Scribd
Upload
409 views

Basics of Traffic Monitor Filtering Knowledge Base Palo Alto Networks

Uploaded by

dezaxxl
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
409 views

Basics of Traffic Monitor Filtering Knowledge Base Palo Alto Networks

Uploaded by

dezaxxl
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 6

Customer Support Find answers  Sign In

Other users

Basics of Traffic Monitor Filtering also viewed:
Created On 09/25/18 19:02 PM - Last 210504
 Support Home
Updated 03/03/20 04:45 AM
 Resources Actions
TRAFFIC LOG DEVICE MANAGEMENT 8.1 7.1 9.0

PAN-OS
 Print
 Copy Link
Environment
Any PAN-OS.
Palo Alto Firewall. Attachments

Resolution
Choose
When Trying to search for a log with a source IP, destination IP or
any other flags, Filters can be used. The filters need to be put in Language
the search section under GUI: Monitor > Logs > Traffic (or other
logs). This document  demonstrates several methods of filtering English
and looking for specific types of traffic on Palo Alto Networks
firewalls. Categories of filters include  host, zone, port, or
date/time. At the end of the list, we include a  few  examples
that combine various filters for more comprehensive searching.

Host Traffic Filter Examples

1. From Host a.a.a.a

         (addr.src in a.a.a.a)
          example: (addr.src in 1.1.1.1) 
          Explanation: shows all traffic from host ip address
that matches 1.1.1.1 (addr.src in a.a.a.a)
 

2. To Host b.b.b.b

         (addr.dst in b.b.b.b)
         example: (addr.dst in 2.2.2.2) 
                  Explanation: shows all traffic with a destination
address of a host that matches 2.2.2.2
 

3. From Host a.a.a.a to Host b.b.b.b

        (addr.src in a.a.a.a) and (addr.dst in b.b.b.b)


        example: (addr.src in 1.1.1.1) and (addr.dst in 2.2.2.2)
        Explanation: shows all traffic coming from a host with
an IP  address of 1.1.1.1 and going to a host destination
address of 2.2.2.2
 

Customer Support
4. To Host Range Find answers  Sign In

        Note that you cannot specify an actual range but can


use CIDR notation to specify a network range of addresses
        (addr.src in a.a.a.a/CIDR)
        example:  (addr.src in 10.10.10.2/30)
        Explanation:  shows all traffic coming from addresses
ranging from 10.10.10.1 - 10.10.10.3.
 

5. To or From Host a.a.a.a

        (addr in a.a.a.a)
        example: (addr in 1.1.1.1) 
                Explanation: shows all traffic with a source OR
destination address of a host that matches 1.1.1.1

Zone Traffic Filter Examples:


 
1. From Zone zone_a

        (zone.src eq zone_a)
        example: (zone.src eq PROTECT)
                Explanation: shows all traffic coming from the
PROTECT zone
 

2. To Zone zone_b

        (zone.dst eq zone_b)
        example: (zone.dst eq OUTSIDE)
        Explanation: shows all traffic going out the OUTSIDE
zone
 

3. From Zone zone_a to Zone zone_b

          (zone.src eq zone_a) and (zone.dst eq zone_b)


          example: (zone.src eq PROTECT) and (zone.dst eq
OUTSIDE)
                    Explanation: shows all traffic traveling from the
PROTECT zone and going out the OUTSIDE zone

Port Traffic Filter Examples:


 

1. From Port aa

          (port.src eq aa)
          example: (port.src eq 22)
          Explanation: shows all traffic traveling from source
port 22
 

2. To Port aa

          (port.dst eq bb)
          example: (port.dst eq 25)
          Explanation: shows all traffic traveling to destination
port 25
 

3. From Port aa TO Port bb


          (port.src eq aa) and (port.dst eq bb)
          example: (port.src eq 23459) and (port.dst eq 22)
Customer Support Find answers
          Explanation: shows all traffic traveling from source
 Sign In
port 23459 and traveling to destination port 22

4. From All Ports Less Than or Equal To Port aa

          (port.src leq aa)


          example: (port.src leq 22)
          Explanation: shows all traffic traveling from source
ports 1-22
 

5. From All Ports Greater Than Or Equal To Port aa

          (port.src geq aa)


          example: (port.src geq 1024)
          Explanation: shows all traffic traveling from source
ports 1024 - 65535
 

6. To All Ports Less Than Or Equal To Port aa

         (port.dst leq aa)


         example: (port.dst leq 1024)
         Explanation: shows all traffic traveling to destination
ports 1-1024
 

7. To All Ports Greater Than Or Equal To Port aa

          (port.dst geq aa)


          example: (port.dst geq 1024)
                    Explanation: shows all traffic traveling  to
destination ports 1024-65535
 

8. From Port Range aa Through bb

          (port.src geq aa) and (port.src leq bb)


          example: (port.src geq 20) and (port.src leq 53)
          Explanation: shows all traffic traveling from source
port range 20-53
 

