Tech Note: Packet Based Troubleshooting

Using Packet Filtering, Capture and Debug Logs in PAN-OS 3.1 and later

October 2011

Palo Alto Networks

232 E. Java Dr.
Sunnyvale, CA 94089
408.738.7700
www.paloaltonetworks.com
Table of Contents
Overview............................................................................................................................................. 3
Packet filter, capture and debug logs ................................................................................................. 3
Section 1: Packet filters ...................................................................................................................... 4
Configuring packet filters ................................................................................................................ 4
Filter match conditions .................................................................................................................... 4
Configuring packet filter match ................................................................................................... 4
Viewing the packet filter .............................................................................................................. 5
Clearing a filter ............................................................................................................................ 5
Pre-parse-match ......................................................................................................................... 6
Section 2: Packet captures................................................................................................................. 6
Configuring packet capture-CLI ...................................................................................................... 6
Packet capture stage .................................................................................................................. 6
Trigger captures .......................................................................................................................... 7
Capture file .................................................................................................................................. 8
Viewing and deleting PCAP ........................................................................................................ 8
Clearing capture .......................................................................................................................... 9
Configuring packet capture-Web Management .............................................................................. 9
PCAP examples ............................................................................................................................... 10
Case1: Traffic without NAT ........................................................................................................... 10
Case 2: Traffic with Source NAT .................................................................................................. 11
Section 3: Debug log ........................................................................................................................ 14
Configuring packet log .................................................................................................................. 14
Viewing debug log ........................................................................................................................ 15
Clearing debug log file .................................................................................................................. 15
Debug log example .......................................................................................................................... 15
Summary .......................................................................................................................................... 17
Appendix .......................................................................................................................................... 18
Changes overview ........................................................................................................................ 18
CLI differences PANOS 3.0 to PANOS 3.1 .................................................................................. 18

© 2010 Palo Alto Networks Page 2

Overview
The purpose of this document is provide background information on PAN-OS 3.1 Packet
Filtering, Capture and Debug Log functionality as well as recommended workflow when
using those features in problem diagnostics. The commands covered in this document is
applicable to all the hardware platforms

Packet filter, capture and debug logs

In PAN-OS 3.1 packet filtering , logging and packet capturing have been separated and
subsequently, configuration operational commands are grouped under three distinct areas:
• Packet filter
• Packet capture
• Debug logs
All of these functions can be configured, viewed and cleared using the operational mode
command debug dataplane packet-diag

admin@PA-4050> debug dataplane packet-diag

> clear Clear packet-related diagnosis parameters
> set Set packet-related debugging parameters
> show Show packet-related diagnosis information

This document is divided into the following sections:

1. Packet Filters
2. Packet Captures
3. Debug Logs

© 2010 Palo Alto Networks Page 3

Section 1: Packet filters
Very seldom is there a single flow through the firewall at any given time. When trying to diagnose
problems, it is important to define filters to minimize the performance degradation and to ensure
other extraneous data is not captured. PAN-OS supports configuring packet filters to define
interesting traffic. The packet filters can be applied to accomplish the following:
• Enable packet capture at multiple capturing points
• Track global counter changes
• Enable packet debug logging

Configuring packet filters

The debug dataplane packet-diag set filter command is used to turn on/off and define the match
condition for packet filters

admin@PA-4050> debug dataplane packet-diag set filter

> match specify debug filter
> off Disable debug filter
> on Enable debug filter
> pre-parse-match Match value for packet before parsing

Packet filter is enabled using the command “debug dataplane packet-diag set filter on”

Filter match conditions

Packet filters can be configured the match on the following options:
• Source and destination IP address
• Source and destination ports
• IP protocol
• Ingress interface
• Include, exclude or capture only non-IP
A maximum of four filters can be configured on the firewall. All the parameters within a filter must
match within a packet for it to be captured. When multiple filters are configured, packets matching
any of packet filters will be captured.

