Palo Alto - tcpdump filter example
On Palo Alto Networks firewalls, tcpdump is used for capturing packets traversing the management interface (MGT). While tcpdump on a Palo Alto firewall offers a more limited set of options compared to a full Linux implementation, it still supports filtering to focus on specific traffic.
Basic Usage and Filtering:
- Access the CLI: launch an SSH session to the firewall using a terminal emulation application such as PuTTY.
- Start tcpdump with a filter: the filter expression must be enclosed in double quotes.
Common Filter Expressions:
- Host: host x.x.x.x (captures traffic to/from a specific IP address)
- Source Host: src host x.x.x.x (captures traffic originating from a specific IP address)
- Destination Host: dst host x.x.x.x (captures traffic destined for a specific IP address)
- Port: port YYY (captures traffic using a specific port number)
- Source Port: src port YYY (captures traffic originating from a specific port)
- Destination Port: dst port YYY (captures traffic destined for a specific port)
- Protocol: tcp, udp, icmp, etc. (captures traffic of a specific protocol)
- Network: net A.B.C.D/X (captures traffic within a specific network range)
Combining Filters:
You can combine filter expressions using logical operators:
- AND: and
- OR: or
- NOT: not
Examples:
- Capture traffic to/from a specific host on port 443.
- Capture all traffic to/from a specific network, excluding SSH (port 22).
- Capture DNS (port 53) traffic.
Important Notes:
- tcpdump on the Palo Alto firewall captures only on the management interface (MGT), so you do not need to specify an interface.
- The captured data is stored in mgmt.pcap and is overwritten each time tcpdump is run.
- To stop the capture, press Ctrl + C.
- For detailed analysis, export the mgmt.pcap file to a network packet analyzer such as Wireshark.
- Avoid overly broad filters (e.g., net 0.0.0.0/0), as they can impact performance.
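As an added example (not code from this page or from Palo Alto Networks), the Python below composes the filter primitives and operators listed above into the double-quoted command form, assumed here to be tcpdump filter "<expression>", and evaluates the same filters offline against constructed packet records. It lets you check the three example filters and the overly-broad-filter note before anything is typed on the firewall; the Packet record and the sample addresses are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:  # constructed sample record standing in for one captured packet
    src: str
    dst: str
    proto: str
    sport: int
    dport: int

class Filter:  # a filter primitive or combination: PAN-OS text plus an offline matcher
    def __init__(self, text, match, is_or=False):
        self.text, self.match, self.is_or = text, match, is_or
    def _wrap(self):  # an 'or' nested under 'and' or 'not' needs parentheses
        return f"({self.text})" if self.is_or else self.text
    def __and__(self, o):
        return Filter(f"{self._wrap()} and {o._wrap()}",
                      lambda p: self.match(p) and o.match(p))
    def __or__(self, o):
        return Filter(f"{self.text} or {o.text}",
                      lambda p: self.match(p) or o.match(p), is_or=True)
    def __invert__(self):
        return Filter(f"not {self._wrap()}", lambda p: not self.match(p))
    def command(self):  # PAN-OS CLI form (assumed): the expression is double-quoted
        return f'tcpdump filter "{self.text}"'

def host(ip, side=""):  # side: "" (either direction), "src" or "dst"
    ipaddress.ip_address(ip)  # reject a mistyped address before it reaches the CLI
    fields = {"": ("src", "dst"), "src": ("src",), "dst": ("dst",)}[side]
    return Filter(f"{side} host {ip}".strip(),
                  lambda p: any(getattr(p, f) == ip for f in fields))

def port(n, side=""):
    fields = {"": ("sport", "dport"), "src": ("sport",), "dst": ("dport",)}[side]
    return Filter(f"{side} port {n}".strip(),
                  lambda p: any(getattr(p, f) == n for f in fields))

def net(cidr):
    network = ipaddress.ip_network(cidr)
    if network.prefixlen == 0:  # 'net 0.0.0.0/0' matches everything: refuse it
        raise ValueError(f"overly broad filter: net {cidr}")
    return Filter(f"net {cidr}", lambda p: any(
        ipaddress.ip_address(a) in network for a in (p.src, p.dst)))

def proto(name):  # tcp, udp, icmp, ...
    return Filter(name, lambda p: p.proto == name)
```

For instance, (host("10.1.1.5") & port(443)).command() yields the string to paste into the CLI, and .match(packet) shows which records that filter would have kept.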