PaloAlto Networks Lecture 47: Packet Capture in Palo Alto Firewall

Captions
Packet capture. What does packet capture mean? Capture the packets, like in Wireshark. Wireshark is using pcap, so it will capture the packets and you can open them in Wireshark. Wireshark is an analyzer tool; you can use it to see many things about the traffic and details about anything. It is an analyzer tool; we can use it for many purposes.

So, packet capture: suppose you want to do troubleshooting. You have many other ways to do troubleshooting, but this is the end; maybe there is no other way to test it, so the last solution is to use a packet capture. Why are we not using packet capture most of the time? Because it's CPU intensive. It requires more CPU, it will degrade the firewall performance; it requires CPU and RAM to generate the packet capture and give you the output. That's why we are not using it in real life all the time. Just like in routers and switches we use the debug command, which we do not recommend using all the time, but when we have no other solution the end point is that we have to use the debug command. The same goes for packet capture. Anyway, it's there to use if you need it, and normally we can use it because sometimes we cannot analyze, we cannot troubleshoot things, so we use packet capture.

The packet capture can be from client to server and from server to client; it can be both, end to end. So you can check the packet capture; we use it for troubleshooting purposes.

But before we go there, there are many buttons you will see. The first one is Manage Filters. Manage Filters means if you want to customize your capture. By default, if you are not using Manage Filters, let me go there, it is better to show you from here. Let me go to Monitor; let me clear this one, you don't need it. There is Packet Capture. This one is Packet Capture, this one is Manage Filters. Manage Filters means if you leave it like this, it will capture every single bit of traffic, because you didn't mention that I need a specific source, specific destination, specific protocol, or a specific destination and source. So that's why this Manage Filters means: which thing do you want to capture? Tell me exactly the things. So you can use Manage Filters.

After that, this one is to enable the filter. With this filter you say: yes, I want to enable the filter. This one we are not using; this is for hardware-related issues, when you have hardware issues. Normally the, what is it called, customer service, we need the support team, the Palo Alto team; they normally can do it, but in real life we are not allowed to use this one. We don't need it. This is for hardware troubleshooting purposes, and hardware troubleshooting is not our job. So this is the filter. Then there is Configure Capturing, if you want to enable capture. It shows you that it degrades, but anyway we know this one.

So Manage Filters if you want to customize it, you want to enable the filter, and you want to enable the capture. Then after that, the stages: if you click OK it asks about four stages: drop, firewall, receive and transmit. What are these stages? Let's discuss them here.

The first one is drop. Drop simply means when the traffic is being dropped by a firewall policy or by the firewall. So this stage is called drop. The others are receive and transmit; I will make them clear. Let me tell you about firewall. Firewall means when any traffic has been inspected by your security policy. We create a security policy here, so if the security rule is dropping, is stopping something, this is called the firewall policy. And drop means maybe it is simply dropped; there can be many reasons. But this one is related to your security policy: this one maybe is blocked by this security policy. So this stage is called firewall, and drop is simply dropped for many reasons.

Now coming to receive and transmit. So this is my firewall. I configured a source NAT on this. This is my internal IP, 140.100; if I go to Network, 140.100 is my inside IP, written here as the inside IP. 122.100 is my outside IP. This interface, ethernet1/1, is outside and ethernet1/2 is inside. Here is an XP which I opened; it is my server, 140.60. This one, 140.60, is my inside system, and there is another XP, 122.150, which is the outside XP. This one which I just opened, this one is 122.60; by the way, I changed it, but anyway. Suppose this is a remote PC, or google.com, yahoo.com, facebook.com, and this is my internal server. For some reason I cannot reach here, but I want to troubleshoot, so I want to run the capture. But in the capture it says give us four stages.

So the one was the receive stage. Receive stage means the packet which is going from internal to the firewall, up to this IP; this is called the receive stage. And the packet which is coming from Google to our firewall is also the receive stage. So receive stage means, here, which they were asking about in Monitor and Packet Capture when they were asking for four stages: receive stage means the packet which is going from my inside XP and hitting the firewall is called the receive stage, and the packet which is coming from Google to my firewall is also the receive stage. So receive: any packet which is coming and hitting the firewall is called the receive stage, because the firewall is receiving the packet in both cases, from inside and from outside coming inside. So it's called the receive stage. Is the receive stage clear?

Now the transmit stage: the packet which is going from this interface to the inside, or from this outside interface to go outside, is called the transmit stage. So the packet which is going from ethernet1/1, which is my outside interface, 122.100, to 150, the google.com IP, is called the transmit stage, because the firewall is sending the traffic. When it's receiving, it's called the receive stage; when it is sending, it's called the transmit stage. And the same case applies to inside as well. So drop and firewall are clear to you, but these two are a bit confusing, so receive and transmit. So these are the four stages which they are asking for.

So now we know: Manage Filters, enable, this is related to support and hardware-related issues, enable the packet capture, add the four stages, which we will add by name: drop, firewall, receive and transmit. File name, if you want to give any name. Packet count: if you say no, stop the packet capture when the packet count reaches this limit; maybe you say, suppose, five; when the packets counted reach five, the packet capture will be stopped. Or you say, no, it will reach the bytes, suppose 600 bytes, 6,000 bytes; when the packet capture reaches 6,000 packet bytes, just stop the packet capture automatically. So either way you can give a packet count or a byte count. So the stages are clear.

After that there is Clear All Settings. Clear: suppose you enable this one, you enable everything, and later on you say I want to clear everything; just click on this one at the end and everything will go to default. Look at it: it's disabled. Clear All Settings will clear everything; it will go back to normal. Besides this, keep in mind we don't need to commit anything for packet capture. Packet capture doesn't require anything to commit; just enable it. It doesn't require it; look at it, the commit button is still grayed out, no pending. If I add something again it will do nothing. So packet capture does not require any commit button. This is the only thing which doesn't require any commit. So it's clear now.

Here are the captured files. When the packets have been captured, they will come automatically here, and then you can download them.

So let's get started. Let me disable everything; it was like this. So first things first, this is my topology. My inside XP IP is 140.60 and I have a troubleshooting issue with google.com. So what do I need to do? I need to add my packet capture properly. This is sequence number one. I don't want to capture everything; if you want, you can capture everything, just leave it like this one. But I need it properly: ingress interface. So what is my ingress interface? This one, this is the ingress interface here, so I choose ethernet1/2. Source IP: my source IP is this one, 140.60, so let me write down 192.168.140.60, which is my inside XP IP, this one, 140.60. Destination: where is my issue? To write down my destination: the outside XP, which is 122.60, but in the file I gave it 150, so you just say that this is 60. So let me make it bigger, and I say the destination is 192.168.122.60. Source port: because we don't know any source port. If you want any specific port like port 80 or 443 you can type it. So the source port is normally random; we don't know it. If you know it you can put it. But the destination port, normally we put it like a port; we have 65,535 ports, something. You know, you may know these, there are many ports. I don't know, these are the port number lists, IANA.

OK, not this one, because there are many things related to "port". So let me say "port number" [Music] hmm, because we call many things port number, so that's why many things are coming. So let me go, yes, it's OK this time. Yeah, I need to go to the IANA website. So yeah, this one: at 1023 we have registered ports, and onward we have unregistered ports, or we call them random ports and everything. There is like port 80, 443, DNS TCP, UDP, DNS, or Telnet, SSH; all these are called port numbers. But beside the port number I need to show you the protocol number as well, because there is a protocol number as well. Protocol number, which is up to 255. So let me go to the protocol number as well, because it will come up in another one. So here is the port number, starting from zero. Look, FTP is using 21, SSH 22, and up to 1023 are the registered ports, which are assigned to every application; we call them registered ports, known ports. 1023, let me go to 1023. I know you know this one; this is CCNA-level stuff, but at least from my side it should be clear to you, because I will write it there. OK, I think I crossed 1023. Let me go, what the hell. It should be written. Let me go from some other place which shows it properly. I just need to show you the registered ports; it's also there. Anyway, you know this one.

So we have registered ports, and also there is a protocol number. The protocol is different: from 0 to 255, these are the protocol numbers. 255, 255, and 0; 0 is, I think, reserved. 1 is for ICMP; this one, 1, is for ICMP. IPv4 is protocol number 4. And there is TCP, 16 I believe; where is it now? 16, no, 17 is UDP. And the other thing, 21 is something else. So, protocol numbers. These are protocol numbers; my main concern is this one, ICMP is 1. And these are the port numbers which I told you about. So now it is asking for the protocol number, so I say 1; 1 means ICMP. Destination port: because ICMP is a different protocol, non-IP... because this ICMP is a different one. So I say exclude IPv6; I don't need IPv6. So this was my first one, because I need something specific; as I told you, you can capture anything, but in my case I need a specific ping. So ping comes under ICMP, Internet Control Message Protocol, which is number 1.

Now the second thing: I need to add another one. So I say 2. This time my interface is ethernet1/1 and my source IP is this IP, the destination IP, 122.60, and my destination is 192.168.122.100. Let me explain. Let me put 1 here first. Exclude this one and exclude this one; I don't need IPv6. So basically I say my source is my internal XP, destination is the external XP. My source packet will come from external: this IP becomes the source and the destination is my firewall, this one. So basically I did one packet from here to here to test them, the other from here to here, because I cannot hit this IP directly; definitely there is a source NAT, so I will hit this public IP to properly investigate the packet. So I did from here to here and the other is from here to here. That's why I say this is 60, by the way, so don't be confused by this one. So I say 60 to 122.100 and the other is from 60 to this one. So I made them specific, but I told you it's up to you; you can delete, you can add.

This is my filter; it's ready. I pasted, exception: it doesn't match, interest family, no, I don't need IPv6. OK, sorry, I don't need to enable this one; I don't need it. So this is my Manage Filters; it's ready. Now I say I want to enable my filter; it's ready. Now I need to capture, so enable the capture and, yes, which I told you, it should be just a warning. These are the stages. So for the first stage I say show me the dropped packets and I give it the name "dp"; you can give it any name. I don't need a packet count. The second one is firewall; let me give it the name "fw"; it's up to you whatever name you want to give. The third one which I mentioned, receive, "rv", and the other is transmit, "tx". That's ready now. Nothing is required to commit. When I send the traffic which hits this rule, the Manage Filters, it will apply these four stages and will show me here. How? Let's see now.

So let me send the traffic from here. Ping: if I send any other traffic it will not hit, because I said only ICMP to 122.60. Four packets I sent to the destination which was there, so it hit the rule, but it's not showing, because you need to refresh. It means it doesn't hit them. Let me see: my 140, 122.60 and 122.62, 122.100. Yeah, it is correct. OK, so I don't need this one by the way, anyway, but it still has to hit this rule. So let me try again. Let me send again, maybe 122.60, and let me refresh. It means that we are not hitting this rule somehow. So let me see whether my external IP is this one or not. OK, sorry, I was sending from my external XP; I need to send from the internal XP, because both of our XP systems... so I was confused. So let me send from here. I was sending traffic to myself, that's why, because I am 122.60 and my system is 122.60.

Actually my inside XP is this one, so that's why: 122.60, and enter. Sorry, ping, I forgot; Packet Internet Groper. OK, now it will hit the rule. So I sent four packets; let's see. It's come up now, but only three are coming, because there is no drop. Yes, the drop will come if I stop this rule. There is an allow rule; I told you drop is related to this one. So if I set deny, OK, commit, OK. After applying this let's go to see the traffic. So it says that, yes, firewall is OK, receive and transmit. So let me download this one and open it in Wireshark. This is related to the packet which I sent from inside; look at it, from inside to outside, it's an echo reply, ping command, no response found. Everything is OK; there is no such issue. If you want to combine, you can download receive as well and you can merge as well: click on Merge and add it with the receive one. It's merged now; there are more packets and you can see if there is any issue, you can investigate the issue. But there is no such issue, because we know. Now there will be an issue. Let me delete this one; sorry, there is a Delete button. Now there will be drop as well, because now I drop the packets, meaning the policy is stopping them. So let me send the traffic from inside, the ICMP which is not going, and now if I refresh there will be drop. Look at it: drop and receive. You will say, why receive? Because I told you receive means from here to here; so the packet came from here to here, not from here to here. That's why I get one received packet, from this IP to this end, and they dropped one. That's why I don't have transmit as well. So if I check the drop one, there will be drop, because the policy is dropping them. So this is showing from 140 to 122.60; the packet is dropped, and it's yellow. It will show you many small things, because there is no such way, but it will show you why it's been dropped. You can find out many things from the packet, but this is the way to do packet capture.

OK, now I will clear this one here. Delete this capture and these things; you have to simply remove them from here. Click Clear All Settings and it will remove everything, and everything will become the default one. Now if you look, nothing is there. So this is the simple rule. Now I can do this from the command line as well. So let me go to the command line, sorry, SecureCRT. Let me show you quickly from the CLI as well. This is my firewall to access through SSH; come on, what is the IP, 122, 168, yeah, yeah, OK. So admin has come up quickly. OK, so now let me open this one; nothing is there, everything is the default one. Let's start from here. You can do the same job from the command line as well. So let me clear. The first thing is the debug command: debug dataplane, and packet-diag, something packet-diag. Here is packet-diag, and then the set command, and these are capture, filter, log and tag. So the first thing is Manage Filters, so I will say filter. The second one, filter: now say what you want to do with the filter. I say I want to enable the filter first, this one. So I say on; let me turn it on. If I refresh here, look, it is enabled automatically because I turned it on from here. OK, the first job is done. Now I need to manage the filter, so let me go to that command, and filter with a question mark: there is match, it's a new debug filter. So I say match; you know, I put the source and destination. So I will say source, what is the source IP, question mark, 192.168.140.60, the internal XP IP. Question mark, it's destination; what is the destination? So the destination is 192.

It's not showing properly; let me do it: 192.168.122.60, and I can add the protocol and port, which I did, but I don't want to go into detail, so I just press enter. I just need to show you: if I come here and see, there will automatically be, look at it, 140.60, and excluded, and done. I didn't mention many things, but you can mention them; because it's not showing, it becomes a lengthy command, so it will not show. That's why I just need to show you. Now I need to enable packet capture, so debug dataplane and come up to this point: set, question mark, there is another one, capture, the first one, and after capture there is on, and enter. Now I enabled packet capture, but it's not showing; just refresh it. Look, it is enabled from here; the thing we did from there, it's enabled from here. Now the stages: we gave it four stages, you remember. So the same stages you can give here: come here and question mark, there is stages; you know, there is a stage command. Just type stage, question mark, and there are those four: drop, firewall, receive and transmit. You remember these; we gave them our own names, yeah, so we will do it here as well. So let me choose the first one; let me make the screen bigger. Drop: so for drop it says give it any name, so file; let me give it "dp"; we gave it "dp", and pcap is the extension for this one. The second one is the drop, so this one becomes drop; firewall: firewall, let me give it "fw". The third one is stage receive, receive file "rv.pcap", and the other is transmit, transmit file name "tx.pcap". So these are the four stages. If I go here, it will be automatically added; refresh it, it will come here. Look at it: fw, rv, tx; we gave them these names from the command prompt. Now what I need to do: debug dataplane, it was packet-diag set, and capture, need to enable capture on. OK, so capture is enabled. Now I need to send the traffic from inside again, because the policy is blocking them anyway; we will see something. How to see: view-pcap, and follow yes,

filter something, filter, I don't know, yeah. So there are only two, because it's dropping. So how can we see rv.pcap? We will see the traffic now here; it will show after a while if there isn't anything. Or it is better to allow the policy so that we can see them, the packets of the ping command. So let me allow this policy. I was showing just the dropped packets, so that's why I disabled it. It has to show me there is nothing, and the receive one, so there it is saying, yeah, anyway, in this one, yes, it's come up now. OK, stay time; it is just showing me the packets 140 to 160, because I said show me now. So you can see the dp as well, and you can see receive; the other two are not there because the policy was blocked. So in this way you can see the firewall one, the dp one, whatever.

And the last thing: if you want to debug, if you want to set the filter off. The last one, let me turn them off, the things which I enabled one by one; now you can disable them from the command line as well. So I turn off this one; I need to turn off this packet capture as well. So let me go to, and just filter, capture off. So capture is disabled. If I check here it is enabled, yeah, just refresh, yeah, it's off now. And the same way, if I say, what else, I need to clear everything. So packet-diag clear is here, I believe, we have clear all; clear all is like this one, the one we used, this one, Clear All Settings. So if I refresh, look at it, everything is gone. But you have to delete these separately; this one is not under this one; this button will not clear these things, so you have to do it manually. There is a command as well, by the way. So that's it; that was the packet capture. If you need it you can use the command line and you can use the graphical interface. No need to press the commit button. There are four stages: drop, firewall, receive and transmit, and you can manage your filter to enable the filter, and you can filter specific traffic and capture those packets. If you don't know about the protocol and those things, you can enable it for every packet as well.
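The video's last step is to download the per-stage files (rv.pcap, tx.pcap, dp.pcap) and merge them in Wireshark to see which pings made it through the source NAT and which were stopped by policy. The following is an added example, not code from the video or from Palo Alto Networks: it reads two classic pcap files with only the Python standard library, matches ICMP echo requests seen at the receive stage against the transmit stage by identifier and sequence number (which NAT does not rewrite), and reports the post-NAT source address of forwarded pings and the sequence numbers that never left the firewall. The addresses are the lab's (inside XP 192.168.140.60, outside XP 192.168.122.60, firewall outside address 192.168.122.100); the frames themselves and the "seq 4 dropped" scenario are constructed sample data, and the reader assumes Ethernet-framed classic pcap, not pcapng.

```python
"""Correlate receive-stage and transmit-stage Palo Alto captures (added example)."""
import socket
import struct
from typing import Dict, List

PCAP_MAGIC = 0xA1B2C3D4       # classic little-endian pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
PROTO_ICMP = 1                # the IANA protocol number typed into the filter
ICMP_ECHO_REQUEST = 8

# Addresses from the lab in the video; the packets built below are constructed sample data.
INSIDE_HOST = "192.168.140.60"     # inside XP, ingress on ethernet1/2
OUTSIDE_HOST = "192.168.122.60"    # outside XP
FW_OUTSIDE = "192.168.122.100"     # ethernet1/1, used as the source-NAT address


def _checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum for the IPv4 and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp_echo(src: str, dst: str, icmp_type: int, ident: int, seq: int) -> bytes:
    """Ethernet + IPv4 + ICMP echo frame, the way a stage capture records it."""
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq) + b"abcdefghijklmnop"
    icmp = icmp[:2] + struct.pack("!H", _checksum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0x1234, 0, 64,
                     PROTO_ICMP, 0, socket.inet_aton(src), socket.inet_aton(dst))
    ip = ip[:10] + struct.pack("!H", _checksum(ip)) + ip[12:]
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip + icmp


def build_pcap(frames: List[bytes]) -> bytes:
    """Wrap frames in a pcap file header plus per-packet record headers."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for i, frame in enumerate(frames):
        out.append(struct.pack("<IIII", 1_600_000_000 + i, 0, len(frame), len(frame)))
        out.append(frame)
    return b"".join(out)


def parse_pcap(data: bytes) -> List[Dict]:
    """One record per IPv4 frame; ICMP frames also carry type, ident and seq."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("expected a little-endian classic pcap file (pcapng is not handled)")
    linktype, = struct.unpack_from("<I", data, 20)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("expected Ethernet link type")
    records, off = [], 24
    while off + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack_from("<IIII", data, off)
        frame = data[off + 16: off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
            continue                       # ARP, IPv6, truncated: skip
        ihl = (frame[14] & 0x0F) * 4       # IPv4 header length in bytes
        rec = {"src": socket.inet_ntoa(frame[26:30]),
               "dst": socket.inet_ntoa(frame[30:34]),
               "proto": frame[23]}
        if rec["proto"] == PROTO_ICMP and len(frame) >= 14 + ihl + 8:
            icmp_type, _, _, ident, seq = struct.unpack_from("!BBHHH", frame, 14 + ihl)
            rec.update(icmp_type=icmp_type, ident=ident, seq=seq)
        records.append(rec)
    return records


def correlate(receive_pcap: bytes, transmit_pcap: bytes, inside_host: str) -> Dict:
    """Match echo requests in the receive stage against the transmit stage.

    A request present in the receive capture but absent from the transmit
    capture never left the firewall (policy drop, no route, ...); one present
    in both shows the post-NAT source address the far end actually sees.
    """
    tx_index = {(r["ident"], r["seq"]): r for r in parse_pcap(transmit_pcap)
                if r.get("icmp_type") == ICMP_ECHO_REQUEST}
    forwarded, dropped = [], []
    for r in parse_pcap(receive_pcap):
        if r.get("icmp_type") != ICMP_ECHO_REQUEST or r["src"] != inside_host:
            continue
        tx = tx_index.get((r["ident"], r["seq"]))
        if tx is None:
            dropped.append(r["seq"])
        else:
            forwarded.append({"seq": r["seq"], "nat_src": tx["src"], "dst": tx["dst"]})
    return {"forwarded": forwarded, "dropped": dropped}


# Constructed scenario: four pings inside->outside reach the receive stage; the
# firewall source-NATs and forwards seq 1-3, while seq 4 is dropped by policy.
RV_PCAP = build_pcap([build_icmp_echo(INSIDE_HOST, OUTSIDE_HOST, ICMP_ECHO_REQUEST, 0x100, s)
                      for s in (1, 2, 3, 4)])
TX_PCAP = build_pcap([build_icmp_echo(FW_OUTSIDE, OUTSIDE_HOST, ICMP_ECHO_REQUEST, 0x100, s)
                      for s in (1, 2, 3)])

if __name__ == "__main__":
    print(correlate(RV_PCAP, TX_PCAP, INSIDE_HOST))
```

To use it on real stage files, read rv.pcap and tx.pcap from disk in binary mode and pass the bytes to correlate() with the inside host's address. Correlating on the ICMP identifier and sequence rather than on addresses is what makes the comparison survive the source NAT the video configures; a dropped sequence number is then worth looking up in dp.pcap and in the traffic log.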
Info
Channel: WE-Learns
Views: 175
Keywords: PaloAlto, Network Firewalls, Networks, Microsoft Office 365, M365, O365
Id: 01xuSn9RY0g
Length: 32min 24sec (1944 seconds)
Published: Wed Feb 10 2021