Configuring packet filter match

The examples below show different packet filter match statements

Match a source IP address

admin@PA-4050> debug dataplane packet-diag set filter match source

1.1.1.5

© 2010 Palo Alto Networks Page 4

Match source and destination IP address, destination port and IP protocol.
In this example all the parameters defined in the filter must match for the packet to be captured - i.e.
the source IP, destination IP, port and the protocol in the packet must match to trigger the filter.

admin@PA-4050> debug dataplane packet-diag set filter match source

1.1.1.5 destination 2.1.1.5 destination-port 80 protocol 6

Viewing the packet filter

The packet filters configured can be viewed using the command debug dataplane packet-diag
show setting

admin@PA-4050> debug dataplane packet-diag show setting

-------------------------------------------------------------------------
Packet diagnosis setting:
-------------------------------------------------------------------------
Packet filter
Enabled: yes
Match pre-parsed packet: no
Index 1: 1.1.1.50[0]->0.0.0.0[0], proto 0
ingress-interface any, egress-interface any, exclude non-IP
Index 2: 1.1.1.5[0]->2.1.1.5[80], proto 6
ingress-interface any, egress-interface any, exclude non-IP
-------------------------------------------------------------------------
Logging
Enabled: no
Log-throttle: no
Aggregate-to-single-file: yes
Features:
-------------------------------------------------------------------------
Packet capture
Enabled: no
-------------------------------------------------------------------------

In the above example, there are two packet filters configured. The packets matching either one of
the filters are captured.

Clearing a filter
PAN-OS device supports four concurrent filters to be configured. Existing filters must be removed
in order to configure new filters. Filters are referenced by index numbers. To clear a filter use the
command debug dataplane packet-diag clear filter

© 2010 Palo Alto Networks Page 5

admin@PA-4050> debug dataplane packet-diag clear filter
all Delete all filters
<value> <1-4> Filter index

Note: The filters are not renumbered if a filter is cleared.

Pre-parse-match
The pre-parse-match option is added for advanced troubleshooting purposes. From the moment
packet enters ingress port it has to go through number of processing steps before it gets parsed for
match against pre-configured filters. Therefore, it is entirely possible that packet, due to some
failure, never gets to filtering stage. Typical example would be route lookup – if this fails, a packet
will never reach the filter (although interface counters can be used to quickly identify this error
condition). Setting pre-parse-match emulates positive match for every packet entering the system
so we can capture even those packets that don’t make it to filtering process. If packet does
manage to get through to the filtering stage, it is then processed according to filter configuration
and match is discarded if packet fails to meet filtering criteria. By default pre-parsed packets are
not matched. To enable pre-parse match use the command
admin@PA-4050(active)> debug dataplane packet-diag set filter pre-parse-
match yes

Section 2: Packet captures

PAN-OS supports capturing packet that be analyzed later for troubleshooting, or for detecting
unknown applications. Only the packets that match the filters are captured. The PCAPs are locally
stored on the device in user-defined file. The PCAP file can be viewed from the CLI or copied to an
external host to view using a PCAP utility. The PCAPS have a 1% disk usage quota with a
minimum storage space size of 100MB for each type

Configuring packet capture-CLI

To enable packet capture and to set the capture options use the operational mode command
debug dataplane packet-diag set capture.

admin@PA-4050> debug dataplane packet-diag set capture

> off Disable debug capture
> on Enable debug capture
> stage Packet capture at processing stage
> trigger Packet capture triggered by event

To enable packet capture use the command debug dataplane packet-diag set capture on

Packet capture stage

Packets can be captured at different packet processing stages. User may specify capture PCAP
file attributes for the following points

© 2010 Palo Alto Networks Page 6

admin@PA-4050> debug dataplane packet-diag set capture stage
> drop Drop stage
> firewall Firewall stage
> receive Receive stage
> transmit Transmit stage

• drop: when packet processing encounters an error and this packet will be discarded
• firewall: packet has a session match, or a first packet with session successfully created
• receive: packet received on dataplane CPU
• transmit: packet is to be transmitted on dataplane CPU
The receive and transmit stage capture can be viewed as shown in the figure shown below

A: First packet from a source host received by the firewall

B: First packet transit transmitted after processing
C: Response packet received. This is response to the packet sent out in stage B
D: Response packet sent to the end host.

You can also define the maximum number of bytes to capture and also the maximum packets to be
captured for each stage.

