Documenti di Didattica
Documenti di Professioni
Documenti di Cultura
17378
Created On 02/07/19 23:51 PM - Last Updated 02/07/19 23:52 PM
Resolution
LET ME FIX THAT FOR YOU: FLOW BASIC—
In the previous episode, we leveraged debug filters to allow the Palo Alto Networks firewall to collect packet captures we
could use for troubleshooting. But sometimes, you may need to look deeper into what's going on inside the firewall.
Flow basic is the equivalent of a packet capture on every stage inside the firewall process, from receiving the packet to
making security decisions, applying NAT, App-ID and so on, which makes it a very powerful tool.
Wield this power with due care as the process can be CPU intensive if your filters are set up broadly or lots of traffic needs
to be captured.
Before you get started, make sure the dataplane is not overloaded:
core 0 1 2 3 4 5
avg max avg max avg max avg max avg max avg max
0 0 0 1 0 0 0 0 0 0 0 0
0 0 0 1 0 0 0 0 0 0 0 0
0 0 0 0 0 0 0 0 0 0 0 0
0 0 0 0 0 0 0 0 0 0 0 0
The first thing we need to do is set up filters. Last time I showed you how to do this from the GUI—this time, let's take a look
at the CLI:
First we're going to verify that nothing's been configured yet that could interfere with our new settings:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
Packet filter
Enabled: no
Match pre-parsed packet: no
--------------------------------------------------------------------------------
Logging
Enabled: no
Log-throttle: no
Sync-log-by-ticks: yes
Features:
Counters:
--------------------------------------------------------------------------------
Packet capture
Enabled: no
Snaplen: 0
--------------------------------------------------------------------------------
If anything's still configured, we can clear out all filters and previous flow basic logs using these commands:
We can now go ahead and create and enable the filters, making sure pre-parse is disabled. A second filter from the server
to the NAT IP on the external interface of the firewall will help capture returning packets before they are NAT'ed in the
'ingress stage.' More about that below:
> debug dataplane packet-diag set filter match source 192.168.0.34 destination
198.51.100.97 destination-port 80 protocol 6 non-ip exclude
> debug dataplane packet-diag set filter match source 198.51.100.97 destination
198.51.100.230 source-port 80 protocol 6 non-ip exclude
> debug dataplane packet-diag set filter on
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
Packet filter
Enabled: yes
--------------------------------------------------------------------------------
Logging
Enabled: no
Log-throttle: no
Sync-log-by-ticks: yes
Features:
Counters:
--------------------------------------------------------------------------------
Packet capture
Enabled: no
Snaplen: 0
--------------------------------------------------------------------------------
When you're ready to enable logging, you'll see there are several features you can enable. Each one sets a capturing
process on a specific engine or daemon that can help drill down even further. 'appid' can help troubleshoot why a certain
app may not be getting identified in a flow and 'ctd' can help troubleshoot vulnerability signatures, and so on:
For now, we'll start with the 'flow' feature, which relates to all the base-level operations like inspecting TCP handshake,
building sessions on the firewall, and performing NAT. In each feature, you can enable yet more subsections for even
greater detail, but we'll stick to the basic setting for now.
ager ager
all all
arp arp
basic basic
ha ha
log log
nd nd
np np
receive receive
track track
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
Packet filter
Enabled: yes
Logging
Enabled: no
Log-throttle: no
Sync-log-by-ticks: yes
Features:
flow : basic
Counters:
--------------------------------------------------------------------------------
Packet capture
Enabled: no
Snaplen: 0
--------------------------------------------------------------------------------
When you're ready to initiate traffic make sure any existing sessions have been terminated, then disable session offloading
to ensure all packets are captured even if the session would normally be offloaded into hardware and finally go ahead and
enable the logging feature.
No Active Sessions
If there are still active sessions you can clear them by using the clear session command:
> clear session all filter source 192.168.0.34 destination 198.51.100.97
You can now go ahead and start the session you want to capture, wait for it to gracefully end, then disable logging:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
51187 web-browsing ACTIVE FLOW NS 192.168.0.34[64969]/trust/6
(198.51.100.230[42882])
Session 51187
c2s flow:
dst: 198.51.100.97
proto: 6
s2c flow:
dst: 198.51.100.230
proto: 6
timeout : 15 sec
application : web-browsing
rule : web-out
nat-rule : outbound-nat(vsys1)
end-reason : tcp-rst-from-client
No Active Sessions
Each dataplane CPU will generate its own flow log, so depending on the amount of traffic, the type and amount of sessions,
there may be several files located on the dataplane. Each CPU that participated in the capture will have a pan_task_X.log
entry:
sysdagent.log
A nifty little tool is provided to aggregate these files into a single file:
packet-diag.log is aggregated
The final output file is then stored on the management plane as pan_packet_diag.log:
> less mp-log pan_packet_diag.log for vm and platforms with integrated dataplane
Let's take a look at the stages a packet goes through as it is seen in flow basic:
The packet is received on the ingress interface and checked to see if it matches an existing session. If not, it is sent to
'slowpath' for session creation.
Next, slowpath receives the packet. In slowpath, the packet is checked for source and destination zone based on routes or
PBF entries. The packet's also checked to see if security rules exist that allow this session, based on the 5 tuples (source
zone, source IP subnet, destination zone, destination IP subnet, destination port), and if NAT needs to be applied. If
everything checks out, a session is created.
TCP option:
The packet is forwarded to fastpath, NAT translation is applied, and the translated packet is sent out of the egress interface
to the next hop.
== 2016-02-10 14:53:09.978 -0800 ==
TCP option:
L3 mode, virtual-router 1
The returning SYN/ACK packet is received at the ingress stage and matched to the existing session, it is then forwarded to
the fastpath stage. Reverse NAT is applied and the packet is sent out of the internal interface back to the client:
TCP option:
TCP option:
L3 mode, virtual-router 1
The final ACK to complete the handshake is received, which triggers the session to be registered and the flow to be created
in the fastpath stage. No further route or NAT lookups will need to be performed by the firewall.
== 2016-02-10 14:53:09.979 -0800 ==
TCP option:
TCP option:
L3 mode, virtual-router 1
TCP option:
TCP option:
L3 mode, virtual-router 1
TCP option:
TCP option:
You can now use flow basic to follow the packets through the Palo Alto Networks firewall, to better understand all the stages
a packet goes through. Also take a look at this article that explains all this in greater detail: Packet Flow Sequence in
PANOS
When you feel comfortable, feel free to add additional features like 'appid' for more detail, but do keep an eye on the
dataplane resource-monitor to make sure the dataplane is not getting taxed.
I hope you found this article interesting. If you haven't already done so, please check out the other articles in the Getting
Started series.
Regards,
Tom