Palo Alto Firewall - Packet Capture [2024]

Captions
In this short video I'm gonna show you how to use the packet capture feature of the Palo Alto firewall in order to analyze the traffic going through the device. So now let's take a look at how the packet capture works at the firewall. I'm gonna show you the interfaces from the firewall first so you can understand my topology quickly. I have this ethernet1/2, which is my inside interface, and in this zone I have a Linux server with the IP address 10.0.1.11, and it's going through the firewall so we can reach the internet. So we're gonna make a couple of tests: I'm gonna make a test with a TCP protocol, which is HTTPS, then a UDP protocol, which is DNS, and with ping. So we're gonna capture these three traffic types and we're gonna analyze it using Wireshark.

So the first thing we need to do is to come to Monitor, and under Monitor you have Packet Capture. The packet capture looks like this: on top you have Configure Filtering; under Manage Filters you configure your filter, so it means you're going to enter which networks or which IP addresses you want to filter for your packet capturing. Under Configure Capturing you can configure which kind of traffic you want to capture. I'm going to show you an example: if you click on Add, the firewall has four what are called stages, so it has drop, firewall, receive and transmit. The drop stage is where the firewall puts all the dropped packets, the firewall stage is where the firewall puts all the packets that go through the firewall, the receive is what the firewall receives, and the transmit is what the firewall transmits. You have to enter a file name, packet count and byte count if you want, but I already configured all the four stages, which is probably what you're going to be doing whenever you use the packet capture. Another setting: you can clear all the settings that you did above. And on the right side, the captured files; it's empty now, but whenever we capture some traffic you're gonna see some files here being created. For example, if the firewall doesn't drop any packets you won't be seeing any drop.pcap on the right side, because the firewall is not going to be creating any packets for drop if it's not dropping any packets.

Let's go configure our filtering now. If you click on Manage Filters you're going to see that I already configured something: this is the IP address for my Linux client, and this on the right side is the IP address from netsums.com, and here is from Google. I'm gonna generate traffic, like I said, using three different protocols. One, I'm gonna send the ping to netsums.com, so it's gonna match this first one. I'm gonna send the wget from my Linux client to just download the main page from the website netsums.com, so it's going to match also my first filter. And then I'm gonna send the DNS request to the Google DNS 8.8.8.8, so it's gonna match the second filter. The packet capture is stateful, it means that you don't need to configure the IP addresses from the response. If you see that some packets are missing or you cannot see the whole traffic from beginning to the end, maybe you need to play around here, but in my case we're gonna just use this configuration; that should be enough. My recommendation for you would be to start like this, and if you see, okay, after analyzing in Wireshark there are some packets missing, for example, you can play around with this capture filter. I'm just gonna press OK. But one thing to remember is that this is stateful, so in order to turn on the filter you have to click here on this Off; it goes On like this. But I'm going to leave it on purpose on Off so I can show you something. If you come here and you try to turn on the packet capture without turning on the filter, you're going to see a message: packet captures are for troubleshooting only; this feature can cause the system performance to degrade. It consumes a lot of CPU from the firewall, the packet capture, depending on your filter. That's why here the firewall shows in bold: the packet capture without a filter will cause all traffic to be captured; this can cause the system performance to degrade drastically; do you want to continue? Usually you would press Cancel unless you're in your lab environment. I'm gonna press Cancel because I want to use my filter. I'm going to turn it on and then I'm gonna turn on my packet capture. You also receive a warning, but at least the bold stuff is not there anymore, so in this case I'm going to press OK. One more thing, guys: don't forget to turn off your packet capture if you're doing this in production, after you're done capturing the packets; this is very important. If I refresh here I shouldn't see anything on the right side, and now I'm gonna go to my Linux.

So now I'm at my Linux machine, and here I'm gonna enter three commands. First of all is going to be ping netsums.com, that's two pings. The other one is going to be dig @8.8.8.8 and I'm gonna ask for netsums.com; it's gonna come back with the IP address from netsums.com. And the third one is going to be wget https, so it downloaded the index.html from netsums.com. Now let's go back to the firewall.

So now at the firewall, if I refresh my page you can see here on the right side three files; you can see that the drop.pcap has not been created. I'm going to open this in Wireshark. This is what my file looks like: you can see here on top the two pings that I sent before, this is the IP address for my Linux client and this is the IP address from netsums.com, and here's the answer; second ping; the DNS query to 8.8.8.8 and here's the answer; and here is the query using HTTPS, this is the port 443 to netsums.com. Of course in this part you see a lot more packets because it's an HTTP request, and of course you have a lot more traffic being generated. So as you can see the rx.pcap has all the information that you need, but there's an "unless": unless you're using NAT for this communication at your firewall. If you're using NAT it's a little bit more complicated, but I'm gonna show you how you can do it. So now I'm going to activate NAT on my firewall and then we can try the same again.

So now I'm back at my firewall, and if we go to Policies I already did NAT; you can see that there's a NAT rule configured. Now it's in yellow because I configure my firewall using Panorama, but you don't need to worry about it; Panorama is the management appliance from Palo Alto. But the important thing is to take a look here: the source address is going to be 10.0.1.11, this is my Linux client. If there is a match to the destination address, which is 8.8.8.8 or netsums.com, the firewall is gonna make a source NAT, it means that it's going to take this address here and substitute it with this one here, that we can see whenever it goes to the internet. So this is active now. So now we need to activate our packet capture again, so Monitor, Packet Capture is already there, and we're going to delete these files, Delete, I'm going to start fresh now. Since we're doing that I would suggest you to do something else: on Policies, on the NAT configuration, I can see, I'm gonna copy this NAT IP address if I can, yeah I can, here. And then now under Monitor, Packet Capture, I want to manage my filter and I want to insert a new filter, and I'm going to say the source, I want the source also to be from my NAT IP address. You can repeat the destination if you want, I'm just going to leave it like this, and then, maybe exclude it, press OK. So now after managing my filter I need to turn on the packet capture, press OK, and I need to go to my Linux client to generate the traffic. I'm at my Linux client; I'm gonna send ping to netsums.com, two pings, dig and wget. OK, now I'm gonna go back to my firewall, I'm gonna refresh the page and I have again the fw, rx and tx, but I'm gonna do something different now: I'm going to download my rx and also my tx. Now I'm going to open my rx in Wireshark. So this is my rx.pcap, and here I have the IP address from my Linux client and the IP address from netsums.com, fine, and I have the IP address from netsums.com but the translated IP address, and here starts the second thing again, so there is some information missing.

And for that you can come to File > Merge and find your tx.pcap, and if you merge both of them you have now your original IP, your target, your translated IP and your target, and then as an answer you have your target, your translated IP, and then your target and then your original IP. So this is one session, these four, with all the information that you need, and you have also the other four, which is the second ping, and here you have also, for the DNS query, the same thing, and it keeps going, and here starting from this line you have my wget. So this is how I would suggest you to do it: you open your receive file, come to File > Merge and merge with your transmit file, and at the filter you enter also at the source the IP address from your NAT. So guys, thank you very much for watching the video until the end. I was planning on making a little bit shorter video; in the end it's above 10 minutes, but it's okay. I hope you got some value from the video. You can hit the like button if you liked the video, you can also subscribe to the channel if you want, and I'll see you in the next one. Take care.
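The rx/tx merge and the four-packet session view that the video reconstructs by hand in Wireshark, as an added Python example that is not part of the video and not a Palo Alto tool: it parses the two stage files (libpcap format, Ethernet link type, which is how the firewall exports them), interleaves them by timestamp the way File > Merge does, and groups packets into sessions keyed by the remote endpoint, which source NAT never rewrites. The client's two addresses (the real one and the NAT one, the same pair the video ends up putting in the capture filter) are passed in, because after translation neither address alone identifies the session. 10.0.1.11 and 8.8.8.8 come from the video; 203.0.113.5, 198.51.100.7, the ports, the timestamps and the two tiny pcaps built inline are constructed placeholders, not captured data.

```python
import struct
from dataclasses import dataclass

PCAP_MAGIC = 0xA1B2C3D4          # classic libpcap, microsecond timestamps
LINKTYPE_ETHERNET = 1

# Constructed addresses: 10.0.1.11 and 8.8.8.8 appear in the video; 203.0.113.5 (NAT address)
# and 198.51.100.7 (standing in for the web server) are documentation-range placeholders.
ORIGINAL_IP, NAT_IP, WEB_IP, DNS_IP = "10.0.1.11", "203.0.113.5", "198.51.100.7", "8.8.8.8"
CLIENT_IPS = {ORIGINAL_IP, NAT_IP}   # what goes into the capture filter as source addresses

@dataclass
class Pkt:
    ts_us: int      # timestamp in microseconds since the epoch
    stage: str      # capture file it came from: "rx" (before NAT) or "tx" (after NAT)
    src: str
    dst: str
    proto: int      # 1 = ICMP, 6 = TCP, 17 = UDP
    sport: int      # for ICMP echo both "ports" carry the sequence number, which
    dport: int      # source NAT leaves alone (unlike the ICMP identifier or a TCP/UDP source port)

def parse_pcap(data: bytes, stage: str) -> list:
    """Decode an Ethernet/IPv4 libpcap file into Pkt records; other frames are skipped."""
    magic, _, _, _, _, _, linktype = struct.unpack_from("<IHHiIII", data, 0)
    if magic != PCAP_MAGIC or linktype != LINKTYPE_ETHERNET:
        raise ValueError("expected a little-endian Ethernet pcap with microsecond timestamps")
    pkts, off = [], 24
    while off + 16 <= len(data):
        sec, usec, incl_len, _ = struct.unpack_from("<IIII", data, off)
        frame = data[off + 16: off + 16 + incl_len]
        off += 16 + incl_len
        if struct.unpack_from("!H", frame, 12)[0] != 0x0800:     # EtherType: IPv4 only
            continue
        ip = frame[14:]
        ihl, proto = (ip[0] & 0x0F) * 4, ip[9]
        src, dst = ".".join(map(str, ip[12:16])), ".".join(map(str, ip[16:20]))
        l4 = ip[ihl:]
        if proto == 1:
            sport = dport = struct.unpack_from("!H", l4, 6)[0]   # ICMP echo sequence number
        elif proto in (6, 17):
            sport, dport = struct.unpack_from("!HH", l4, 0)
        else:
            continue
        pkts.append(Pkt(sec * 1_000_000 + usec, stage, src, dst, proto, sport, dport))
    return pkts

def merge_captures(rx: bytes, tx: bytes) -> list:
    """Wireshark's File > Merge in code: interleave both stages by timestamp, rx first on ties."""
    return sorted(parse_pcap(rx, "rx") + parse_pcap(tx, "tx"), key=lambda p: (p.ts_us, p.stage))

def reconstruct_sessions(rx: bytes, tx: bytes, client_ips: set) -> dict:
    """Group merged packets by (proto, remote ip, remote port/seq) and recover both client addresses."""
    sessions = {}
    for p in merge_captures(rx, tx):
        if p.src in client_ips:
            direction, remote, rport = "out", p.dst, p.dport
        elif p.dst in client_ips:
            direction, remote, rport = "in", p.src, p.sport
        else:
            continue                                   # not the client's traffic at all
        s = sessions.setdefault((p.proto, remote, rport),
                                {"target": remote, "original": None, "translated": None, "packets": []})
        if direction == "out":                         # rx is pre-NAT, tx is post-NAT: the two
            s["original" if p.stage == "rx" else "translated"] = p.src   # outbound copies give both
        s["packets"].append((p.stage, direction, p.src, p.dst))
    return sessions

# --- constructed sample captures (helpers build Ethernet/IPv4 frames with zeroed checksums) ---
def _frame(ts_us, src, dst, proto, l4):
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    pkt = eth + ip + l4
    sec, usec = divmod(ts_us, 1_000_000)
    return struct.pack("<IIII", sec, usec, len(pkt), len(pkt)) + pkt

def build_pcap(frames) -> bytes:
    return struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET) + b"".join(frames)

def echo(kind, seq):                 # ICMP echo request (8) / reply (0), id 0x1234, checksum 0
    return struct.pack("!BBHHH", kind, 0, 0, 0x1234, seq)

def udp(sport, dport, payload=b"dns-query"):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

T = 1_700_000_000_000_000            # constructed base timestamp (microseconds)
RX_PCAP = build_pcap([
    _frame(T + 100, ORIGINAL_IP, WEB_IP, 1, echo(8, 1)),       # ping leaves the client, pre-NAT
    _frame(T + 150, WEB_IP, NAT_IP, 1, echo(0, 1)),            # reply comes back to the NAT address
    _frame(T + 200, ORIGINAL_IP, DNS_IP, 17, udp(40001, 53)),
    _frame(T + 260, DNS_IP, NAT_IP, 17, udp(53, 60203)),
])
TX_PCAP = build_pcap([
    _frame(T + 101, NAT_IP, WEB_IP, 1, echo(8, 1)),            # same ping after source NAT
    _frame(T + 151, WEB_IP, ORIGINAL_IP, 1, echo(0, 1)),       # reply after reverse translation
    _frame(T + 201, NAT_IP, DNS_IP, 17, udp(60203, 53)),       # dynamic IP-and-port NAT rewrote the port too
    _frame(T + 261, DNS_IP, ORIGINAL_IP, 17, udp(53, 40001)),
])

if __name__ == "__main__":
    for key, s in reconstruct_sessions(RX_PCAP, TX_PCAP, CLIENT_IPS).items():
        print(f"session {key}: original={s['original']} translated={s['translated']} target={s['target']}")
        for stage, direction, src, dst in s["packets"]:
            print(f"  [{stage}] {direction:3} {src} -> {dst}")
```

Run it as-is to see the two sessions printed in the order the video describes (original to target, translated to target, target to translated, target to original); to use it on real exports, replace `RX_PCAP`/`TX_PCAP` with the bytes of the downloaded rx.pcap and tx.pcap and put the client's real and NAT addresses in `CLIENT_IPS`. The session key deliberately uses the remote side's address and port (or the ICMP sequence number) because those are the fields a source NAT does not touch; keying on the client's source port would split each session into a pre-NAT and a post-NAT half.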
Info
Channel: NETSums
Views: 2,551
Id: AqGBm_LEcss
Length: 10min 47sec (647 seconds)
Published: Wed Sep 06 2023