Trigger captures
Packet capture is conditional for a given session, it starts when triggering event occurs. Currently
the only trigger event is “application”, which means to trigger when the application changes from
one to another.. For example when user access gmail, the session starts off as web-browsing and
then switches to gmail. It is possible to define the max byte count before the filter stops capturing,
and also the max packets to be captured. A packet match filter is required for application trigger to
capture packets.

admin@PA-4050> debug dataplane packet-diag set capture trigger application

+ byte-count Max. byte count before filter stops
+ packet-count Max. packet count before filter stops
* file Saved file name
* from From application
* to To application

© 2010 Palo Alto Networks Page 7

Capture file
PCAPs are stored in the file defined by the user. Files can be defined for each packet capture
stage and/or triggered captures. Multiple stages for PCAP can be enabled simultaneously. The
command for setting capture file is shown

debug dataplane packet-diag set capture stage

<drop/firewall/receive/transmit> file <file name>

debug dataplane packet-diag set capture trigger application from

<application name> to <application name> file <file name>

Note: If you are capturing packets at different stages, it recommended having a separate PCAP file
for each stage of the capture

Viewing and deleting PCAP

The PCAP file can be viewed using the command view-pcap. The command syntax is

view-pcap filter-pcap <file name>

You can view all the file names using “?” in place of the filename.

The view-pcap command provides user with lots of different options to view the PCAP. Some of the
options include, hex, hex-ascii, no-dns-lookup, no-port-lookup. To view the complete option list, use
“?” as the first argument after “view-pcap”. To view the PCAP with options use the following
command:

view-pcap <option> yes filter-pcap <file name>

To view the pcap in real time use the command

view-pcap follow yes filter-pcap <file name>

The pcap file can also be exported to an external host to be viewed using any PCAP viewing utility.
TFTP and SCP are the supported methods.

scp export filter-pcap from <file name> to <username@host:path>

tftp export filter-pcap from <file name> to <destination IP>

Note: The PCAP file is created only when the traffic traverses the firewall.

© 2010 Palo Alto Networks Page 8

To delete the PCAP files use the command

delete debug-filter file <file name>

Note:

Clearing capture
To clear capture use the debug dataplane packet-diag clear command. More specific options to
clear a particular stage and trigger are also available

admin@PA-4050> debug dataplane packet-diag clear capture

> all all
> stage Capture at processing stage
> trigger Capture triggered by event

Configuring packet capture-Web Management

Starting with PAN-OS 4.0 packet capture can be configured from the Web management. In order to
configure packet capture, navigate to Monitor>Packet Capture

© 2010 Palo Alto Networks Page 9

Select Manage filters to add or view PCAP filters

Click on the filtering button to enable the configured packet filter.

From the Capture Files section, set capture to ON and click on “add” to add capture file and stage.
The PCAP file will be created when traffic traverses the firewall. PCAPs can be viewed from the
right hand pane of the PCAP window.

PCAP examples

Case1: Traffic without NAT

In this example, we capture packets for all FTP traffic from source 172.16.100.87 to destination
172.16.101.100

The workflow for enabling PCAP is as follows:

1. Apply the packet filters for the source and destination

2. Enable the packet filter

© 2010 Palo Alto Networks Page 10

 3. Specify the packet capture stage and the file
4. Enable packet capture
5. Initiate traffic between the hosts
6. Disable packet capture
7. Analyze the PCAP

debug dataplane packet-diag set filter match source 172.16.100.87

destination 172.16.101.100 destination-port 21 protocol 6
debug dataplane packet-diag set filter on
debug dataplane packet-diag set capture stage firewall file ftp-pcap
debug dataplane packet-diag set capture on
Initiate traffic
debug dataplane packet-diag set capture off

admin@PA-4050> view-pcap filter-pcap ftp-pcap

reading from file /opt/panlogs/session/pan/filters/ftp-pcap, link-type

EN10MB (Ethernet)
22:25:59.892789 IP 172.16.100.87.44833 > 172.16.101.100.ftp: S
2264517141:2264517141(0) win 5840 <mss 1460,sackOK,timestamp 730886
439 0,nop,wscale 7>
22:25:59.892980 IP 172.16.101.100.ftp > 172.16.100.87.44833: S
3138829586:3138829586(0) ack 2264517142 win 17520 <mss 1460,nop,wsc
ale 0,nop,nop,timestamp 0 0,nop,nop,sackOK>
22:25:59.893066 IP 172.16.100.87.44833 > 172.16.101.100.ftp: . ack 1 win
46 <nop,nop,timestamp 730886440 0>
22:25:59.895180 IP 172.16.101.100.ftp > 172.16.100.87.44833: P 1:43(42)
ack 1 win 17520 <nop,nop,timestamp 6975543 730886440>
22:26:11.324835 IP 172.16.100.87.42430 > 172.16.101.100.carrius-rshell: S
2290456784:2290456784(0) win 5840 <mss 1460,sackOK,times
tamp 730897872 0,nop,wscale 7>