9. To Port Range aa Through bb

          (port.dst geq aa) and (port.dst leq bb)


                    example: (port.dst geq 1024) and (port.dst leq
13002)
          Explanation: shows all traffic traveling to destination
ports 1024 - 13002

Date/Time Traffic Filter Examples:

1. All Traffic for a Specific Date yyyy/mm/dd And Time hh:mm:ss

         (receive_time eq 'yyyy/mm/dd hh:mm:ss')


         example: (receive_time eq '2015/08/31 08:30:00')
                  Explanation: shows all traffic that was received on
August 31, 2015 at 8:30am
 
2. All Traffic Received On Or Before The Date yyyy/mm/dd And
Time hh:mm:ss
Customer Support Find answers  Sign In
          (receive_time leq 'yyyy/mm/dd hh:mm:ss')
          example: (receive_time leq '2015/08/31 08:30:00')
          Explanation: shows all traffic that was received on or
before August 31, 2015 at 8:30am
 

3. All Traffic Received On Or After The Date yyyy/mm/dd And


Time hh:mm:ss

          (receive_time geq 'yyyy/mm/dd hh:mm:ss')


          example: (receive_time geq '2015/08/31 08:30:00')
          Explanation: shows all traffic that was received on or
after August 31, 2015 at 8:30am

4. All Traffic Received Between The Date-Time Range


Of yyyy/mm/dd hh:mm:ss and YYYY/MM/DD HH:MM:SS

                  (receive_time geq 'yyyy/mm/dd hh:mm:ss') and


(receive_time leq 'YYYY/MM/DD HH:MM:SS')
         example: (receive_time geq '2015/08/30 08:30:00')
and (receive_time leq '2015/08/31 01:25:00')
                  Explanation: shows all traffic that was
received  between August 30, 2015 8:30am and August
31, 2015 01:25 am

Interface Traffic Filter Examples:

1. All Traffic Inbound On Interface ethernet1/x

          (interface.src eq 'ethernet1/x')
          example: (interface.src eq 'ethernet1/2')
          Explanation: shows all traffic that was received on
the PA Firewall interface Ethernet 1/2
 

2. All Traffic Outbound On Interface ethernet1/x

          (interface.dst eq 'ethernet1/x')
          example: (interface.dst eq 'ethernet1/5')
          Explanation: shows all traffic that was sent out on
the PA Firewall interface Ethernet 1/5

Allowed/Denied Traffic Filter Examples

1. All Traffic That Has Been Allowed By The Firewall Rules

         (action eq allow)
          OR
         (action neq deny)

example: (action eq allow)


Explanation: shows all traffic allowed by the firewall rules.
  Placing the letter 'n' in front of  'eq' means 'not equal to,'
so anything not equal to 'deny' is  displayed, which is any
allowed traffic.
 

2. All Traffic Denied By The FireWall Rules.


          (action eq deny)
          OR
Customer Support Find
         (action neq allow)
answers  Sign In

example: (action eq deny)


Explanation: shows all traffic denied by the firewall rules.
Placing the letter 'n' in front of 'eq' means 'not equal to,' so
anything not equal to 'allow' is  displayed, which is
any denied traffic.

Combining Traffic Filter Examples

1. All Traffic From Zone Outside And Network 10.10.10.0/24


TO Host Address 20.20.20.21 In The Protect Zone:

          (zone.src eq OUTSIDE) and (addr.src in


10.10.10.0/24) and (addr.dst in 20.20.20.21) and
(zone.dst eq PROTECT)
 

2. All Traffic From Host 1.2.3.4 to Host 5.6.7.8 For The Time
Range 8/30/2015 -08/31/2015

          (addr.src in 1.2.3.4) and (addr.dst in 5.6.7.8) and


(receive_time geq '2015/08/30 00:00:00') and
(receive_time leq '2015/08/31 23:59:59')
 

Additional Information
A good practice when drilling down into the traffic log when
the search starts off with little to no information, is to start
from least specific and add filters to more specific.
When troubleshooting, instead of directly filtering for a specific
app, try filtering  for all apps except the ones you know you
don't need, for example '(app neq dns) and (app neq ssh)'
You can also throw in protocols you don't need (proto neq
udp) or IP ranges ( addr.src notin 192.168.0.0/24 )
This practice helps you drill  down to the traffic of interest
without losing an overview by searching too narrowly from the
start.

Attachments

Company

About Palo Alto Networks

Careers

Legal Notices

Privacy

Terms of Use
Resources
Customer
Support
Support Find answers  Sign In

Live Community

Email Subscription

Beacon

© 2020 Palo Alto Networks, Inc. All rights reserved.

a51e12a918ebc5e13df4fa789ea5f12b206b9b88618b27aae24c669a71415fa9

You might also like