
How to Capture Traffic (PCAP) Hitting a Specific Rule in Palo Alto Networks

Introduction

Capturing packets (PCAP) for specific security rules is essential for troubleshooting and monitoring network traffic in Palo Alto Networks firewalls. This guide will walk you through the steps to enable packet capture for a specific rule using the CLI and WebGUI.

Enabling Packet Capture for a Specific Rule

To capture traffic hitting a specific rule, follow these steps:

1. Enable Packet Capture via CLI

Log in to the CLI of the Palo Alto firewall and run the following command:

> set application dump on rule <rule_name>

For example, if the rule name is allow_all, execute:

> set application dump on rule allow_all

2. Verify the Application Settings

Once enabled, confirm that the capture is active by checking the application dump status. The output should look similar to the following, with Application capture set to on:

Application cache            : yes
Supernode                    : yes
Heuristics                   : yes
Cache Threshold              : 16
Bypass when exceeds queue limit: yes
Unknown capture              : on
Max. unknown sessions        : 5000
Current unknown sessions     : 0
Application capture          : on
Max. application sessions    : 5000
Current application sessions : 0

3. Disable Automatic Capture of Unknown Traffic (Optional)

By default, the firewall captures traffic classified as "unknown" or "insufficient data." To disable this automatic capture temporarily (until the next reboot), run:

> set application dump-unknown no

To make this setting persistent across reboots, enter configuration mode and use the following commands:

> configure
# set deviceconfig setting application dump-unknown off
# commit

4. Download the Captured Traffic (PCAP) via WebGUI

After enabling packet capture, go to the WebGUI to retrieve the captured packets:

  1. Navigate to Monitor > Logs > Traffic.

  2. Find the relevant log entry.

  3. Click the green arrow next to the traffic log to download the PCAP file.

5. Disabling the Application Dump After Capturing PCAPs

Once you have retrieved the necessary PCAPs, disable the application dump using the following command:

> set application dump off
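As an added check, not part of the original article, the following Python snippet parses the application dump status output from step 2 and flags the conditions that matter before a capture is trusted: application capture not enabled (step 1), unknown-traffic capture still on (step 3), or the application session counter having reached its maximum. The sample input is the status block shown above; the reading of the session maximum as a capture cap is an assumption.

```python
# Status output as shown in step 2 of this article, used as sample input.
SAMPLE_STATUS = """\
Application cache            : yes
Supernode                    : yes
Heuristics                   : yes
Cache Threshold              : 16
Bypass when exceeds queue limit: yes
Unknown capture              : on
Max. unknown sessions        : 5000
Current unknown sessions     : 0
Application capture          : on
Max. application sessions    : 5000
Current application sessions : 0
"""


def parse_status(text):
    """Parse 'key : value' lines into a dict; purely numeric values become ints."""
    settings = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        # Split on the first colon only; some keys (e.g. 'Bypass when exceeds
        # queue limit') are not padded to the same column as the others.
        key, value = line.split(":", 1)
        value = value.strip()
        settings[key.strip()] = int(value) if value.isdigit() else value
    return settings


def check_capture(settings):
    """Return a list of findings to act on before relying on the rule capture."""
    findings = []
    if settings.get("Application capture") != "on":
        findings.append("application capture is off: run "
                        "'set application dump on rule <rule_name>'")
    if settings.get("Unknown capture") == "on":
        findings.append("unknown capture is on: expect extra PCAPs for unknown or "
                        "insufficient-data traffic (step 3 shows how to disable it)")
    current = settings.get("Current application sessions", 0)
    maximum = settings.get("Max. application sessions", 0)
    # Assumption: once the current count reaches the maximum, further sessions
    # are not captured, so the capture should be considered full.
    if maximum and current >= maximum:
        findings.append("application session maximum reached: the capture is full")
    return findings


if __name__ == "__main__":
    for finding in check_capture(parse_status(SAMPLE_STATUS)):
        print(finding)
```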

Conclusion

Capturing PCAPs for specific rules in Palo Alto firewalls is a valuable troubleshooting and analysis tool. By using the CLI and WebGUI, you can effectively capture, analyze, and resolve network issues while ensuring proper firewall performance.
