Basics of Traffic Monitor Filtering

Basics of Traffic Monitor Filtering

191928
Created On 09/25/18 19:02 PM - Last Updated 03/03/20 04:45 AM


Environment
  • Any PAN-OS.
  • Palo Alto Firewall.


Resolution

When Trying to search for a log with a source IP, destination IP or any other flags, Filters can be used. The filters need to be put in the search section under GUI: Monitor > Logs > Traffic (or other logs). This document demonstrates several methods of filtering and looking for specific types of traffic on Palo Alto Networks firewalls. Categories of filters include host, zone, port, or date/time. At the end of the list, we include a few examples that combine various filters for more comprehensive searching.

Monitor

Host Traffic Filter Examples

  1. From Host a.a.a.a

         (addr.src in a.a.a.a)
          example: (addr.src in 1.1.1.1) 
          Explanation: shows all traffic from host ip address that matches 1.1.1.1 (addr.src in a.a.a.a)
 

  1. To Host b.b.b.b

         (addr.dst in b.b.b.b)
         example: (addr.dst in 2.2.2.2) 
         Explanation: shows all traffic with a destination address of a host that matches 2.2.2.2
 

  1. From Host a.a.a.a to Host b.b.b.b

        (addr.src in a.a.a.a) and (addr.dst in b.b.b.b)
        example: (addr.src in 1.1.1.1) and (addr.dst in 2.2.2.2)
        Explanation: shows all traffic coming from a host with an IP address of 1.1.1.1 and going to a host destination address of 2.2.2.2

 

  1. To Host Range

        Note that you cannot specify an actual range but can use CIDR notation to specify a network range of addresses
        (addr.src in a.a.a.a/CIDR)
        example:  (addr.src in 10.10.10.2/30)
        Explanation:  shows all traffic coming from addresses ranging from 10.10.10.1 - 10.10.10.3.
 

  1. To or From Host a.a.a.a

        (addr in a.a.a.a)
        example: (addr in 1.1.1.1) 
        Explanation: shows all traffic with a source OR destination address of a host that matches 1.1.1.1

 

Zone Traffic Filter Examples:

 
  1. From Zone zone_a

        (zone.src eq zone_a)
        example: (zone.src eq PROTECT)
        Explanation: shows all traffic coming from the PROTECT zone
 

  1. To Zone zone_b

        (zone.dst eq zone_b)
        example: (zone.dst eq OUTSIDE)
        Explanation: shows all traffic going out the OUTSIDE zone
 

  1. From Zone zone_a to Zone zone_b

          (zone.src eq zone_a) and (zone.dst eq zone_b)
          example: (zone.src eq PROTECT) and (zone.dst eq OUTSIDE)
          Explanation: shows all traffic traveling from the PROTECT zone and going out the OUTSIDE zone

 

Port Traffic Filter Examples:

 

  1. From Port aa

          (port.src eq aa)
          example: (port.src eq 22)
          Explanation: shows all traffic traveling from source port 22
 

  1. To Port aa

          (port.dst eq bb)
          example: (port.dst eq 25)
          Explanation: shows all traffic traveling to destination port 25
 

  1. From Port aa TO Port bb

          (port.src eq aa) and (port.dst eq bb)
          example: (port.src eq 23459) and (port.dst eq 22)
          Explanation: shows all traffic traveling from source port 23459 and traveling to destination port 22

 

  1. From All Ports Less Than or Equal To Port aa

          (port.src leq aa)
          example: (port.src leq 22)
          Explanation: shows all traffic traveling from source ports 1-22
 

  1. From All Ports Greater Than Or Equal To Port aa

          (port.src geq aa)
          example: (port.src geq 1024)
          Explanation: shows all traffic traveling from source ports 1024 - 65535
 

  1. To All Ports Less Than Or Equal To Port aa

         (port.dst leq aa)
         example: (port.dst leq 1024)
         Explanation: shows all traffic traveling to destination ports 1-1024
 