Case 2: Traffic with Source NAT

In this example, we capture packets for all FTP traffic from source 172.16.100.87 to destination
172.16.101.100. The source 172.16.100.87 is translated using dynamic-ip to egress interface IP of
172.16.101.1. Packets are captured at receive stage, firewall stage and transmit stage, with each
stage configured with its own PCAP file.

admin@PA-4050> debug dataplane packet-diag show setting

-------------------------------------------------------------------------
Packet diagnosis setting:
-------------------------------------------------------------------------
Packet filter
Enabled: yes
Match pre-parsed packet: no

© 2010 Palo Alto Networks Page 11

 Index 1: 172.16.100.87[0]->172.16.101.100[21], proto 6
ingress-interface any, egress-interface any, exclude non-IP
-------------------------------------------------------------------------
Logging
Enabled: no
Log-throttle: no
Aggregate-to-single-file: yes
Features:
-------------------------------------------------------------------------
Packet capture
Enabled: yes
Stage receive : file ftp-rx byte-count 0 packet-count 0
Stage firewall : file ftp-fw byte-count 0 packet-count 0
Stage transmit : file ftp-tx byte-count 0 packet-count 0
-------------------------------------------------------------------------

In the example the IP address and the port numbers of the packet are as shown

Original packet

Source IP/port Destination IP/port

172.16.100.87/32919 172.16.101.100/21

Translated packet

Source IP/port Destination IP/port

172.16.101.1/43828 172.16.101.100/21

When NAT is configured, it is important to note the source and destination IP addresses of the
packet at different capture points.

Receive and firewall stage:

Receive and firewall stage always captures pre NAT addresses
The first packet received by the firewall will have source IP/port= 172.16.100.87/32919 and the
destination IP/port=172.16.101.100/21. This is the original packet
The response packet will have source IP/port=172.16.101.100/21 destination
IP/port=172.16.101.1/43828. This is original response packet.

PCAP at receive stage

admin@PA-4050> view-pcap filter-pcap ftp-rx
reading from file /opt/panlogs/session/pan/filters/ftp-rx, link-type
EN10MB (Ethernet)
17:42:03.364844 IP 172.16.100.87. 32919 > 172.16.101.100.ftp: S
1269231740:1269231740(0) win 5840 <mss 1460,sackOK,timestamp 1059470370
0,nop,wscale 7>

© 2010 Palo Alto Networks Page 12

17:42:03.366965 IP 172.16.101.100.ftp > 172.16.101.1.43828: S
3378337395:3378337395(0) ack 1269231741 win 17520 <mss 1460,nop,wscale
0,nop,nop,times tamp 0 0,nop,nop,sackOK>
17:42:03.367102 IP 172.16.100.87.32919 > 172.16.101.100.ftp: . ack
3378337396 win 46 <nop,nop,timestamp 1059470374 0>
17:42:03.382249 IP 172.16.101.100.ftp > 172.16.101.1.43828: P 1:43(42)
ack 1 win 17520 <nop,nop,timestamp 10260900 1059470374>
17:42:03.382756 IP 172.16.100.87.32919 > 172.16.101.100.ftp: . ack 43 win
46 <nop,nop,timestamp 1059470389 10260900>

PCAP at firewall stage

admin@PA-4050> view-pcap filter-pcap ftp-fw
reading from file /opt/panlogs/session/pan/filters/ftp-fw, link-type
EN10MB (Ethernet)
17:42:03.365056 IP 172.16.100.87.32919 > 172.16.101.100.ftp: S
1269231740:1269231740(0) win 5840 <mss 1460,sackOK,timestamp 1059470370
0,nop,wscale 7>
17:42:03.367013 IP 172.16.101.100.ftp > 172.16.101.1.43828: S
3378337395:3378337395(0) ack 1269231741 win 17520 <mss 1460,nop,wscale
0,nop,nop,times tamp 0 0,nop,nop,sackOK>
17:42:03.367152 IP 172.16.100.87.32919 > 172.16.101.100.ftp: . ack
3378337396 win 46 <nop,nop,timestamp 1059470374 0>
17:42:03.382293 IP 172.16.101.100.ftp > 172.16.101.1.43828: P 1:43(42)
ack 1 win 17520 <nop,nop,timestamp 10260900 1059470374>

Transmit stage:
Receive and firewall stage always captures post NAT addresses
The first packet transmitted by the firewall will have source IP/port=172.16.101.1/43828 and the
destination IP/port=172.16.101.100/21, i.e. the translated packet

