Palo Alto Packet Capture

In: Firewall

Packet capture is very useful when troubleshooting network connectivity issues or monitoring suspicious activity.



A few things to consider

  1. Up to four packet capture filters can be added, with a variety of attributes.
  2. Packet captures are session/flow based, so a single filter is enough to capture both inbound and outbound traffic.

Packet Capture Stages

There are four stages:

  1. drop - where packets get discarded, for example when a security policy denies the traffic
  2. firewall - captures packets in the firewall stage.
  3. receive - captures packets as they ingress the firewall interface, before they enter the firewall engine (pre-NAT)
  4. transmit - captures packets as they egress the firewall engine (post-NAT)

Example 1 - Packet Capture without NAT

Initiate a ping from the CLIENT to the SERVER and capture both the ICMP echo request and the ICMP echo reply.

You can configure packet capture by going to Monitor > Packet Capture.

  • Packets 1 & 2 are ingressing the firewall
  • Packets 3 & 4 are egressing the firewall
  • Packets 1 & 3 are the same
  • Packets 2 & 4 are the same

Step 1 - Configure capture filters

The filters shown below capture both the echo request and the echo reply on both the receive and transmit stages. For this example, one stage (receive) is more than enough.

  • receive stage - packets 1 & 2 (shown in the example below)
  • transmit stage - packets 3 & 4

If you only configure filter Id 1, the receive stage will capture packet #1 and the transmit stage will capture packet #4. You will then need to merge both capture files to get the full picture.


Step 2 - Configure receive stage


Step 3 - Initiate some traffic and download the capture file

CLIENT> ping icmp_seq=1 timeout
84 bytes from icmp_seq=2 ttl=63 time=4.393 ms
84 bytes from icmp_seq=3 ttl=63 time=1.809 ms
84 bytes from icmp_seq=4 ttl=63 time=1.618 ms
84 bytes from icmp_seq=5 ttl=63 time=1.184 ms

As shown above, both the echo request and the echo reply are captured on the receive stage.

Example 2 - Packet Capture with NAT



I configured a SOURCE NAT policy which translates the source IP of the client to the publicly routable IP of the Palo Alto interface when going out to the Internet.


Let's initiate an SSH connection from the CLIENT to the SERVER. When the traffic leaves the firewall (post-NAT), the source IP of the SSH traffic will be

  • The receive stage has the client private IP to the server public IP (packet #1), and the return packet from the server public IP to the firewall external IP (packet #3), because the receive stage is pre-NAT.
  • The transmit stage has the firewall external IP (source NAT) to the server public IP (packet #2), and the return packet from the server public IP to the client private IP (packet #4).

Let's configure the firewall for packet capture.



You can use both the receive and transmit stage capture files for troubleshooting or NAT verification. You can change and tweak the capture filters to suit your needs.
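As an added example (this is not code from the original post or from Palo Alto), the Python script below does the two things this walkthrough relies on: it merges a receive stage capture with a transmit stage capture into one timeline (the "merge both capture files" step from Example 1) and pairs each pre-NAT packet with its post-NAT counterpart to show what source NAT did to the flow (Example 2). Everything in it is constructed for the example: the two pcap files are built inline, the client, firewall and server addresses (10.0.0.10, 203.0.113.1, 198.51.100.20) are placeholders, and pairing packets across stages by their IPv4 identification field is a simplifying assumption (source NAT rewrites addresses and ports, not the IP ID, but a busy host may reuse IDs). It reads classic little-endian pcap with an Ethernet link type and needs only the standard library.

```python
"""Merge Palo Alto receive/transmit stage captures and report source NAT translations.
Added example, not part of the original post; all addresses and captures are constructed."""
import socket
import struct
from dataclasses import dataclass

PCAP_MAGIC_LE = 0xA1B2C3D4   # classic pcap, little-endian
LINKTYPE_ETHERNET = 1

# Constructed placeholder addresses for the NAT walkthrough (not from the post).
CLIENT, FW_EXT, SERVER = '10.0.0.10', '203.0.113.1', '198.51.100.20'


@dataclass
class Packet:
    stage: str     # 'receive' (pre-NAT) or 'transmit' (post-NAT)
    ts: float
    ip_id: int
    proto: int
    src: str
    dst: str


def _build_pcap(records):
    """Build a little-endian pcap byte string from (ts_sec, ts_usec, frame) tuples."""
    hdr = struct.pack('<IHHiIII', PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    body = b''.join(struct.pack('<IIII', s, us, len(f), len(f)) + f for s, us, f in records)
    return hdr + body


def _build_frame(src, dst, proto, ip_id, payload):
    """Ethernet + minimal IPv4 header (checksum left 0; only addresses matter here) + payload."""
    eth = b'\x00\x11\x22\x33\x44\x55' + b'\x66\x77\x88\x99\xaa\xbb' + b'\x08\x00'
    ip = struct.pack('!BBHHHBBH4s4s', 0x45, 0, 20 + len(payload), ip_id, 0, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return eth + ip + payload


def parse_pcap(data, stage):
    """Return a Packet for every IPv4-over-Ethernet record in a pcap byte string."""
    magic, = struct.unpack_from('<I', data, 0)
    if magic != PCAP_MAGIC_LE:
        raise ValueError('only little-endian classic pcap is handled here')
    linktype, = struct.unpack_from('<I', data, 20)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError('expected Ethernet link type')
    off, out = 24, []
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from('<IIII', data, off)
        off += 16
        frame = data[off:off + incl_len]
        off += incl_len
        if len(frame) < 34 or frame[12:14] != b'\x08\x00':
            continue  # not IPv4 (e.g. ARP); skip it
        ip_id, = struct.unpack_from('!H', frame, 18)   # IPv4 identification field
        proto = frame[23]
        src = socket.inet_ntoa(frame[26:30])
        dst = socket.inet_ntoa(frame[30:34])
        out.append(Packet(stage, ts_sec + ts_usec / 1e6, ip_id, proto, src, dst))
    return out


def merge_stages(rx_pcap, tx_pcap):
    """Merge receive and transmit captures into one timeline ordered by timestamp."""
    pkts = parse_pcap(rx_pcap, 'receive') + parse_pcap(tx_pcap, 'transmit')
    return sorted(pkts, key=lambda p: p.ts)


def nat_translations(merged):
    """Pair each receive-stage packet with the transmit-stage packet carrying the same
    (IP ID, protocol) and return ((pre-NAT src, dst), (post-NAT src, dst)) tuples.
    Pairing by IP ID is a simplifying assumption; hosts may reuse IDs across flows."""
    pending, pairs = {}, []
    for p in merged:
        key = (p.ip_id, p.proto)
        if p.stage == 'receive':
            pending[key] = p
        elif key in pending:
            rx = pending.pop(key)
            pairs.append(((rx.src, rx.dst), (p.src, p.dst)))
    return pairs


def build_sample_captures():
    """Constructed receive/transmit captures for one SSH flow through source NAT (four packets)."""
    tcp = b'\x00' * 20   # TCP header contents are irrelevant to the NAT check
    rx = _build_pcap([
        (1, 0,    _build_frame(CLIENT, SERVER, 6, 0x1001, tcp)),   # #1 request, pre-NAT
        (1, 3000, _build_frame(SERVER, FW_EXT, 6, 0x2002, tcp)),   # #3 reply, before un-NAT
    ])
    tx = _build_pcap([
        (1, 100,  _build_frame(FW_EXT, SERVER, 6, 0x1001, tcp)),   # #2 request, post-NAT
        (1, 3100, _build_frame(SERVER, CLIENT, 6, 0x2002, tcp)),   # #4 reply, after un-NAT
    ])
    return rx, tx


def timeline(merged):
    """Human-readable merged timeline, one line per packet."""
    return [f'{i} {p.stage:8} {p.src} -> {p.dst}' for i, p in enumerate(merged, 1)]


if __name__ == '__main__':
    rx, tx = build_sample_captures()
    merged = merge_stages(rx, tx)
    print('\n'.join(timeline(merged)))
    for pre, post in nat_translations(merged):
        print(f'pre-NAT {pre[0]} -> {pre[1]}   post-NAT {post[0]} -> {post[1]}')
```

To use it on real files downloaded from Monitor > Packet Capture, read each stage's file with `open(path, 'rb').read()` and pass the bytes to `merge_stages`; the merged timeline is the "full picture" a single filter spread over two stages otherwise hides, and the pairs from `nat_translations` are a quick way to confirm that the translated source address is the firewall's external IP and nothing else.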



Thanks for reading.

As always, your feedback and comments are more than welcome.

Written by
Suresh Vinasiththamby
I'm very excited to start blogging and share with you insights about my favourite Networking, Cloud and Automation topics. Simple guy with simple taste and lots of love for Networking and Automation.