For the sake of simplicity, I’m only using IP addresses in the filters, not ports. The screenshots are from Wireshark version 3.6.5. Furthermore, I definitely want to use a filter to limit the amount of captured packets. Wireshark should be able to correlate the incoming/outgoing packets into a single TCP stream. (Yes, I’m aware of all disadvantages of not using a real TAP and a real capture device.) In the end, I want a single pcap which shows all relevant packets for a client-server connection, even if NAT is in place. I’m simply using the Palo as a capturing device here, similar to a SPAN port on a switch. I am using the packet capture feature very often for scenarios in which the IP connections are in fact working (hence no problems at the tx/rx level nor on the security policy/profile) but where I want to verify certain details of the connection itself. While you might be familiar with the four stages that the Palo can capture (firewall, drop, transmit, receive), it’s sometimes hard to set the correct filter – especially when it comes to NAT scenarios. It enables you to capture packets as they traverse the firewall. Palo Alto firewalls have a nice packet capture feature.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |