Take a Custom Application Packet Capture
You can configure a Palo Alto Networks firewall to take a packet capture based on an application name and filters that you define. You can then use the packet capture to troubleshoot issues with controlling an application. When configuring an application packet capture, you must use the application name defined in the App-ID database. You can view a list of all App-ID applications using Applipedia or from the web interface on the firewall in Objects > Applications.
- Using a terminal emulation application, such as PuTTY, launch an SSH session to the firewall.
- Turn on the application packet capture and define filters.
  admin@PA-200> set application dump on application <application-name> rule <rule-name>
  For example, to capture packets for the facebook-base application that matches the security rule named rule1, run the following CLI command:
  admin@PA-200> set application dump on application facebook-base rule rule1
  You can also apply other filters, such as source IP address and destination IP address.
- View the output of the packet capture settings to ensure that the correct filters are applied. The output appears after enabling the packet capture. In the following output, you see that application filtering is now on based on the facebook-base application for traffic that matches rule1.
  Application setting:
    Application cache : yes
    Supernode : yes
    Heuristics : yes
    Cache Threshold : 16
    Bypass when exceeds queue limit: no
    Traceroute appid : yes
    Traceroute TTL threshold : 30
    Use cache for appid : no
    Unknown capture : on
    Max. unknown sessions : 5000
    Current unknown sessions : 0
    Application capture : on
    Max. application sessions : 5000
    Current application sessions : 0
  Application filter setting:
    Rule : rule1
    From : any
    To : any
    Source : any
    Destination : any
    Protocol : any
    Source Port : any
    Dest. Port : any
    Application : facebook-base
  Current APPID Signature
    Signature Usage : 21 MB (Max. 32 MB)
    TCP 1 C2S : 15503 states
    TCP 1 S2C : 5070 states
    TCP 2 C2S : 2426 states
    TCP 2 S2C : 702 states
    UDP 1 C2S : 11379 states
    UDP 1 S2C : 2967 states
    UDP 2 C2S : 755 states
    UDP 2 S2C : 224 states
- Access Facebook.com from a web browser to generate Facebook traffic and then turn off application packet capture by running the following CLI command:
  admin@PA-200> set application dump off
- View/export the packet capture.
- Log in to the web interface on the firewall and select Monitor > Logs > Traffic.
- In the log entry that you are interested in, click the green packet capture icon in the second column.
- View the packet capture directly or Export it to your computer. The following screen capture shows the facebook-base packet capture.
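The verification step above (checking that Application capture is on and that the filter names the intended application and rule) can be automated when you collect the CLI output from several firewalls. The following is an added example, not Palo Alto Networks code; the sample output is constructed and abbreviated from the settings listing shown on this page, and the two function names are my own.

```python
# Constructed sample, abbreviated from the verification output shown on this page.
SAMPLE_OUTPUT = """\
Application setting:
  Application cache : yes
  Unknown capture : on
  Application capture : on
  Max. application sessions : 5000
  Current application sessions : 0
Application filter setting:
  Rule : rule1
  From : any
  To : any
  Source : any
  Destination : any
  Application : facebook-base
Current APPID Signature
  Signature Usage : 21 MB (Max. 32 MB)
"""


def parse_settings(text):
    """Group 'Key : value' lines under the unindented header that precedes them.

    Headers may or may not end in a colon ('Current APPID Signature' has none).
    """
    sections, current = {}, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if not raw.startswith(" "):          # section header line
            current = raw.strip().rstrip(":")
            sections[current] = {}
            continue
        key, sep, value = raw.partition(":")  # split on the first colon only
        if sep and current is not None:
            sections[current][key.strip()] = value.strip()
    return sections


def check_capture_filter(text, application, rule):
    # Returns a list of problems; an empty list means the capture is on with the expected filter.
    sections = parse_settings(text)
    setting = sections.get("Application setting", {})
    filt = sections.get("Application filter setting", {})
    problems = []
    if setting.get("Application capture") != "on":
        problems.append("Application capture is not on")
    if filt.get("Application") != application:
        problems.append(f"filter application is {filt.get('Application')}, expected {application}")
    if filt.get("Rule") != rule:
        problems.append(f"filter rule is {filt.get('Rule')}, expected {rule}")
    return problems
```

Paste the real output from your firewall in place of the sample; an empty list from check_capture_filter means you can proceed to generate traffic.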