Troubleshooting Palo Alto Firewall

Author

Piotr Kaluzny

Head Instructor

Sep 14, 2024

When it comes to managing a network’s security infrastructure, troubleshooting is an essential skill. Experience plays a huge role in how quickly and efficiently issues can be identified and resolved, especially when working with complex firewalls like Palo Alto. Whether you’re diagnosing connectivity problems or identifying why specific traffic isn’t passing through as expected, a solid understanding of the tools available can significantly improve your troubleshooting speed and accuracy.

In this blog, we’ll focus specifically on troubleshooting traffic flows within a Palo Alto Firewall environment. We’ll examine key elements like Security Policies and the tools that help monitor and analyze traffic. Effective troubleshooting of traffic issues depends on understanding where the breakdown is happening: whether traffic is blocked due to a policy, incorrectly routed, or impacted by other firewall settings.

This post will walk through four essential troubleshooting tools that will help you resolve traffic-related issues quickly and effectively:

  1. Packet Capture
  2. Session Browser
  3. Traffic Logs
  4. CLI “show session” command

Each of these tools serves a distinct purpose and offers a different perspective on traffic behavior. For example, the Session Browser displays active or recently active connections, while Traffic Logs show historical records of all traffic that has passed through the firewall. Understanding these differences helps in selecting the right tool for the right task.

Packet Capture

Packet Capture (Monitor -> Packet Capture) is one of the most powerful tools available on Palo Alto firewalls. It allows you to capture real-time traffic at different stages (from ingress to egress) and is invaluable when you need granular insight into the packets entering and exiting the firewall. This tool helps in identifying issues at the packet level, such as malformed packets or inconsistencies in the traffic flow that might not be obvious when looking at logs or session data.

When to use:

  • Troubleshooting deep packet issues
  • Verifying whether packets are reaching the firewall and how they are being processed
  • Diagnosing more intricate traffic problems that may not be obvious from logs or sessions

Sample output:

[Screenshot: Palo Alto Firewall packet capture output]

[Screenshot: Palo Alto Firewall detailed packet capture output]

While the Session Browser and Logs give you a more aggregated view of connections and traffic flow, Packet Capture offers raw data, giving you complete visibility into each packet’s journey through the firewall.

Session Browser

The Session Browser tool (Monitor -> Session Browser) allows you to view active and recently active sessions on the firewall. It shows you the state of the connection, which policies are being applied, and the path traffic is taking through the firewall. It’s particularly useful when you’re trying to understand whether a session is allowed or denied by the firewall, or if the session has been terminated unexpectedly.

When to use:

  • Checking current or recently established sessions
  • Determining whether traffic is being allowed or blocked by a policy
  • Investigating whether sessions are dropping prematurely

Sample output:

[Screenshot: Palo Alto Firewall sample session browser entries]

Session Browser focuses on live or recent sessions, unlike our next tool, Traffic Logs, which provide a record of all past traffic, whether the session is still current or not.

Traffic Logs

The Traffic Logs (Monitor -> Logs -> Traffic) provide a historical record of traffic that has passed through the firewall. This log includes detailed information about each connection, including source and destination IPs, ports, application, and whether the traffic was allowed or denied by a security policy. The logs also help trace issues that may not be happening in real time but were reported by users at an earlier time.

When working with Traffic Logs on a Palo Alto Firewall, it’s important to understand the difference between logging at session start and logging at session end. This choice impacts how and when traffic entries appear in the logs, and understanding this distinction is crucial when troubleshooting network traffic:

  • When you enable logging at session start, the firewall logs the session as soon as it’s initiated. This includes details such as the source and destination IPs, ports, application, and the initial security policy decision. However, the log will not include any information about how the session ended or the total amount of data transferred; only the initial state is captured.
  • On the other hand, logging at session end captures details only after the session has been closed. This provides a complete view of the session, including the amount of data transferred, how the session was terminated, and the final security policy enforcement decision.

The primary difference between these two logging options is timing. Logging at session start gives you immediate visibility into traffic but provides limited information about the session’s lifecycle. Logging at session end provides a complete picture but with a delay, as no logs are generated until the session finishes. In many environments, it’s common to log at session end by default, as it offers the most comprehensive information. However, for troubleshooting purposes, logging at session start can be valuable if you need to monitor live traffic or diagnose issues that occur at the beginning of a session.
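To make the start/end distinction concrete, the following Python sketch (an added example, not part of the original post) pairs start and end entries by session ID and reports what each session's log picture tells you. The CSV column names and sample rows are constructed for illustration and are simplified assumptions, not an exact PAN-OS export format.

```python
import csv
import io
from collections import defaultdict

# Constructed sample rows; column names are simplified assumptions.
SAMPLE_CSV = """\
session_id,subtype,src,dst,dport,app,rule,action,bytes_sent,bytes_received,session_end_reason
101,start,10.1.1.10,198.51.100.20,443,ssl,allow-web,allow,0,0,n/a
101,end,10.1.1.10,198.51.100.20,443,ssl,allow-web,allow,5230,48211,tcp-fin
102,start,10.1.1.11,198.51.100.30,22,ssh,allow-mgmt,allow,0,0,n/a
103,start,10.1.1.12,203.0.113.40,8443,incomplete,allow-web,allow,0,0,n/a
103,end,10.1.1.12,203.0.113.40,8443,incomplete,allow-web,allow,296,0,aged-out
104,drop,10.1.1.13,203.0.113.50,23,not-applicable,block-legacy,deny,0,0,policy-deny
"""


def classify_sessions(csv_text):
    """Group log rows by session ID and label what the logs reveal."""
    by_session = defaultdict(dict)
    for row in csv.DictReader(io.StringIO(csv_text)):
        by_session[row["session_id"]][row["subtype"]] = row

    findings = {}
    for sid, logs in by_session.items():
        blocked = logs.get("drop") or logs.get("deny")
        end = logs.get("end")
        if blocked:
            findings[sid] = "blocked by rule " + blocked["rule"]
        elif end is None:
            # Start entry only: the session has not closed, so a rule that
            # logs only at session end would show nothing for it yet.
            findings[sid] = "still open (start log only)"
        elif (end["session_end_reason"] == "aged-out"
              and int(end["bytes_received"]) == 0):
            # Heuristic: allowed, but the firewall never saw a reply.
            findings[sid] = "allowed, no reply seen"
        else:
            findings[sid] = "completed: " + end["session_end_reason"]
    return findings


if __name__ == "__main__":
    for sid, verdict in sorted(classify_sessions(SAMPLE_CSV).items()):
        print(sid, verdict)
```

Session 102 is the case the paragraph above describes: it is visible only because its rule logs at session start.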

When to use:

  • Investigating past incidents of blocked or allowed traffic
  • Searching for traffic anomalies over time
  • Checking security policy enforcement on past traffic

Sample output:

[Screenshot: Palo Alto Firewall sample traffic logs entries]

[Screenshot: Palo Alto Firewall detailed traffic log output]

Traffic Logs provide a historical view of all traffic, whereas the Session Browser gives you only a snapshot of the currently active or recent sessions. Logs are crucial when diagnosing issues that have already occurred.

CLI “show session” Command

The following CLI command:

show session

is a command-line tool that provides information similar to the Session Browser but with more flexibility. It allows you to filter sessions by different parameters like IP address, ports, or application. This tool is particularly helpful when you need quick access to session data from a command line interface, making it a go-to for network engineers who prefer working in the CLI.

When to use:

  • Quick troubleshooting in environments where the GUI is inaccessible or less efficient
  • Filtering sessions by specific parameters to get more focused data
  • Verifying details of a particular session, such as the firewall’s decision on traffic or how NAT and security policies are applied

Sample output:

[Screenshot: Palo Alto Firewall sample show session all CLI command output]

[Screenshot: Palo Alto Firewall detailed output of show session id CLI command]

Both the “show session” command and the Session Browser show active or recent sessions, but the CLI tool provides more filtering options and faster access for users who prefer command-line interfaces.

Cybrec’s Palo Alto Firewall Troubleshooting Video Series

If you’re looking for a deeper dive into troubleshooting Palo Alto Firewalls, be sure to check out the Troubleshooting Palo Alto Networks Firewall video series. This course not only covers traffic flow issues but also explores common challenges and troubleshooting tools for other critical aspects of the firewall, such as interfaces, decryption, and VPNs. Whether you’re a beginner or looking to refine your skills, this course is designed to provide the hands-on experience and expert knowledge you need to troubleshoot effectively and confidently across various firewall functions.

Each of the tools discussed in this article offers a different perspective on how traffic is flowing through the firewall. Whether you’re analyzing live sessions, reviewing historical logs, or inspecting individual packets, choosing the right tool for the task at hand is essential to effective troubleshooting.