The response packet transmitted by the firewall will have source IP/port=172.16.101.100/21 and
destination IP/port=172.16.100.87/32919. The destination IP is the IP that is translated to the
original address from the response packet

PCAP at transmit stage

admin@PA-4050> view-pcap filter-pcap ftp-tx
reading from file /opt/panlogs/session/pan/filters/ftp-tx, link-type
EN10MB (Ethernet)
17:42:03.365129 IP 172.16.101.1.43828 > 172.16.101.100.ftp: S
1269231740:1269231740(0) win 5840 <mss 1460,sackOK,timestamp 1059470370
0,nop,wscale 7 >
17:42:03.367057 IP 172.16.101.100.ftp > 172.16.100.87.32919: S
3378337395:3378337395(0) ack 1269231741 win 17520 <mss 1460,nop,wscale
0,nop,nop,timestamp 0 0,nop,nop,sackOK>
17:42:03.367196 IP 172.16.101.1.43828 > 172.16.101.100.ftp: . ack
3378337396 win 46 <nop,nop,timestamp 1059470374 0>
17:42:03.382689 IP 172.16.101.100.ftp > 172.16.100.87.32919: P 1:43(42)
ack 1 win 17520 <nop,nop,timestamp 10260900 1059470374>
17:42:03.382816 IP 172.16.101.1.43828 > 172.16.101.100.ftp: . ack 43 win
46 <nop,nop,timestamp 1059470389 10260900>

© 2010 Palo Alto Networks Page 13

17:42:03.383092 IP 172.16.101.1.43828 > 172.16.101.100.ftp: P 0:13(13)
ack 43 win 46 <nop,nop,timestamp 1059470390 10260900>

Section 3: Debug log

The debug log provides a packet navigation trail through various packet processing stage of the
firewall. The default method of capturing the debug log is to aggregate the logs to a single file,
called“pan_packet_diag.log.” It is a good practice to apply packet filters to restrict the flows that are
logged.

Configuring packet log

To enable packet logging and to set the log options use the operational mode command debug
dataplane packet-diag set log.

admin@PA-4050> debug dataplane packet-diag set log

> feature Enable feature/module to log
> log-option Logging output options
> off Disable debug logging
> on Enable debug logging

To enable packet capture use the command debug dataplane packet-diag set log on

PAN-OS offers multiple features to log packets. Each feature can have sub features where packets
can be logged.

admin@PA-4050> debug dataplane packet-diag set log feature

> all all
> appid appid
> ctd ctd
> flow flow
> misc misc
> module module
> pow pow
> proxy proxy
> ssl ssl
> tcp tcp
> tunnel tunnel
> zip zip

admin@PA-4050> debug dataplane packet-diag set log feature flow

ager ager
all all
arp arp
basic basic
ha ha
np np
receive receive

© 2010 Palo Alto Networks Page 14

The most commonly used feature for troubleshooting is the “flow basic”. In PAN-OS 3.1, the
default behavior is for all the debug logs be aggregated a to single file “pan_packet_diag.log”

Viewing debug log

Debug log can be viewed from the CLI using one of the two commands
1. less
2. tail

less dp-log pan_packet_diag.log

- Displays the all the contents of the debug file, starting at the beginning of the file.

tail dp-log pan_packet_diag.log

-Displays the last 10 lines of the debug file

tail command by default displays the last 10 lines of the debug file. To output the last N lines,
instead of the last 10 use the command
tail lines <value> dp-log pan_packet_diag.log
where value is 1-65535

To follow the debug log in realtime

tail follow yes dp-log pan_packet_diag.log

Clearing debug log file

It is good practice to clear the log before enabling debug to capture traffic. Log files can be cleared
using the command:

debug dataplane packet-diag clear log log

Note:
1. For the PA-5000 series of firewall the command to view debug log is less dp0-log
pan_packet_diag.log
2. For the PA-200 use the command less mp-log pan_packet_diag.log

Debug log example

In this example, we capture packets for all FTP traffic from source 172.16.100.87 to destination
172.16.101.100

