PAN-OS - Debug Flow
Setting up a data plane flow debug on a Palo Alto firewall requires a few steps.
Set up filters
debug dataplane packet-diag clear all
debug dataplane packet-diag clear log log
debug dataplane packet-diag clear filter-marked-session all
# What traffic do you want to debug? One way:
debug dataplane packet-diag set filter match source [source ip/mask] destination [destination ip/mask]
# Return traffic maybe too? Can be omitted.
debug dataplane packet-diag set filter match source [destination ip/mask] destination [source ip/mask]
debug dataplane packet-diag set log feature flow basic
debug dataplane packet-diag set filter on
debug dataplane packet-diag show setting
[optional] Set up packet capture
debug dataplane packet-diag set capture stage receive file rx.pcap
debug dataplane packet-diag set capture stage transmit file tx.pcap
debug dataplane packet-diag set capture stage firewall file fw.pcap
debug dataplane packet-diag set capture stage drop file drp.pcap
Preparations
show session all filter source [source ip/mask]
show session all filter source [destination ip/mask]
set session offload no
debug dataplane packet-diag set log feature flow basic
debug dataplane packet-diag set log on
[optional] Enable packet capture
debug dataplane packet-diag set capture on
Let’s go
show counter global filter delta yes packet-filter yes
show clock
show counter global filter delta yes packet-filter yes
show session all filter source [source ip/mask]
show session all filter source [destination ip/mask]
show session id [fill out session id number]
Clean up when you’re done
debug dataplane packet-diag set log off
debug dataplane packet-diag set filter off
debug dataplane packet-diag set capture off
set session offload yes
[optional, but don’t forget!] Disable packet capture
debug dataplane packet-diag set capture off
Gather a log bundle for analysis
debug dataplane packet-diag aggregate-logs
less dp-log pan_packet_diag.log
scp export log-file data-plane [remote-port <port> source-ip <firewall-source-ip>] to <username@host:path>