EDU 311 80a MOD 03 Flow Logic

Flow Logic

EDU-311
PAN-OS® 8.0
Courseware Version A

1 | ©2017, Palo Alto Networks, Inc.


Agenda
§ Single-Pass Architecture (SPA)/Single-Pass Parallel Processing (SP3)

§ Flow logic

§ Troubleshooting tools

§ Packet capture



Palo Alto Networks Single-Pass Architecture
Single pass
§ Operations per packet:
• Traffic classification with App-ID
• User/group mapping
• Content scanning – threats, URLs, confidential data
§ One policy

Parallel processing
§ Function-specific parallel processing hardware engines
§ Separate data/control planes


Packet Flow Overview
Diagram: Packet arrives → Network Processor (Ingress) → Security Processor (Session: Slowpath / Fastpath; App-ID; Signature Match / Inspection; Content Inspection) → Network Processor (Egress) → Packet exits


Packet Flow in Detail
Ingress: Error Check, Source Int/Zone Lookup, VPN Decrypt
FW Session Setup (Slowpath): Fwd Int/Zone Lookup, NAT, User-ID, Sec Policy Lookup*
FW Session Match (Fastpath): L2–4 FW Processing, SSL Proxy Decrypt
App-ID: App Override Policy, Payload Inspect, Sec Policy Lookup
Content-ID: Apply Sec Profile
Forwarding/Egress: SSL Re-encrypt, QoS Shaping, VPN Re-encrypt, NAT Applied


Session Matching
§ Unique flow ID – 6-tuple
• Src and Dst IP address
• Src and Dst TCP/UDP port
• Protocol number
• Ingress zone
§ Session = two unidirectional flows
§ The packet 6-tuple is compared to the table of active flows.
Diagram: Existing Session Match? No → Slowpath; Yes → Fastpath


Slowpath and Fastpath
Slowpath or Session Setup
§ New session or application shifting
§ Forwarding lookup – find the egress interface/zone
§ NAT policy: second forwarding lookup if the destination is to be translated
§ FW Security policy lookup (app=any)*
§ If the packet is allowed by policies, set up the session

Fastpath
§ Traffic in established sessions
§ L2–4 FW processing:
• Discard packet if session is not active
• Update session lifetime
• Do NAT if applicable
§ Decrypt SSL if acting as SSL proxy

* This is a port/protocol check.
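As an added illustration of the session matching and slowpath/fastpath split described on the two slides above (this is not course material or Palo Alto Networks code), the following Python models a flow table keyed on the 6-tuple. A table miss goes to slowpath: forwarding lookup for the egress zone, a port/protocol security policy check with app=any, and, if allowed, installation of a session made of two unidirectional flows. A table hit goes to fastpath, where an inactive session causes a discard. The zone lookup, the policy rules and the addresses are constructed for the example.

```python
"""Toy model of PAN-OS session matching: 6-tuple flow key, a session made of
two unidirectional flows, slowpath on a table miss and fastpath on a hit.
Added illustration, not Palo Alto Networks code; the zone lookup and the
security policy below are constructed for the example."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# 6-tuple: src IP, dst IP, src port, dst port, IP protocol number, ingress zone
FlowKey = Tuple[str, str, int, int, int, str]


def zone_for(ip: str) -> str:
    """Constructed stand-in for the forwarding lookup: the zone an address egresses to."""
    return "trust" if ip.startswith("10.1.1.") else "untrust"


# Constructed security policy; with app=any only zones, port and protocol are checked
POLICY = [
    {"name": "allow-web", "from": "trust", "to": "untrust", "proto": 6, "dports": {80, 443}, "action": "allow"},
    {"name": "allow-dns", "from": "trust", "to": "untrust", "proto": 17, "dports": {53}, "action": "allow"},
    {"name": "deny-all", "from": "any", "to": "any", "proto": None, "dports": None, "action": "deny"},
]


def match_policy(from_zone: str, to_zone: str, dport: int, proto: int) -> Optional[dict]:
    """First rule whose zones, protocol and destination port match (port/protocol check only)."""
    for rule in POLICY:
        if rule["from"] not in ("any", from_zone) or rule["to"] not in ("any", to_zone):
            continue
        if rule["proto"] is not None and rule["proto"] != proto:
            continue
        if rule["dports"] is not None and dport not in rule["dports"]:
            continue
        return rule
    return None


@dataclass
class Session:
    sid: int
    rule: str
    c2s: FlowKey      # client-to-server flow, keyed by the ingress zone
    s2c: FlowKey      # server-to-client flow, keyed by the egress zone
    active: bool = True
    packets: int = 0


class FlowTable:
    def __init__(self) -> None:
        self.flows: Dict[FlowKey, Session] = {}
        self.sessions: Dict[int, Session] = {}
        self.next_sid = 1

    def process(self, key: FlowKey) -> Tuple[str, Optional[int]]:
        """Return (path taken, session id); session id is None when no session exists."""
        sess = self.flows.get(key)          # compare the 6-tuple to the table of active flows
        if sess is None:
            return self._slowpath(key)
        return self._fastpath(sess)

    def _slowpath(self, key: FlowKey) -> Tuple[str, Optional[int]]:
        src, dst, sport, dport, proto, in_zone = key
        out_zone = zone_for(dst)            # forwarding lookup: egress interface/zone
        rule = match_policy(in_zone, out_zone, dport, proto)
        if rule is None or rule["action"] != "allow":
            return ("slowpath-discard", None)
        # A session is two unidirectional flows; the return flow arrives from the egress zone
        s2c: FlowKey = (dst, src, dport, sport, proto, out_zone)
        sess = Session(self.next_sid, rule["name"], key, s2c)
        self.next_sid += 1
        self.flows[key] = sess
        self.flows[s2c] = sess
        self.sessions[sess.sid] = sess
        sess.packets += 1
        return ("slowpath-install", sess.sid)

    def _fastpath(self, sess: Session) -> Tuple[str, Optional[int]]:
        if not sess.active:                 # L2-4 processing: discard if session is not active
            return ("fastpath-discard", sess.sid)
        sess.packets += 1                   # stands in for the session-lifetime update
        return ("fastpath", sess.sid)
```

The return-direction packet hits the table through the second flow key, so both directions map to the same session id, which is why a single session appears in show session output for a bidirectional conversation.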
Ingress
Diagram: Receive Packet → Extract L2/L3/L4, Error check, Ingress interface/zone lookup → IPSec/SSL-VPN? Yes → Decryption; No → Existing Session Match? No → Slowpath; Yes → Fastpath


Slowpath
Diagram: Zone Protection Profile → TCP state check → Forwarding Lookup (get egress interface/zone from routing lookup) → Does destination NAT apply? Yes → NAT Policy Lookup (secondary forwarding lookup to find the final egress interface/zone); No → continue → DoS Protection Policy → User-ID and Authentication Policy → Evaluate Security policy with application as any: Allow → Session Setup → Fastpath; Deny/Reset → Discard Packet


App-ID
Diagram: App-ID → App-Override? No → Pattern-Based Application ID; Yes → skip pattern matching → Security Policy with App-ID: Deny → Discard Packet; Allow → Content-ID → Apply Security Profiles → Set QoS → Traffic Decrypted? Yes → Re-encrypt; No → Fwd/Egress


App-ID and Content-ID
App-ID
§ Is there a matched application override rule?
§ If not, recognize the application by signatures
§ Once the application is identified, the Security policy is consulted
§ QoS setup

Content-ID
§ Content-ID Profiles are applied and performed.
§ If tunneling is detected and the application has changed, Security policy rules are re-evaluated.


Forward/Egress
Diagram: Packet Forwarding (route/switch/virtual wire) → Egress to VPN Tunnel? Yes → Encrypt → Apply Tunnel QoS; No → Apply Cleartext QoS → Apply NAT → Check if src IP = dst IP: Yes → Discard Packet; No → Transmit Packet


Fastpath
Diagram: Layer 2–4 Firewall Processing → Apply NAT → SSL Forward Proxy/SSH Decrypt → Has App/Content Changed? Y → App-ID / Content-ID; N → Fwd-Egress


Troubleshooting Tools



Troubleshooting Tools
§ show commands
Especially show log, show counter, and show session all
§ less and tail to follow logs
> tail follow yes mp-log routed.log
§ test to test NAT and Security policy rules
§ Traffic capture with the debug pcap command
> debug routing pcap [bgp | ospf | rip] on
> debug routing pcap show
> debug routing pcap [bgp | ospf | rip] view
> debug routing restart (will restart routed)


show counter Command Options
§ global
• name <name>
• filter
˗ aspect Counter aspect
˗ category Counter category
˗ delta Difference from last read
˗ packet-filter Counters for packet that matches debug filter
˗ severity Counter severity
˗ value All or no-zero value

§ interface
Physical and logical traffic, management, interface counters
§ management-server
Simple high-level counts



show counter global name ? Command



show counter global filter Command
admin@PA-7050> show counter global filter delta yes packet-filter yes
Global counters:
Elapsed time since last sampling: 139.654 seconds
name value rate severity category aspect description
--------------------------------------------------------------------------------
pkt_sent 130 0 info packet pktproc Packets transmitted
pkt_outstanding 130 0 info packet pktproc Outstanding packet to be transmitted
pkt_alloc 111 0 info packet resource Packets allocated
session_allocated 2 0 info session resource Sessions allocated
session_installed 2 0 info session resource Sessions installed
flow_np_pkt_xmt 95 0 info flow offload Packets transmitted to offload processor
flow_host_pkt_xmt 95 0 info flow mgmt Packets transmitted to control plane
flow_host_vardata_rate_limit_ok 89 0 info flow mgmt Host vardata not sent: rate limit ok
flow_lp_pkt_xmt 95 0 info flow mgmt Packets transmitted to log card
flow_lp_pkt_xmt_big 6 0 info flow mgmt Packets bigger than 1500 bytes transmitted to log card
flow_fpga_flow_update 4 0 info flow offload fpga flow update transaction
flow_fpga_rcv_fastpath 27 0 info flow offload fpga packets for fastpath received
flow_fpp_sess_bind_notify 2 0 info flow offload Sess bind notification to FPP
appid_proc 2 0 info appid pktproc The number of packets processed by Application Identification
appid_use_dfa_1 2 0 info appid pktproc The number of packets using the second DFA table
nat_dynamic_port_xlat 2 0 info nat resource The total number of dynamic_ip_port NAT translate called
dfa_sw 8 0 info dfa pktproc The total number of dfa match using software
dfa_fpga 6 0 info dfa offload The total requests to FPGA for dfa
ctd_sml_exit_detector_i 2 0 info ctd pktproc The number of sessions with sml exit in detector i
ctd_err_bypass 2 0 info ctd pktproc ctd error bypass
ctd_sml_vm_run_impl_opcodeexit 2 0 info ctd pktproc SML VM opcode exit
fpga_request 12 0 info fpga offload The outstanding requests to FPGA
aho_fpga 6 0 info aho resource The total requests to FPGA for AHO
aho_sw 4 0 info aho pktproc The total usage of software for AHO
ctd_pkt_slowpath 10 0 info ctd pktproc Packets processed by slowpath
log_pkt_diag_us 7911 56 info log system Time (us) spend on writing packet-diag logs

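The column layout above (name, value, rate, severity, category, aspect, description) is what the show counter global filter options on the earlier slide select on. As an added example, not part of the course material or Palo Alto Networks code, the following Python parses that output into records, applies the same kind of category/aspect/severity/non-zero filters, and computes the difference between two reads, which is what delta yes reports. SAMPLE is a trimmed copy of the output shown above; SAMPLE_LATER is a constructed second read.

```python
"""Parse 'show counter global filter ...' output and filter it like the CLI.
Added example, not Palo Alto Networks code. SAMPLE is trimmed from the deck's
own output; SAMPLE_LATER is a constructed second read used for the delta."""
import re
from typing import Dict, List, Optional

SAMPLE = """\
Global counters:
Elapsed time since last sampling: 139.654 seconds
name value rate severity category aspect description
--------------------------------------------------------------------------------
pkt_sent 130 0 info packet pktproc Packets transmitted
session_allocated 2 0 info session resource Sessions allocated
flow_np_pkt_xmt 95 0 info flow offload Packets transmitted to offload processor
nat_dynamic_port_xlat 2 0 info nat resource The total number of dynamic_ip_port NAT translate called
ctd_pkt_slowpath 10 0 info ctd pktproc Packets processed by slowpath
log_pkt_diag_us 7911 56 info log system Time (us) spend on writing packet-diag logs
"""

# Constructed second read: pkt_sent and session_allocated moved, the rest did not
SAMPLE_LATER = SAMPLE.replace("pkt_sent 130", "pkt_sent 150").replace("session_allocated 2", "session_allocated 3")

# name value rate severity category aspect description
ROW = re.compile(r"^(\S+)\s+(\d+)\s+(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.*)$")


def parse_counters(text: str) -> Dict:
    """Return {'elapsed': seconds since last sampling, 'counters': [row dicts]}."""
    elapsed: Optional[float] = None
    rows: List[dict] = []
    for line in text.splitlines():
        if line.startswith("Elapsed time since last sampling:"):
            elapsed = float(line.split(":", 1)[1].split()[0])
            continue
        m = ROW.match(line)
        if m:  # the header line has no numeric value column, so it never matches
            rows.append({
                "name": m.group(1), "value": int(m.group(2)), "rate": int(m.group(3)),
                "severity": m.group(4), "category": m.group(5), "aspect": m.group(6),
                "description": m.group(7).strip(),
            })
    return {"elapsed": elapsed, "counters": rows}


def filter_counters(rows: List[dict], category: Optional[str] = None, aspect: Optional[str] = None,
                    severity: Optional[str] = None, nonzero: bool = True) -> List[dict]:
    """Keep rows matching every given field; nonzero=True mirrors 'value non-zero'."""
    out = []
    for r in rows:
        if category and r["category"] != category:
            continue
        if aspect and r["aspect"] != aspect:
            continue
        if severity and r["severity"] != severity:
            continue
        if nonzero and r["value"] == 0:
            continue
        out.append(r)
    return out


def delta(prev_rows: List[dict], curr_rows: List[dict]) -> Dict[str, int]:
    """Per-counter change since the previous read, omitting counters that did not move."""
    before = {r["name"]: r["value"] for r in prev_rows}
    changes = {}
    for r in curr_rows:
        diff = r["value"] - before.get(r["name"], 0)
        if diff:
            changes[r["name"]] = diff
    return changes
```

When hunting for the reason a session was not created, filtering on category "flow" and aspect "session" (as the later slide on missing sessions suggests) narrows the table to the drop counters that matter.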


show counter interface Command



Slowpath Troubleshooting Commands
§ show routing route

§ show dos-protection zone

§ show counter global filter delta yes aspect dos

§ test nat-policy-match

§ test security-policy-match



test Command
§ Verify, with match criteria, if a policy will function as expected

§ Types:
• Policy: security, NAT, PBF, CP, decryption, QoS
• Content: URL, data filtering, botnet, WildFire
• VPN: IPsec and IKE
• Network: PPPoE, ARP, routing, QoS



When Would You Not See a Session?
§ Packet is not subject to firewall inspection, such as non-IP packet, IP multicast (if multicast-firewalling is not enabled)
§ Forwarding or policy lookup failure:
• There are counters via the show counter global filter category flow aspect session command that indicate the reason a session is not created.
• Examples: failure of forwarding lookup (cannot get egress interface/zone for policy lookup, no ARP), failure to get vsys (for policy lookup), Security policy lookup deny rule, NAT IP/port allocation, etc.
§ Non-SYN TCP seen for first packet. See show session info and global counter flow_tcp_non_syn_drop.


When Would You Not See a Session? (Cont.)
§ To check activity related to the Zone Protection Profile:
• For SYN cookies and/or flood protection:
show counter global filter category flow aspect dos
• For port-scan drops:
show counter global name flow_scan_drop
§ To see if the vsys session maximum is reached:
• show session meter
• show counter global name flow_meter_vsys_throttle
§ To see if the system has run out of sessions:
• show counter global name session_alloc_failure


Session Browser
Open the Session Browser page to browse and filter current running sessions on the firewall.
Monitor > Session Browser


show session Options
§ all
• Potentially large amounts of output
§ id <value>
• Detailed view of one session
§ info
• Firewall-specific summary
• Shows only traffic statistics to the CPU (software switched)
• No information for “fastpath” (hardware) switched traffic
§ meter
• Session count (total number of sessions)
§ rematch
• Shows statistics of last session rematch
Packet Capture



Packet Capture on WebUI Steps
Monitor > Packet Capture
1. Configure filter(s)
2. Turn filtering on
3. Add capture stage(s) and filename(s)
4. Turn Packet Capture on
5. Generate test traffic
6. Turn capturing off
7. Refresh screen
8. Export pcap
Screenshot callouts: numbers 1–8 mark where each step is performed on the page; one option is labeled "Used by Palo Alto Networks engineering".
Use unique filenames for each stage. If the names are the same, data will be overwritten.


Packet Capture Stage
Monitor > Packet Capture
Receive:
§ All packets received by an interface
§ See whether packets are on the wire
Drop:
§ Packets dropped before a session is created
§ See filtered global counters to identify why drops occur
Firewall:
§ All packets that belong to a session and are processed by the firewall
§ See what's inside the box
Transmit:
§ Packets as they egress from the box
§ See the effects of post-packet processing (NAT, TCP MSS adjustments, etc.)
Screenshot callouts: one setting limits the capture amount by number of packets or file size; another clears all settings and turns capture off.


Packet Filters
admin@PA-4050> debug dataplane packet-diag set filter match ?
+ destination Destination IP address
+ destination-port Destination port
+ ingress-interface Ingress hardware interface name
+ ipv6-only IPv6 packet only
+ non-ip Non-IP packet
+ protocol IP protocol value
+ source Source IP address
+ source-port Source port
<Enter> Finish input

§ Start with very specific filters.
§ Use more generic filters if no traffic is captured.


Packet Capture Filters
Monitor > Packet Capture
Define up to four filters, giving each a unique ID number.


Packet Capture on CLI
§ Step 1: Start with new settings:
> debug dataplane packet-diag clear all
§ Step 2: Enable packet filters (be specific):
> debug dataplane packet-diag set filter match source <source-ip> destination <dest-ip> destination-port <dest-port> protocol <proto-#>
> debug dataplane packet-diag set filter on
§ Step 3: Enable packet captures (each stage requires a unique filename):
> debug dataplane packet-diag set capture stage receive file rx.pcap
> debug dataplane packet-diag set capture stage firewall file fw.pcap
> debug dataplane packet-diag set capture stage drop file dr.pcap
> debug dataplane packet-diag set capture stage transmit file tx.pcap
> debug dataplane packet-diag set capture on
§ Step 4: Generate traffic, then stop captures and view:
> debug dataplane packet-diag set capture off
> view-pcap no-dns-lookup yes filter-pcap <filename>
§ Step 5: If needed, export pcap (can also download from Monitor tab of the WebUI):
> scp export filter-pcap from <filename> to <user@ip-address:path>
> tftp export filter-pcap from <filename> to <tftp-ip>


Packet Capture Feature Options
flow basic shows packet handling through the stages of the firewall.

Additional options for deeper debugging:
appid basic – For application identification issues
ctd basic – For predicting session troubleshooting
flow all – To see more than just basic outputs
proxy basic – For proxy situations (i.e., SSL decryption)
ssl basic – For SSL decryption
tcp all – For TCP state check issues (i.e., out-of-wnd drops)


Using the flow basic Command
§ Useful if a packet capture shows session drops, but no reason for the drop will be seen.
§ Gives more detail about:
• What is received and what will be transmitted
• What the firewall action will be, based on the packet
• What/why is the drop action (if applicable)
§ More resource-intensive than other packet capture utilities
§ No capture stages required (but pcaps on all four stages can be useful)


packet-diag Log
Gives more detail about:
§ What is received and what will be transmitted
§ What the firewall action will be, based on the packet
§ Why a drop action occurred (if applicable)
§ How “predict” traffic is handled

Caution: This packet capture is more resource-intensive than other packet captures. Never
run it when CPU use is high on the dataplane. Use very specific packet filters and check
CPU use on the dataplane and the management plane before using it. Palo Alto Networks
recommends using a maintenance window, if possible.



Flow Basic Best Practice
To minimize risk to active networks, follow these steps:
§ Step 1: Start fresh:
> debug dataplane packet-diag show setting
> debug dataplane packet-diag clear
§ Step 2: Always enable specific filters:
> debug dataplane packet-diag set filter match …
> debug dataplane packet-diag set filter on
> debug dataplane packet-diag show setting
Verify the packet rate with global counters:
> show counter global filter delta yes packet-filter yes


Flow Basic Best Practice (Cont.)
§ Step 3: Enable packet capture:
> debug dataplane packet-diag set capture stage receive file rx-file
> debug dataplane packet-diag set capture stage transmit file tx-file
> debug dataplane packet-diag set capture stage drop file dr-file
> debug dataplane packet-diag set capture stage firewall file fw-file
> debug dataplane packet-diag set capture on

Verify settings:
> debug dataplane packet-diag show setting



Flow Basic Best Practice (Cont.)
§ Step 4: Clear log and then enable flow basic:
> debug dataplane packet-diag clear log log
> debug dataplane packet-diag set log feature flow basic
> debug dataplane packet-diag set log on
§ Step 5: Capture traffic, then immediately disable debugs starting with log:
> debug dataplane packet-diag set log off
> debug dataplane packet-diag set capture off
§ Step 6: View packet capture and flow basic output:
> debug dataplane packet-diag aggregate-logs
> view-pcap no-dns-lookup yes filter-pcap <filename>
> less dp-log pan_packet_diag.log*
* On PA-200/220, PA-500, and PA-820/850 firewalls, substitute the command less mp-log <log-name>.
Flow Basic Example – show setting Option
admin@PA-820> debug dataplane packet-diag show setting
--------------------------------------------------------------------------------
Packet diagnosis setting:
--------------------------------------------------------------------------------
Packet filter
Enabled: yes
Match pre-parsed packet: no
Index 1: 192.168.0.13[0]->8.8.8.8[0], proto 1
ingress-interface any, egress-interface any, exclude non-IP
--------------------------------------------------------------------------------
Logging
Enabled: yes
Log-throttle: no
Aggregate-to-single-file: yes
Output file size: 14984 of 10485760 Bytes
Features:
flow : basic
Counters:
--------------------------------------------------------------------------------
Packet capture
Enabled: yes
Snaplen: 0
Stage receive : file ping-rx
Captured: packets - 8 bytes - 592
Maximum: packets - 0 bytes - 0
Stage firewall : file ping-fw
Captured: packets - 8 bytes - 592
Maximum: packets - 0 bytes - 0
Stage transmit : file ping-tx
Captured: packets - 8 bytes - 592
Maximum: packets - 0 bytes - 0
Stage drop : file ping-dr
Captured: packets - 0 bytes - 0
Maximum: packets - 0 bytes - 0
--------------------------------------------------------------------------------



Flow Basic Example – view-pcap Command
admin@PA-820> view-pcap no-dns-lookup yes filter-pcap ping-rx
reading from file /opt/panlogs/session/pan/filters/ping-rx, link-type EN10MB (Ethernet)
11:56:26.420957 IP 192.168.0.13 > 8.8.8.8: ICMP echo request, id 1, seq 51, length 40
11:56:26.439349 IP 8.8.8.8 > 192.168.0.13: ICMP echo reply, id 1, seq 51, length 40
11:56:27.401154 IP 192.168.0.13 > 8.8.8.8: ICMP echo request, id 1, seq 52, length 40
11:56:27.433215 IP 8.8.8.8 > 192.168.0.13: ICMP echo reply, id 1, seq 52, length 40
11:56:28.398995 IP 192.168.0.13 > 8.8.8.8: ICMP echo request, id 1, seq 53, length 40
11:56:28.430835 IP 8.8.8.8 > 192.168.0.13: ICMP echo reply, id 1, seq 53, length 40
11:56:29.397385 IP 192.168.0.13 > 8.8.8.8: ICMP echo request, id 1, seq 54, length 40
11:56:29.428937 IP 8.8.8.8 > 192.168.0.13: ICMP echo reply, id 1, seq 54, length 40

admin@PA-820> view-pcap no-dns-lookup yes filter-pcap ping-tx
reading from file /opt/panlogs/session/pan/filters/ping-tx, link-type EN10MB (Ethernet)
11:56:26.421449 IP 192.168.0.13 > 8.8.8.8: ICMP echo request, id 1, seq 51, length 40
11:56:26.439864 IP 8.8.8.8 > 192.168.0.13: ICMP echo reply, id 1, seq 51, length 40
11:56:27.402008 IP 192.168.0.13 > 8.8.8.8: ICMP echo request, id 1, seq 52, length 40
11:56:27.433724 IP 8.8.8.8 > 192.168.0.13: ICMP echo reply, id 1, seq 52, length 40
11:56:28.399845 IP 192.168.0.13 > 8.8.8.8: ICMP echo request, id 1, seq 53, length 40
11:56:28.431438 IP 8.8.8.8 > 192.168.0.13: ICMP echo reply, id 1, seq 53, length 40
11:56:29.398194 IP 192.168.0.13 > 8.8.8.8: ICMP echo request, id 1, seq 54, length 40
11:56:29.429540 IP 8.8.8.8 > 192.168.0.13: ICMP echo reply, id 1, seq 54, length 40

If packets are delivered correctly, then packets seen on the RX capture are also seen on the TX capture.
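Checking that rule by eye works for eight pings; for a longer capture it is easier to correlate the two view-pcap listings programmatically. As an added example (not course material or Palo Alto Networks code), the following Python keys each line on source, destination, ICMP type, id and sequence number, reports RX packets that never appear at TX, and computes each packet's transit time through the box from the timestamp difference. RX_OUT and TX_OUT reuse the first lines of the output above, except that the seq 52 request has been deliberately removed from TX_OUT (a constructed gap) to show how a missing packet is reported.

```python
"""Correlate receive-stage and transmit-stage view-pcap listings.
Added example, not Palo Alto Networks code. The sample listings are taken
from the deck's output, with one request removed from TX (constructed gap)."""
import re
from typing import Dict, List, Tuple

RX_OUT = """\
reading from file /opt/panlogs/session/pan/filters/ping-rx, link-type EN10MB (Ethernet)
11:56:26.420957 IP 192.168.0.13 > 8.8.8.8: ICMP echo request, id 1, seq 51, length 40
11:56:26.439349 IP 8.8.8.8 > 192.168.0.13: ICMP echo reply, id 1, seq 51, length 40
11:56:27.401154 IP 192.168.0.13 > 8.8.8.8: ICMP echo request, id 1, seq 52, length 40
11:56:27.433215 IP 8.8.8.8 > 192.168.0.13: ICMP echo reply, id 1, seq 52, length 40
"""

TX_OUT = """\
reading from file /opt/panlogs/session/pan/filters/ping-tx, link-type EN10MB (Ethernet)
11:56:26.421449 IP 192.168.0.13 > 8.8.8.8: ICMP echo request, id 1, seq 51, length 40
11:56:26.439864 IP 8.8.8.8 > 192.168.0.13: ICMP echo reply, id 1, seq 51, length 40
11:56:27.433724 IP 8.8.8.8 > 192.168.0.13: ICMP echo reply, id 1, seq 52, length 40
"""

# Key on (src, dst, ICMP kind, id, seq) so the same packet can be matched across stages
PacketKey = Tuple[str, str, str, int, int]
LINE = re.compile(r"^(\d\d):(\d\d):(\d\d)\.(\d{6}) IP (\S+) > (\S+): (ICMP echo \w+), id (\d+), seq (\d+)")


def parse_view_pcap(text: str) -> Dict[PacketKey, int]:
    """Map each packet key to its timestamp in microseconds since midnight (integer, no rounding)."""
    packets: Dict[PacketKey, int] = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # the 'reading from file' banner and anything unexpected
        h, mi, s, us = (int(x) for x in m.group(1, 2, 3, 4))
        key: PacketKey = (m.group(5), m.group(6), m.group(7), int(m.group(8)), int(m.group(9)))
        packets[key] = (h * 3600 + mi * 60 + s) * 1_000_000 + us
    return packets


def compare_stages(rx_text: str, tx_text: str) -> Dict:
    """Transit time (TX time minus RX time) per packet, plus RX packets never seen at TX."""
    rx = parse_view_pcap(rx_text)
    tx = parse_view_pcap(tx_text)
    transit_us = {k: tx[k] - rx[k] for k in rx if k in tx}
    missing: List[PacketKey] = sorted(k for k in rx if k not in tx)
    return {"transit_us": transit_us, "missing_from_tx": missing}
```

A packet in the missing list is the one to look up next in the drop-stage capture and the flow basic log; a transit time far above the others points at slowpath processing or a resource stall rather than a drop.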
Flow Basic Example – Ingress Stage
admin@PA-820> less dp-log pan_packet_diag.log

== Jan 22 11:56:26 ==
Packet received at ingress stage
Packet info: len 74 port 17 interface 17 vsys 1
wqe index 229102 packet 0x0x80000000b8fbe0c6
Packet decoded dump:
L2: 00:26:88:f9:53:46->00:26:88:f9:53:47, type 0x0800
IP: 192.168.0.13->8.8.8.8, protocol 1
version 4, ihl 5, tos 0x00, len 60,
id 11056, frag_off 0x0000, ttl 127, checksum 16332
ICMP: type 8, code 0, checksum 19752, id 1, seq 51
Flow lookup, key word0 0x1003300010100 word1 0
No active flow found, enqueue to create session

§ Note the IP datagram ID (11056). This identifier also can be used to match the same packet at different stages.
§ No active flow is found in this example. The next action will be slowpath for first packet processing.


Flow Basic Example – Slowpath Stage
== Jan 22 11:56:26 ==
Packet received at slowpath stage
Packet info: len 74 port 17 interface 17 vsys 1
wqe index 229102 packet 0x0x80000000b8fbe0c6
Packet decoded dump:
L2: 00:26:88:f9:53:46->00:26:88:f9:53:47, type 0x0800
IP: 192.168.0.13->8.8.8.8, protocol 1
version 4, ihl 5, tos 0x00, len 60,
id 11056, frag_off 0x0000, ttl 127, checksum 16332
ICMP: type 8, code 0, checksum 19752, id 1, seq 51
Session setup: vsys 1
Session setup: ingress interface ethernet1/2 egress interface ethernet1/1 (zone 2)
Policy lookup, matched rule index 2
DP0 is selected to process this session.
Allocated new session 62387.
Created session, enqueue to install

§ Slowpath shows the ingress interface and the egress interface. Note that the
policy lookup matches a rule, and that the session is allocated. Check the
session ID to see which rule was matched:
> show session id 62387



Flow Basic Example – Fastpath/Forwarding
== Jan 22 11:56:26 ==
Packet received at fastpath stage
Packet info: len 74 port 17 interface 17 vsys 1
wqe index 229102 packet 0x0x80000000b8fbe0c6
Packet decoded dump:
L2: 00:26:88:f9:53:46->00:26:88:f9:53:47, type 0x0800
IP: 192.168.0.13->8.8.8.8, protocol 1
version 4, ihl 5, tos 0x00, len 60,
id 11056, frag_off 0x0000, ttl 127, checksum 16332
ICMP: type 8, code 0, checksum 19752, id 1, seq 51
Flow fastpath, session 62387

== Jan 22 11:56:26 ==
Packet received at forwarding stage
Packet info: len 74 port 17 interface 17 vsys 1
wqe index 229102 packet 0x0x80000000b8fbe0c6
Packet decoded dump:
L2: 00:26:88:f9:53:46->00:26:88:f9:53:47, type 0x0800
IP: 192.168.0.13->8.8.8.8, protocol 1
version 4, ihl 5, tos 0x00, len 60,
id 11056, frag_off 0x0000, ttl 127, checksum 16332
ICMP: type 8, code 0, checksum 19752, id 1, seq 51
Forwarding lookup, ingress interface 17
Virtual-wire mode, ingress if 17, egress if 16
Transmit packet on port 16

Forwarding lookup occurs during the forwarding stage, and for every packet. Port
indexes can be viewed with the following command:
> show interface all
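The three slides above follow one datagram (IP id 11056) through the ingress, slowpath, fastpath and forwarding stages of the flow basic log. As an added example (not course material or Palo Alto Networks code), the following Python does that correlation automatically: it splits pan_packet_diag.log into entries, groups them by the IP datagram ID, and pulls out the stage sequence, the session ID, the matched rule index, the egress interface/zone and the transmit port. LOG reuses the entries shown above with the decoded dumps trimmed to the relevant lines, plus one constructed packet (id 11057, same message formats) that only reaches the ingress stage, so the helper that lists packets which never reached forwarding has something to find.

```python
"""Reconstruct per-packet stage traces from a flow basic (pan_packet_diag.log) excerpt.
Added example, not Palo Alto Networks code. LOG reuses the deck's entries for
id 11056 (trimmed) plus a constructed id 11057 that stops after ingress."""
import re
from typing import Dict, List

LOG = """\
== Jan 22 11:56:26 ==
Packet received at ingress stage
Packet info: len 74 port 17 interface 17 vsys 1
IP: 192.168.0.13->8.8.8.8, protocol 1
id 11056, frag_off 0x0000, ttl 127, checksum 16332
ICMP: type 8, code 0, checksum 19752, id 1, seq 51
Flow lookup, key word0 0x1003300010100 word1 0
No active flow found, enqueue to create session

== Jan 22 11:56:26 ==
Packet received at slowpath stage
Packet info: len 74 port 17 interface 17 vsys 1
id 11056, frag_off 0x0000, ttl 127, checksum 16332
Session setup: vsys 1
Session setup: ingress interface ethernet1/2 egress interface ethernet1/1 (zone 2)
Policy lookup, matched rule index 2
DP0 is selected to process this session.
Allocated new session 62387.
Created session, enqueue to install

== Jan 22 11:56:26 ==
Packet received at fastpath stage
id 11056, frag_off 0x0000, ttl 127, checksum 16332
Flow fastpath, session 62387

== Jan 22 11:56:26 ==
Packet received at forwarding stage
id 11056, frag_off 0x0000, ttl 127, checksum 16332
Forwarding lookup, ingress interface 17
Virtual-wire mode, ingress if 17, egress if 16
Transmit packet on port 16

== Jan 22 11:56:27 ==
Packet received at ingress stage
id 11057, frag_off 0x0000, ttl 127, checksum 16331
Flow lookup, key word0 0x1003300010100 word1 0
No active flow found, enqueue to create session
"""

STAGE = re.compile(r"Packet received at (\w+) stage")
IPID = re.compile(r"^\s*id (\d+), frag_off", re.M)       # the IP header id, not the ICMP id
SESSION = re.compile(r"(?:Allocated new session|Flow fastpath, session) (\d+)")
RULE = re.compile(r"matched rule index (\d+)")
EGRESS = re.compile(r"egress interface (\S+) \(zone (\d+)\)")
XMIT = re.compile(r"Transmit packet on port (\d+)")


def trace_packets(text: str) -> Dict[int, dict]:
    """Group log entries by IP datagram ID and record what each stage decided."""
    traces: Dict[int, dict] = {}
    for chunk in re.split(r"^== .*? ==$", text, flags=re.M):   # one chunk per timestamped entry
        stage = STAGE.search(chunk)
        ipid = IPID.search(chunk)
        if not stage or not ipid:
            continue
        t = traces.setdefault(int(ipid.group(1)), {
            "stages": [], "session": None, "rule_index": None, "egress": None, "transmit_port": None})
        t["stages"].append(stage.group(1))
        for pattern, field in ((SESSION, "session"), (RULE, "rule_index"), (XMIT, "transmit_port")):
            m = pattern.search(chunk)
            if m:
                t[field] = int(m.group(1))
        m = EGRESS.search(chunk)
        if m:
            t["egress"] = (m.group(1), int(m.group(2)))
    return traces


def not_transmitted(traces: Dict[int, dict]) -> List[int]:
    """IP IDs whose trace never reached the forwarding stage; start the drop investigation here."""
    return sorted(ipid for ipid, t in traces.items() if "forwarding" not in t["stages"])
```

The session number recovered for id 11056 is the argument for show session id, and the rule index is what the Policy lookup line reports, so the trace ties the log back to the commands the slides suggest running next.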
Offloaded Traffic
§ If only the first few packets of a session are being captured, one possible reason is that the session was offloaded:
• Offloaded packets are not processed by the CPU.
§ Offloaded packets will not be caught in the packet capture.
§ Offloading can be temporarily disabled by running the following command:
> set session offload no


Session Offload
§ For platforms with hardware offload capability, actual performance is higher. Maximum performance is achieved through session offloading.
§ If there is no further need to perform application processing, then a session can be offloaded (encrypted traffic, certain UDP streams, etc.).
§ Certain traffic will not offload (such as web-browsing, ping).
§ An offloaded session will show as Layer 7 completed.
§ An offloaded session will no longer be visible to dataplane packet-diag (flow basic or packet captures).

Note: All platforms offload except PA-200/220, PA-500, PA-820/850, and VMs.


Disabling Offloading
Under what conditions does the firewall offload network traffic?
§ Any traffic that does not perform application shifts and contains no known threats
§ Any encrypted traffic that is not being decrypted (SSL/SSH)
§ Any network protocols (OSPF, BGP, RIP)
§ During application override (bypass application engine)
Offloading is often disabled during troubleshooting because offloaded sessions
are not visible to dataplane packet-diag (flow basic or packet captures).
To manually disable offloading:
admin@PA-4050# set deviceconfig setting session offload no
admin@PA-4050> set session offload no



Questions?



Secures the Network
