PALO-ALTO - Traffic Base Filters

From Wiki.IT-Arts.net


Some basic traffic log filters for debugging on Palo Alto firewalls...

Quick Example

((addr.src in 10.200.101.11) and (addr.dst in 10.200.197.201)) or ((addr.src in 10.200.197.201) and (addr.dst in 10.200.101.11))


From Host a.a.a.a to Host b.b.b.b

Shows all traffic coming from a host with source address a.a.a.a and going to a host with destination address b.b.b.b:

(addr.src in a.a.a.a) and (addr.dst in b.b.b.b)


To Host Range

Note that you cannot specify an arbitrary address range, but you can use CIDR notation to match a whole network block:

(addr.src in a.a.a.a/CIDR)
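The two building blocks above (a one-way host pair, and CIDR blocks instead of ranges) are easy to get wrong by hand, so here is an added Python helper that is not part of the original page or of any Palo Alto tool. It composes the page's filter strings, reproduces the Quick Example from two addresses, validates CIDR input with the standard library, and goes one step further than the page: it takes a first..last address range and covers it with the minimal set of CIDR blocks ORed together, since the log filter itself accepts no ranges. Function names are my own.

```python
import ipaddress

# Added helpers for composing PAN-OS traffic log filter strings (not Palo Alto code).
# The filter keywords (addr.src, addr.dst, in, and, or) are the ones used on the page.


def host_filter(src, dst):
    """'From Host a.a.a.a to Host b.b.b.b' for one direction only."""
    return f"(addr.src in {src}) and (addr.dst in {dst})"


def bidirectional_host_filter(a, b):
    """The Quick Example: both directions of a conversation between two hosts."""
    return f"({host_filter(a, b)}) or ({host_filter(b, a)})"


def _cidr_term(field, net):
    # A single host is written as a bare address; a block keeps its prefix length.
    if net.prefixlen == net.max_prefixlen:
        return f"({field} in {net.network_address})"
    return f"({field} in {net.with_prefixlen})"


def network_filter(field, cidr):
    """Build e.g. (addr.src in 192.168.0.0/24); strict=True rejects a CIDR whose
    host bits are not zero (192.168.0.5/24), which is almost always a typo."""
    return _cidr_term(field, ipaddress.ip_network(cidr, strict=True))


def range_filter(field, first, last):
    """The log filter accepts no first..last ranges, so cover the range with the
    smallest set of aligned CIDR blocks and OR the terms together."""
    blocks = ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last)
    )
    return " or ".join(_cidr_term(field, net) for net in blocks)


if __name__ == "__main__":
    print(bidirectional_host_filter("10.200.101.11", "10.200.197.201"))
    print(network_filter("addr.src", "192.168.0.0/24"))
    # 10.200.101.11..20 needs four blocks: .11, .12/30, .16/30, .20
    print(range_filter("addr.src", "10.200.101.11", "10.200.101.20"))
```

The range helper shows why the page advises CIDR: a range of ten addresses that starts on an odd address already needs four separate blocks, so a hand-written filter for it is easy to get wrong.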


From Zone PROTECT to Zone OUTSIDE

(zone.src eq PROTECT) and (zone.dst eq OUTSIDE)


From Port aa TO Port bb

(port.src eq aa) and (port.dst eq bb)


Date-Time Range

All Traffic Received Between The Date-Time Range Of yyyy/mm/dd hh:mm:ss and YYYY/MM/DD HH:MM:SS

(receive_time geq 'yyyy/mm/dd hh:mm:ss') and (receive_time leq 'YYYY/MM/DD HH:MM:SS')


On Interface

All Traffic Outbound On Interface ethernet1/x:

(interface.dst eq 'ethernet1/x')


Allowed/Denied Traffic Filter Examples

All Traffic That Has Been Allowed By The Firewall Rules:

(action eq allow)
OR
(action neq deny)

Note that the two forms are not equivalent: the action field also carries values such as drop and reset-both, which (action neq deny) still matches, so use (action eq allow) when you really want only allowed sessions.


Additional Information

  • A good practice when drilling down into the traffic log, when the search starts with little or no information, is to begin with the least specific filter and then add filters to make it more specific.
  • When troubleshooting, instead of directly filtering for a specific app, try filtering for all apps except the ones you know you don't need, for example '(app neq dns) and (app neq ssh)'.
  • You can also exclude protocols you don't need, e.g. (proto neq udp), or IP ranges, e.g. (addr.src notin 192.168.0.0/24).
  • This practice helps you drill down to the traffic of interest without losing the overview by searching too narrowly from the start.
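To make the drill-down idea and the allow-versus-not-deny distinction concrete, here is an added example, written for this page and not part of the original or of any Palo Alto software: a small parser and evaluator for the filter syntax used above, run over a handful of constructed log rows. The rows and their field values are invented for the demonstration, and the evaluator assumes that 'and' binds tighter than 'or' where parentheses are omitted (the page's own filters parenthesise every term, so this only matters for sloppy input).

```python
import ipaddress
import re

# Constructed sample traffic-log rows (not real firewall output). Keys follow the
# filter keywords used on the page so the same filter strings can be applied.
SAMPLE_LOGS = [
    {"addr.src": "10.200.101.11", "addr.dst": "10.200.197.201", "port.dst": "443",
     "app": "ssl", "proto": "tcp", "action": "allow", "receive_time": "2024/05/01 10:00:00"},
    {"addr.src": "10.200.197.201", "addr.dst": "10.200.101.11", "port.dst": "22",
     "app": "ssh", "proto": "tcp", "action": "allow", "receive_time": "2024/05/01 10:05:00"},
    {"addr.src": "192.168.0.5", "addr.dst": "8.8.8.8", "port.dst": "53",
     "app": "dns", "proto": "udp", "action": "allow", "receive_time": "2024/05/01 10:10:00"},
    {"addr.src": "10.200.101.12", "addr.dst": "203.0.113.9", "port.dst": "445",
     "app": "ms-ds-smb", "proto": "tcp", "action": "deny", "receive_time": "2024/05/01 11:00:00"},
    {"addr.src": "10.200.101.13", "addr.dst": "203.0.113.9", "port.dst": "3389",
     "app": "ms-rdp", "proto": "tcp", "action": "drop", "receive_time": "2024/05/01 11:30:00"},
    {"addr.src": "10.200.101.14", "addr.dst": "203.0.113.9", "port.dst": "23",
     "app": "telnet", "proto": "tcp", "action": "reset-both", "receive_time": "2024/05/01 12:00:00"},
]

# Quoted values ('ethernet1/x', 'yyyy/mm/dd hh:mm:ss') stay one token; parentheses
# are their own tokens and are excluded from bare words.
TOKEN = re.compile(r"'[^']*'|\(|\)|[^\s()']+")


def parse(text):
    """Parse a filter into a nested tuple: ('and', l, r), ('or', l, r) or ('term', field, op, value)."""
    tokens = TOKEN.findall(text)
    pos = 0

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def take():
        nonlocal pos
        pos += 1
        return tokens[pos - 1]

    def primary():
        if peek() == "(":
            take()
            node = expr()
            if take() != ")":
                raise ValueError("expected ')'")
            return node
        field, op, value = take(), take(), take()
        return ("term", field, op, value.strip("'"))

    def and_expr():
        node = primary()
        while peek() == "and":
            take()
            node = ("and", node, primary())
        return node

    def expr():  # assumption: 'and' binds tighter than 'or'
        node = and_expr()
        while peek() == "or":
            take()
            node = ("or", node, and_expr())
        return node

    node = expr()
    if pos != len(tokens):
        raise ValueError(f"unexpected token {peek()!r}")
    return node


def _match_term(record, field, op, value):
    actual = record.get(field)
    if actual is None:
        return False
    if op in ("in", "notin"):  # bare address becomes a /32 via strict=False
        hit = ipaddress.ip_address(actual) in ipaddress.ip_network(value, strict=False)
        return hit if op == "in" else not hit
    if op in ("eq", "neq"):
        return (actual == value) if op == "eq" else (actual != value)
    if op in ("geq", "leq"):
        try:  # ports compare numerically; zero-padded timestamps compare fine as strings
            a, b = int(actual), int(value)
        except ValueError:
            a, b = actual, value
        return a >= b if op == "geq" else a <= b
    raise ValueError(f"unsupported operator {op!r}")


def evaluate(node, record):
    if node[0] == "term":
        return _match_term(record, *node[1:])
    left, right = evaluate(node[1], record), evaluate(node[2], record)
    return (left and right) if node[0] == "and" else (left or right)


def apply_filter(text, records=SAMPLE_LOGS):
    """Return the rows matching a filter string."""
    node = parse(text)
    return [r for r in records if evaluate(node, r)]


if __name__ == "__main__":
    for f in ["(action eq allow)", "(action neq deny)",
              "(app neq dns) and (app neq ssh) and (addr.src notin 192.168.0.0/24)"]:
        print(f"{len(apply_filter(f))} rows match {f}")
```

On the sample rows, (action eq allow) matches three sessions while (action neq deny) matches five, because the drop and reset-both rows are not deny; and the drill-down filter excluding dns, ssh and the 192.168.0.0/24 source leaves the four rows a troubleshooter would actually want to look at.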


Useful Links