such as OSPF, BGP, and RIP), and traffic that matches an application-override policy. Some types of traffic are never offloaded, such as ARP, all non-IP traffic, IPSec, and VPN sessions. Individual SYN, FIN, and RST packets are never offloaded, even for sessions whose traffic has been offloaded; once the network processor recognizes them as such, they are always passed through to the dataplane CPU.
Hardware offload is supported on the following firewalls: PA-3050, PA-3060, PA-3200 Series, PA-5000 Series, PA-5200 Series, and PA-7000 Series firewalls.
Disabling hardware offload may increase the dataplane CPU usage. If dataplane CPU usage is already high, you may want to schedule a maintenance window before disabling hardware offload.
- Disable hardware offload by running the following CLI command:
  admin@PA-7050>set session offload no
- After the firewall captures the required traffic, enable hardware offload by running the following CLI command:
  admin@PA-7050>set session offload yes
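Because only SYN, FIN, and RST packets of an offloaded session reach the dataplane CPU, a dataplane-stage capture taken while offload was still on shows such sessions as bare control packets with no data or pure-ACK packets in between. The following added example (not part of the Palo Alto Networks documentation or product) is a stand-alone checker that parses a classic pcap file with the standard library and flags TCP sessions that exhibit this signature; the hosts, ports, and pcap bytes are constructed for the demonstration.

```python
import struct
from collections import defaultdict
from socket import inet_ntoa
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10

def tcp_packets(pcap: bytes):
    """Yield (src, sport, dst, dport, flags, payload_len) for each IPv4/TCP record in a pcap."""
    magic = struct.unpack("<I", pcap[:4])[0]
    endian = "<" if magic in (0xA1B2C3D4, 0xA1B23C4D) else ">"
    off = 24  # skip the pcap global header
    while off + 16 <= len(pcap):
        incl = struct.unpack(endian + "IIII", pcap[off:off + 16])[2]
        frame, off = pcap[off + 16:off + 16 + incl], off + 16 + incl
        if len(frame) < 54 or frame[12:14] != b"\x08\x00":  # Ethernet II carrying IPv4 only
            continue
        ip = frame[14:]
        if ip[9] != 6:  # protocol field: not TCP
            continue
        tcp = ip[(ip[0] & 0x0F) * 4:struct.unpack("!H", ip[2:4])[0]]  # drop IP header and padding
        sport, dport = struct.unpack("!HH", tcp[:4])
        yield ip[12:16], sport, ip[16:20], dport, tcp[13], len(tcp) - (tcp[12] >> 4) * 4

def offload_suspects(pcap: bytes) -> set:
    """Return 'a:port<->b:port' for sessions whose captured packets are all SYN/FIN/RST,
    the pattern left when data and pure-ACK packets were offloaded past the dataplane CPU."""
    counts = defaultdict(lambda: [0, 0])  # session -> [control-only packets, other packets]
    for src, sport, dst, dport, flags, plen in tcp_packets(pcap):
        key = tuple(sorted([(src, sport), (dst, dport)]))  # same key for both directions
        control_only = bool(flags & (SYN | FIN | RST)) and plen == 0
        counts[key][0 if control_only else 1] += 1
    return {f"{inet_ntoa(a)}:{ap}<->{inet_ntoa(b)}:{bp}"
            for ((a, ap), (b, bp)), (ctl, other) in counts.items() if ctl and not other}

def build_pcap(packets) -> bytes:
    """Constructed test data: pack (src, sport, dst, dport, flags, payload) tuples into a pcap."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # link type 1 = Ethernet
    for src, sport, dst, dport, flags, payload in packets:
        tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0) + payload
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0, src, dst) + tcp
        frame = b"\x00" * 12 + b"\x08\x00" + ip  # zeroed MACs, EtherType 0x0800
        out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return out

C, S = b"\x0a\x00\x00\x05", b"\xc0\x00\x02\x0a"  # constructed hosts 10.0.0.5 and 192.0.2.10
SAMPLE = build_pcap([  # constructed: :40000 shows only SYN/SYN-ACK/FIN/RST, :40001 also carries data
    (C, 40000, S, 443, SYN, b""), (S, 443, C, 40000, SYN | ACK, b""),
    (C, 40000, S, 443, FIN | ACK, b""), (S, 443, C, 40000, RST, b""),
    (C, 40001, S, 80, SYN, b""), (S, 80, C, 40001, SYN | ACK, b""),
    (C, 40001, S, 80, 0x18, b"GET / HTTP/1.0\r\n\r\n"), (S, 80, C, 40001, FIN | ACK, b"")])
```

Run `offload_suspects()` over a real dataplane-stage capture file's bytes; a non-empty result for sessions you expected to see in full is a sign that the capture was taken with offload still enabled.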