How to take Packet Captures on a Palo Alto Networks Firewall

Captions
Hey guys, welcome to MB Tech Talker. My name's Matt. In this video I'm going to show you how to take a packet capture on a Palo Alto Networks firewall so that you can analyze network traffic to help troubleshoot network problems. Most of you will know network administrators and security engineers use packet captures to perform tasks like: monitor network traffic and analyze traffic patterns; identify and troubleshoot network problems; automatically configure packet captures when a firewall detects a virus, spyware or vulnerability; help determine if an attack has been successful; or just to learn more about methods used by attackers. Packet captures will intercept packets flowing from a client to a server or a server to a client, depending on how you configure the capture filters. These captures are then saved to a pcap file, which can then be loaded into a tool like Wireshark to perform deeper analysis.

Okay, so I've logged into the firewall. What we're going to do is go to the Monitor tab and then to Packet Capture. This is the main area where you can manage the filters, add the capture stages and also download the capture files. Before you do any packet captures on a live production network, there are a few important facts you need to know. Packet captures are session-based, so a single filter is capable of capturing both client-to-server and server-to-client packets. Packets can be captured on the interface or the dataplane. The pre-parse match feature will capture everything before it is processed by the dataplane engines; this can be extremely useful where the dataplane engines may not be properly accepting inbound packets, but there is a warning with this: using the pre-parse match feature could seriously impact the firewall's performance and could degrade the network, as this will capture everything. If you're unsure, you can work with Palo Alto Networks' TAC teams, or at least, if possible, perform the packet capture when the network is the quietest. And finally, when you enable filtering, any new sessions that have been marked for filtering will be captured; however, existing traffic sessions in place may need to be restarted to ensure that they're captured correctly. I know there's a lot to take in here, but trust me, after you have a few captures under your belt it will become second nature.

Right, let's get stuck in. We'll start with the Configure Filtering area. This is where we can define custom filters to specifically match the packets we want to capture. The more granular you are with the filters, the easier it will be to find the information in the pcap, and it will also reduce the load on the firewall itself. Okay, so let's click on Manage Filters and, as you can see, there are several fields that can be populated to narrow down the scope of the packet capture. Most of them are pretty self-explanatory, but let's go through them one by one. ID: this is mandatory and needs to be 1, 2, 3 or 4 with no duplication. Ingress Interface: this can be set to capture packets on a particular interface. Source: this is the source IP of the packets being captured. Destination: again, the destination IP of the packets. Then Source Port and Destination Port. Then Protocol: this is for IP protocols, most commonly 1 for ICMP, 6 for TCP and 17 for UDP; you can check out all the assigned internet protocol numbers on the IANA website, I'll leave a link in the description. Then we've got Non-IP: this can be set to exclude, so that only IP protocol packets will be captured; include, to capture both IP and non-IP protocols; or only, to specifically filter on non-IP protocols. Examples of non-IP protocols are IPX, AppleTalk or NetBEUI. And then finally IPv6: this would need to be checked if you want to capture IPv6 packets.

Okay, so let's go through the lab scenario. I want to check that my Windows 10 client on IP address 10.3.3.10 is making a TCP port 80 connection to a Windows Server 2016 running an IIS web server on IP address 10.4.4.100, and I also want to see SSH connections on port 22 to a router on 192.168.21.254. So the first thing we need to do is configure the filters. Click on Manage Filters, then click Add, and we're going to use ID 1. The source is going to be the Windows 10 client, so that's 10.3.3.10; the destination is going to be the Windows server, which is 10.4.4.100; the destination port is going to be port 80 because that's web browsing; the protocol is going to be 6 because it's TCP; for Non-IP we're going to exclude; and we're not going to tick IPv6 this time. I'm going to add another ID, but this time it's going to be ID 3. I'll come back to why this is out of sync at the moment, but just stick with me. So this time it's going to be the client again, which is 10.3.3.10, and the destination is going to be the router, which is 192.168.21.254; the destination port is going to be the SSH port, which is port 22; again this is TCP; and then exclude, and again no IPv6. So with just these two filters defined, this should give me everything we need.

Like I said before, packet captures are session-aware, but let's say something causes the return traffic to mess up, maybe the source ports get changed or a sequence number is out of whack. We can mitigate this by having some sort of backup filters to mop up any struggling packets. So let me show you what I mean. What we're going to do now is create two more filters. This time we're going to click Add and we're going to do ID 2. We're going to do this in reverse, so I'm going to use the source as 10.4.4.100 and I'm going to have the destination as anything; I'm going to specify the source port this time as port 80; then the protocol is going to be 6; and then exclude. I'm going to add another one, and this is going to be ID 4, and this is for the SSH connection. So this time it's going to be the source address of 192.168..., the source port is going to be 22, the protocol is going to be 6, and again we're going to exclude and we're not going to tick IPv6. So I'm going to click OK on that, and when I go back into the filters now we can see, if we sort this, we have now got them all in order. So we've got four filters and we've got the traffic in both directions. This should aid us if some of the return traffic doesn't quite work out the way expected; at least we've got a filter in place that is going to capture the return traffic coming from, effectively, the server. So we can click OK on that. Always try and create filters as specific as possible. Never run filters matching entire subnets, as this may cause performance issues or, even worse, a service outage. Now we can turn the Filtering toggle on; the filters will be applied to any new sessions from this point onwards.

Okay, so I've SSHed into the firewall. Let's check and see if the filters are working by checking that the global counters are incremented when we generate traffic that matches the filters. We need to issue show counter global filter delta yes packet-filter yes and hit return. As you can see, we've got counters, so we've got traffic that is matching the filters, and if I issue that again, now the counter has gone to zero. The delta yes option indicates I want to view counters that have incremented since the last time I executed this command; the packet-filter yes option indicates I want to see only the global counters that match my filters. So if I open a browser and now go to the actual server, ws lab ad edl, this is where I've got some files hosted on the IIS server. If I issue that command again, you can see that going to that web page has generated traffic, which has then incremented the counters, and this is matching the filter.

Okay, so the next step is to configure the four stages. Let's click on the Add button at the bottom here. For each stage we will assign an output file. The first stage is going to be the drop stage; this is where packets get discarded. The global counters may help identify if the drop was due to a policy deny, a detected threat or something else. We're just going to call this drop.pcap and then click OK. Then we're going to do the receive stage and name it rx.pcap. The receive stage captures the packets as they ingress the firewall, before they go into the firewall engine; when NAT is configured, these packets will be pre-NAT. Click OK and then add the transmit stage, tx.pcap. This captures packets as they egress out of the firewall engine, so if NAT is configured these will be post-NAT. And then finally we've got the firewall stage; I'll just name that fw.pcap. This just captures packets in the firewall stage. Now we have all the stages defined, we can get ready to turn on the capture button, but before that let's go back to the CLI and clear the existing sessions which match our filters.

Okay, so I'm back on the firewall CLI. Let's issue show session all. This is going to give us all the active flows on the firewall with the corresponding session ID. If I wanted to clear a particular session, I would issue clear session id, find the ID of the session I want to clear, type it in here and press enter, and that session would be removed; then you would need to re-establish the connection. But because I'm in the lab environment, I'm going to clear all web-browsing sessions, so I'm going to do clear session all filter application web-browsing, and you can see it says sessions cleared. Then I'm going to enable the packet capture from the CLI; you can do this either in the web UI or the CLI. So I'm going to do debug dataplane packet-diag set capture on, and you get a little message to say packet capture is enabled.

Now what we can do is go to the browser and generate some traffic, so let's go back to the browser and generate that traffic again, and also we can open up a new SSH session and SSH to the router, which is 192.168.21.254. There's the login prompt; you can close that. Then if we do show session all, we should be able to see there's a web-browsing and an SSH session, and you can see the SSH is from 10.3.3.10 to 192.168.21.254, and we've also got web-browsing here, which is again from the 10.3.3.10 client going to 10.4.4.100 in the DC zone on port 80. Once you've captured all your traffic and you're happy that you've got everything you need, you need to make sure that you turn the capture off, so that's debug dataplane packet-diag set capture off, and you get a little message to say it's off or it's been disabled. Then we need to clean things up by unmarking all the sessions in the packet debug, so if we just do the up arrow and go back to the packet-diag command, what we're going to do is debug dataplane packet-diag clear filter-marked-session all. Now we should be able to go back to the web UI and take a look at the captures.

Okay, so we're back on the firewall web UI. Before you move on, I just want to say please make sure that you turn off the packet capture, as leaving it on could impact the CPU and cause performance problems to the network, so just come into the web UI and confirm that it is toggled to the off position. Okay, so here on the right you can see that we've got the capture files, and all that we need to do now is download these capture files so that we can bring them into Wireshark. I'm just going to click on the tx and the rx, and then I'm going to open up Wireshark and bring those files in by clicking on File and Open, going to your Downloads and finding the files, so tx, Open, and then File, Merge, click on rx, and Open. And there we have it, we have now got the captured files in Wireshark and they can be analyzed to your heart's content. I'm not going to go into all of the Wireshark capabilities; basically I'll leave this up to you. You can start looking through the Wireshark captures doing any troubleshooting you require, analyzing anything you need; there are plenty of videos on YouTube about Wireshark. So that's been a successful lab, I hope you've enjoyed it.

Okay guys, that's it for today's video, thanks for watching. Over the coming weeks I will be uploading more videos where I will be sharing more content about Palo Alto firewall features and technologies and how to configure them. If you like this video, I'm sure you know what to do by now, but just in case you don't, please hit that like button below and share with your friends, and be sure to hit that subscribe button and the bell to get notified every single time I post a new video. If you have any ideas or video content you want me to create, please put them in the comments below, as I would love to hear your feedback on any aspect of my channel. Please keep watching and I will see you in the next video. Thanks.
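As an added example (not code from the video or from Palo Alto Networks), the Python below models the four filters built in the lab: each blank Manage Filters field is treated as a wildcard, matching_ids reports which filter IDs a constructed packet would hit, and covers_both_directions checks the point made about the reverse "mop-up" filters, namely that a flow is caught whether or not its reply is recognised as part of the session. The Packet and CaptureFilter classes and the function names are assumptions of this example.

```python
"""Model of the four capture filters configured in the video (IDs 1 to 4).
Added example, not from the video or Palo Alto Networks: a blank filter
field is treated as a wildcard, as in Manage Filters, so a filter set can be
sanity-checked offline. Lab hosts/ports are the video's; packets are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional

ICMP, TCP, UDP = 1, 6, 17  # IANA protocol numbers mentioned in the video

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    sport: Optional[int] = None  # None for protocols without ports (ICMP)
    dport: Optional[int] = None

@dataclass(frozen=True)
class CaptureFilter:
    """One row in Monitor > Packet Capture > Manage Filters (None = blank)."""
    id: int
    src: Optional[str] = None
    dst: Optional[str] = None
    sport: Optional[int] = None
    dport: Optional[int] = None
    proto: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        pairs = ((self.src, p.src), (self.dst, p.dst), (self.sport, p.sport),
                 (self.dport, p.dport), (self.proto, p.proto))
        return all(want is None or want == got for want, got in pairs)

# IDs 1 and 3: client to server. IDs 2 and 4: the reverse "mop-up" filters
# (server as source, source port only) for return traffic, as in the video.
FILTERS = [
    CaptureFilter(1, src="10.3.3.10", dst="10.4.4.100", dport=80, proto=TCP),
    CaptureFilter(2, src="10.4.4.100", sport=80, proto=TCP),
    CaptureFilter(3, src="10.3.3.10", dst="192.168.21.254", dport=22, proto=TCP),
    CaptureFilter(4, src="192.168.21.254", sport=22, proto=TCP),
]

def matching_ids(p: Packet, filters=FILTERS) -> List[int]:
    """IDs of every filter the packet would hit (empty list = not captured)."""
    return [f.id for f in filters if f.matches(p)]

def covers_both_directions(request: Packet, filters=FILTERS) -> bool:
    """True when both the request and its mirrored reply would be captured."""
    reply = Packet(request.dst, request.src, request.proto, request.dport, request.sport)
    return bool(matching_ids(request, filters)) and bool(matching_ids(reply, filters))
```

Dropping FILTERS down to just ID 1 makes covers_both_directions return False for the web flow, which is exactly the gap the reverse filters close.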
Info
Channel: MB Tech Talker
Views: 670
Keywords: packet capture analysis using wireshark, palo alto networks, palo alto, packet capture, palo alto networks firewall
Id: Fj_GaWB3y1I
Length: 17min 50sec (1070 seconds)
Published: Sat Jun 19 2021