
Sunday, December 20, 2020

Packet Capture on PAN-OS

When you need to troubleshoot an issue on the firewall, you will end up taking a packet capture if the other checks did not solve it first.

To perform a packet capture on PAN-OS:
- define the filter
The filter describes the traffic you want to capture. Its purpose is to focus the capture on the relevant packets and to save resources on the firewall.
- define the capture stage
The firewall captures packets at different stages: receive - transmit - firewall - drop

The WebUI access is enough to define those 2 steps for most cases.

You will need the CLI in the following cases:
- the firewall has hardware offloading
The traffic hits the dataplane CPU only at session setup and is then offloaded. Doing a capture with traffic offload enabled gives the impression of lost packets (packets are missing from the capture).
In this case, you need to disable the offloading so that all the packets are captured:
set session offload no
- you want to use a subnet as a filter
It is not possible to define a subnet in the WebUI.
In the CLI, the keywords source-netmask and destination-netmask are available for the filter definition.
For instance, the command below sets a filter matching TCP traffic from 1.1.1.0/24:
debug dataplane packet-diag set filter match source 1.1.1.0 source-netmask 255.255.255.0 protocol 6

- you want to see the captured packets in real time
This is useful to check that the configured filter is matching some traffic:
view-pcap follow yes

- you wish to capture specific packets only.

For reference, the protocol codes can be found in the protocol numbers list on the IANA website.
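Because the WebUI cannot express a subnet and the CLI wants a dotted netmask plus a numeric protocol, the small helper below builds the subnet filter command shown above from CIDR notation and an IANA protocol name. It is an added example, not part of the original post or a Palo Alto Networks tool; the protocol table is a short excerpt assumed from the IANA registry, and the command string format follows the debug dataplane packet-diag line above.

```python
import ipaddress

# Short excerpt of the IANA protocol-numbers registry (assumed lookup table).
IANA_PROTOCOLS = {"icmp": 1, "tcp": 6, "udp": 17}

COMMAND_PREFIX = "debug dataplane packet-diag set filter match"


def build_filter(source=None, destination=None, protocol=None):
    """Return the PAN-OS CLI command that sets a packet-diag filter.

    source/destination are hosts or CIDR strings (e.g. "1.1.1.0/24");
    protocol is an IANA name or number. The source-netmask /
    destination-netmask keywords are emitted only for real subnets.
    """
    parts = [COMMAND_PREFIX]
    for keyword, value in (("source", source), ("destination", destination)):
        if value is None:
            continue
        net = ipaddress.ip_network(value, strict=False)
        # Refuse host bits set inside the prefix: the filter would silently
        # match the containing network rather than what the operator typed.
        if str(net.network_address) != value.split("/")[0]:
            raise ValueError(
                f"{value} is not a network address; "
                f"use {net.network_address}/{net.prefixlen}"
            )
        parts.append(f"{keyword} {net.network_address}")
        if net.prefixlen < net.max_prefixlen:
            parts.append(f"{keyword}-netmask {net.netmask}")
    if protocol is not None:
        number = IANA_PROTOCOLS.get(str(protocol).lower(), protocol)
        if not str(number).isdigit() or not 0 <= int(number) <= 255:
            raise ValueError(f"unknown protocol {protocol!r}")
        parts.append(f"protocol {int(number)}")
    # An empty match clause captures everything, which defeats the purpose
    # of the filter (focus on relevant packets, spare dataplane resources).
    if len(parts) == 1:
        raise ValueError("filter would match all traffic; give a criterion")
    return " ".join(parts)


if __name__ == "__main__":
    print(build_filter(source="1.1.1.0/24", protocol="tcp"))
```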
