The Palo Alto Networks firewall runs several daemons that operate in a listening or active mode and provide different services to your network-connected hosts and users. To verify that one of these processes is functioning normally, collecting a packet capture is a reliable way of confirming that requests actually reach the daemon and are answered.
Rather than setting up a full 'packet-diag' packet capture, which can collect far more than you need and leave you filtering through large volumes of packets just to reach the interesting ones, the daemons can be told to capture packets on their own processes. This lets an administrator see only the packets handled by a single daemon.
The following commands address specific daemons and enable their packet capture feature:
The device server, to verify cloud lookups for URL filtering
> debug device-server pcap on
The DHCP daemon
> debug dhcpd pcap on
The IKE manager, for phase 1 (IKE) negotiation of GlobalProtect, satellite and site-to-site VPN tunnels
> debug ike pcap on
The Link Layer Discovery Protocol (LLDP) handler in the layer 2 control daemon
> debug l2ctrld lldp pcap on
The captive portal, handled by the l3svc daemon
> debug l3svc pcap on
The PPPoE daemon
> debug pppoed pcap on
The routing engine can collect packet captures for a single protocol, or for all of them
> debug routing pcap
> all
> bgp
> igmp
> ospf
> ospfv3
> pim
> rip
The pcap command comes with a few more options. Turn the capture off once you have what you need, and delete the collected files when you are done with them, since they stay on the firewall until removed:
> delete delete collected pcap files
> off disable the packet capture
> show shows a list of collected packet capture files
> view display the currently active packet capture, if the daemon is set to 'on'
Alternatively, all available debug packet captures can be listed and viewed through the view-pcap command:
admin@myNGFW> view-pcap debug-pcap
dhcp-vr-0.pcap.pipe ds-url-reqs-vr-0.pcap ds-url-reqs-vr-0.pcap.pipe ikemgr.pcap dhcp-vr-0.pcap
admin@myNGFW> view-pcap debug-pcap dhcp-vr-0.pcap
10:54:26.446461 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 00:0c:29:5a:9e:1b (oui Unknown), length: 300
10:54:27.452142 IP 192.168.0.241.6700 > 127.130.1.240.kti-icad-srvr: UDP, length 336
Packet captures can also be exported via SCP or TFTP so they can be opened in Wireshark:
> scp export debug-pcap from dhcp-vr-0.pcap to admin@10.0.0.1:/pcaps/
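The export step above is where the capture becomes something you can analyze offline. Since the point of the whole exercise is to confirm that requests are received and answered, the following Python script, an added example that is not part of the original post or of PAN-OS, reads an exported dhcpd debug pcap and lists the DHCP transactions (by xid) in which a client sent a DISCOVER, REQUEST or INFORM but the daemon never replied with an OFFER, ACK or NAK. It assumes the export is a plain libpcap file with Ethernet framing and uses only the standard library; the sample capture built at the bottom is constructed, with made-up MAC and IP addresses, so the checker can be exercised without a firewall.

```python
"""Flag DHCP transactions in an exported dhcpd debug pcap that never got a reply.

Added example, not from the original post. Assumes the export is plain libpcap
with an Ethernet link type; stdlib only. The sample capture at the bottom uses
made-up MAC and IP addresses so the checker runs without a firewall.
"""
import struct

DHCP_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE",
              5: "ACK", 6: "NAK", 7: "RELEASE", 8: "INFORM"}
CLIENT_WANTS_REPLY = {"DISCOVER", "REQUEST", "INFORM"}  # DECLINE/RELEASE expect none
SERVER_MSGS = {"OFFER", "ACK", "NAK"}
MAGIC_COOKIE = b"\x63\x82\x53\x63"
PCAP_MAGIC = {b"\xd4\xc3\xb2\xa1": "<", b"\x4d\x3c\xb2\xa1": "<",  # little-endian usec/nsec
              b"\xa1\xb2\xc3\xd4": ">", b"\xa1\xb2\x3c\x4d": ">"}  # big-endian usec/nsec


def iter_pcap_frames(data):
    """Yield raw Ethernet frames from libpcap bytes."""
    end = PCAP_MAGIC.get(data[:4])
    if end is None:
        raise ValueError("not a libpcap file")
    if struct.unpack(end + "I", data[20:24])[0] != 1:  # LINKTYPE_ETHERNET
        raise ValueError("expected Ethernet link type")
    off = 24
    while off + 16 <= len(data):  # 16-byte record header, then incl_len bytes of frame
        incl_len = struct.unpack(end + "I", data[off + 8:off + 12])[0]
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def parse_dhcp(frame):
    """Return (xid, client MAC, DHCP message type) for a DHCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 17:
        return None  # not IPv4 over Ethernet, or not UDP
    udp = frame[14 + (frame[14] & 0x0F) * 4:]  # skip the IPv4 header using its IHL
    if not {67, 68} & set(struct.unpack("!HH", udp[:4])):
        return None
    bootp = udp[8:]
    if len(bootp) < 240 or bootp[236:240] != MAGIC_COOKIE:
        return None
    xid = struct.unpack("!I", bootp[4:8])[0]
    chaddr = bootp[28:28 + bootp[2]].hex(":")  # hlen bytes of client hardware address
    opts, i, msgtype = bootp[240:], 0, None
    while i < len(opts) and opts[i] != 255:  # walk TLV options until END
        if opts[i] == 0:  # PAD has no length byte
            i += 1
            continue
        if opts[i] == 53 and opts[i + 1] == 1:
            msgtype = DHCP_TYPES.get(opts[i + 2], "UNKNOWN")
        i += 2 + opts[i + 1]
    return xid, chaddr, msgtype


def unanswered_transactions(pcap_bytes):
    """Map xid -> (client MAC, client messages) for xids the daemon never answered."""
    tx = {}
    for frame in iter_pcap_frames(pcap_bytes):
        parsed = parse_dhcp(frame)
        if parsed is None:
            continue
        xid, chaddr, msgtype = parsed
        t = tx.setdefault(xid, {"chaddr": None, "client": [], "server": []})
        if msgtype in SERVER_MSGS:
            t["server"].append(msgtype)
        else:
            t["chaddr"] = chaddr
            t["client"].append(msgtype)
    return {xid: (t["chaddr"], t["client"]) for xid, t in tx.items()
            if set(t["client"]) & CLIENT_WANTS_REPLY and not t["server"]}


def dhcp_frame(src_mac, src_ip, dst_ip, sport, dport, op, xid, chaddr, msgtype):
    """Build a constructed Ethernet/IPv4/UDP/BOOTP frame (checksums left zero)."""
    ip4 = lambda s: bytes(int(o) for o in s.split("."))
    mac = bytes.fromhex(chaddr.replace(":", ""))
    bootp = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", op, 1, 6, 0, xid, 0, 0x8000,
                        b"", b"", b"", b"", mac, b"", b"")  # 's' fields are NUL padded
    bootp += MAGIC_COOKIE + bytes([53, 1, msgtype, 255])
    udp = struct.pack("!HHHH", sport, dport, 8 + len(bootp), 0) + bootp
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     ip4(src_ip), ip4(dst_ip)) + udp
    return b"\xff" * 6 + bytes.fromhex(src_mac.replace(":", "")) + b"\x08\x00" + ip


def build_capture(frames):
    """Wrap frames in a little-endian libpcap file (magic 0xa1b2c3d4, Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for n, frame in enumerate(frames):
        out += struct.pack("<IIII", n, 0, len(frame), len(frame)) + frame
    return out


# Constructed sample: client A completes DORA, client B's DISCOVER is never answered.
CLIENT_A, CLIENT_B, FW = "02:00:00:00:00:0a", "02:00:00:00:00:0b", "02:00:00:00:00:fe"
SAMPLE_PCAP = build_capture([
    dhcp_frame(CLIENT_A, "0.0.0.0", "255.255.255.255", 68, 67, 1, 0x1111, CLIENT_A, 1),
    dhcp_frame(FW, "192.168.0.1", "255.255.255.255", 67, 68, 2, 0x1111, CLIENT_A, 2),
    dhcp_frame(CLIENT_A, "0.0.0.0", "255.255.255.255", 68, 67, 1, 0x1111, CLIENT_A, 3),
    dhcp_frame(FW, "192.168.0.1", "255.255.255.255", 67, 68, 2, 0x1111, CLIENT_A, 5),
    dhcp_frame(CLIENT_B, "0.0.0.0", "255.255.255.255", 68, 67, 1, 0x2222, CLIENT_B, 1),
    b"\xff" * 6 + b"\x02" * 6 + b"\x08\x06" + b"\0" * 28,  # ARP frame: skipped, not DHCP
])
```

Against a real export, call unanswered_transactions(open("dhcp-vr-0.pcap", "rb").read()); an empty result means every client transaction in the capture got a reply from dhcpd, while any xid listed points at a client whose request the daemon saw but did not answer, which is exactly the case a per-daemon capture is meant to isolate. Transactions are correlated by xid rather than by MAC so that a client retrying with a new xid shows up as a separate, unanswered attempt.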
Like learning about packet captures to troubleshoot daemons? Give it a thumbs up below.
Thanks!