The workflow for enabling PCAP is as follows

© 2010 Palo Alto Networks Page 15

 1. Apply the packet filters for the source and destination
2. Enable the packet filter
3. Specify the log feature
4. Clear debug log file
5. Enable debug log
6. Initiate traffic between the hosts
7. Disable debug
8. Analyze the logs

debug dataplane packet-diag set filter match source 172.16.100.87

destination 172.16.101.100 destination-port 21 protocol 6
debug dataplane packet-diag set filter on
debug dataplane packet-diag set log feature flow basic
debug dataplane packet-diag clear log log
debug dataplane packet-diag set log on
- Initiate traffic
debug dataplane packet-diag set log off

admin@PA-4050> less dp-log pan_packet_diag.log

== Jun 21 19:14:39 ==
Packet received at np stage
Packet info: len 74 port 16 interface 16
wqe index 229308 packet 0x0x8000000416fdc0e6
Packet decoded dump:
L2: 00:14:c1:4b:d8:f9->00:1b:17:14:4f:10, type 0x0800
IP: 172.16.100.87->172.16.101.100, protocol 6
version 4, ihl 5, tos 0x00, len 60,
id 30220, frag_off 0x4000, ttl 64, checksum 41683
TCP: sport 33987, dport 21, seq 1819534672, ack 0,
reserved 0, offset 10, window 5840, checksum 27398,
flags 0x0002 ( SYN), urgent data 0
TCP option:
00000000: 02 04 05 b4 04 02 08 0a 3a 54 93 5c 00 00 00 00 ........
:T.\....
00000010: 01 03 03 07 ....

== Jun 21 19:14:39 ==
Packet received at ingress stage
Packet info: len 74 port 16 interface 16
wqe index 229308 packet 0x0x8000000416fdc0e6
Packet decoded dump:
L2: 00:14:c1:4b:d8:f9->00:1b:17:14:4f:10, type 0x0800
IP: 172.16.100.87->172.16.101.100, protocol 6
version 4, ihl 5, tos 0x00, len 60,
id 30220, frag_off 0x4000, ttl 64, checksum 41683
TCP: sport 33987, dport 21, seq 1819534672, ack 0,
reserved 0, offset 10, window 5840, checksum 27398,
flags 0x0002 ( SYN), urgent data 0
TCP option:
00000000: 02 04 05 b4 04 02 08 0a 3a 54 93 5c 00 00 00 00 ........

© 2010 Palo Alto Networks Page 16

:T.\....
00000010: 01 03 03 07 ....
Flow lookup
No active flow found, enqueue to create session

== Jun 21 19:14:39 ==

PAN-OS allows for searching specific keywords within the log by typing /<pattern>. These are case
sensitive. For example to see the route lookup in the above example you can type /Route

Summary
PAN-OS 3.1 offers restructured packet-related diagnosis facilities. The improvements with global
counters, filtering; debug logs and dataplane packet capture empowers firewall administrators to
troubleshoot issues with device or network.

© 2010 Palo Alto Networks Page 17

Appendix
Changes overview
From the functional requirements point of view, changes and enhancements affect CLI
hierarchy, improvements with global counters, filtering; debug logs and dataplane packet
capture.
More specifically, these enhancements addressed the following:
• Restructured CLI hierarchy
• Separation of data filtering and data collection
• More matching fields in packet filter configuration
o Non-IP, IPv6 and raw packets, i.e. packets not subject to firewalling
• Multiple packet capture points
• Aggregate logs to a single file
• Capture file size increased to 1GB from 20MB
• Capture options moved out of filter to packet capture setting
• Removed drop-filter configuration

CLI differences PANOS 3.0 to PANOS 3.1

PANOS 3.0 PANOS 3.1

debug dataplane <on debug | off> debug dataplane packet-diag set log <on | off>

debug dataplane set <module> <feature> debug dataplane packet-diag set log feature
<module> <feature>

debug dataplane mode <sync | no-sync> debug dataplane packet-diag set log log-option
aggregate-to-single-file <yes|no>

debug dataplane packet-diag set log log-option

throttle <yes | no>

debug dataplane get debug dataplane packet-diag show setting

debug dataplane unset debug dataplane packet-diag clear log feature

debug dataplane clear debug dataplane packet-diag clear log log

© 2010 Palo Alto Networks Page 18

debug dataplane filter <on|off|close>
debug dataplane filter set
debug dataplane drop-filter set
debug dataplane get
© 2010 Palo Alto Networks
debug dataplane packet-diag set capture <on |
off>
debug dataplane packet-diag set capture stage
firewall
debug dataplane packet-diag set capture stage
drop
debug dataplane packet-diag clear capture <all |
stage … | trigger …>
debug dataplane packet-diag set capture trigger
debug dataplane packet-diag show setting
Page 19