When troubleshooting traffic flows through the Palo Alto NGFW, it can be difficult to see what’s happening. Using the logs from the GUI can help.
An alternative is, to use the command line “show session all filter destination [IP]“. This shows you a filtered view of stateful sessions going through the firewall. It provides information like state, source/destination, translated IP/Port. An example is shown below. (Use the context sensitive help if you need more options)
admin@PA-FW> show session all filter destination 74.200.26.232 -------------------------------------------------------------------------------- ID Application State Type Flag Src[Sport]/Zone/Proto (translated IP[Port]) Vsys Dst[Dport]/Zone (translated IP[Port]) -------------------------------------------------------------------------------- 37167 web-browsing ACTIVE FLOW *NS 192.168.20.115[55927]/trust/6 (1.1.1.1[40416]) vsys1 74.200.26.232[443]/untrust (74.200.26.232[443])
Once you have the session ID (in the case above the session ID is 37167), use the command “show session id 37167” to drill down further into the information within that session.
admin@PA-FW> show session id 37167
Session 37167
c2s flow:
source: 192.168.20.115 [trust]
dst: 74.200.26.232
proto: 6
sport: 55927 dport: 443
state: ACTIVE type: FLOW
src user: test\robert
dst user: unknown
qos node: ethernet1/1, qos member Qid 0
match src interface: any
match src address: ('any ',)
s2c flow:
source: 74.200.26.232 [untrust]
dst: 1.1.1.1
proto: 6
sport: 443 dport: 40416
state: ACTIVE type: FLOW
src user: unknown
dst user: test\robert
start time : Fri Jan 26 10:03:53 2018
timeout : 60 sec
time to live : 48 sec
total byte count(c2s) : 1924
total byte count(s2c) : 5115
layer7 packet count(c2s) : 14
layer7 packet count(s2c) : 10
vsys : vsys1
application : web-browsing
rule : Rule 2
session to be logged at end : True
session in session ager : True
session synced from HA peer : False
address/port translation : source + destination
nat-rule : NAT-Outside(vsys1)
layer7 processing : completed
URL filtering enabled : True
URL category : Rule 2
session via syn-cookies : False
session terminated on host : False
session traverses tunnel : False
captive portal session : False
ingress interface : ethernet1/2
egress interface : ethernet1/1
session QoS rule : N/A (class 4)
tracker stage l7proc : proxy timer expired
As you can see above, the amount of information can be very helpful for troubleshooting. If you suspect a particular session is causing a problem, you can clear with the command “clear session ID 37167”
RH
all-things-networking 