  1. To All Ports Greater Than Or Equal To Port aa

          (port.dst geq aa)
          example: (port.dst geq 1024)
          Explanation: shows all traffic traveling to destination ports 1024-65535
 

  1. From Port Range aa Through bb

          (port.src geq aa) and (port.src leq bb)
          example: (port.src geq 20) and (port.src leq 53)
          Explanation: shows all traffic traveling from source port range 20-53
 

  1. To Port Range aa Through bb

          (port.dst geq aa) and (port.dst leq bb)
          example: (port.dst geq 1024) and (port.dst leq 13002)
          Explanation: shows all traffic traveling to destination ports 1024 - 13002

 

Date/Time Traffic Filter Examples:

  1. All Traffic for a Specific Date yyyy/mm/dd And Time hh:mm:ss

         (receive_time eq 'yyyy/mm/dd hh:mm:ss')
         example: (receive_time eq '2015/08/31 08:30:00')
         Explanation: shows all traffic that was received on August 31, 2015 at 8:30am
 

  1. All Traffic Received On Or Before The Date yyyy/mm/dd And Time hh:mm:ss

          (receive_time leq 'yyyy/mm/dd hh:mm:ss')
          example: (receive_time leq '2015/08/31 08:30:00')
          Explanation: shows all traffic that was received on or before August 31, 2015 at 8:30am
 

  1. All Traffic Received On Or After The Date yyyy/mm/dd And Time hh:mm:ss

          (receive_time geq 'yyyy/mm/dd hh:mm:ss')
          example: (receive_time geq '2015/08/31 08:30:00')
          Explanation: shows all traffic that was received on or after August 31, 2015 at 8:30am

 

  1. All Traffic Received Between The Date-Time Range Of yyyy/mm/dd hh:mm:ss and YYYY/MM/DD HH:MM:SS

         (receive_time geq 'yyyy/mm/dd hh:mm:ss') and (receive_time leq 'YYYY/MM/DD HH:MM:SS')
         example: (receive_time geq '2015/08/30 08:30:00') and (receive_time leq '2015/08/31 01:25:00')
         Explanation: shows all traffic that was received between August 30, 2015 8:30am and August 31, 2015 01:25 am

 

Interface Traffic Filter Examples:

  1. All Traffic Inbound On Interface ethernet1/x

          (interface.src eq 'ethernet1/x')
          example: (interface.src eq 'ethernet1/2')
          Explanation: shows all traffic that was received on the PA Firewall interface Ethernet 1/2
 

  1. All Traffic Outbound On Interface ethernet1/x

          (interface.dst eq 'ethernet1/x')
          example: (interface.dst eq 'ethernet1/5')
          Explanation: shows all traffic that was sent out on the PA Firewall interface Ethernet 1/5

 

Allowed/Denied Traffic Filter Examples

  1. All Traffic That Has Been Allowed By The Firewall Rules

         (action eq allow)
          OR
         (action neq deny)

example: (action eq allow)
Explanation: shows all traffic allowed by the firewall rules.  Placing the letter 'n' in front of 'eq' means 'not equal to,' so anything not equal to 'deny' is displayed, which is any allowed traffic.
 

  1. All Traffic Denied By The FireWall Rules.

          (action eq deny)
          OR
         (action neq allow)

example: (action eq deny)
Explanation: shows all traffic denied by the firewall rules. Placing the letter 'n' in front of 'eq' means 'not equal to,' so anything not equal to 'allow' is displayed, which is any denied traffic.


Combining Traffic Filter Examples

  1. All Traffic From Zone Outside And Network 10.10.10.0/24 TO Host Address 20.20.20.21 In The Protect Zone:

          (zone.src eq OUTSIDE) and (addr.src in 10.10.10.0/24) and (addr.dst in 20.20.20.21) and (zone.dst eq PROTECT)
 

  1. All Traffic From Host 1.2.3.4 to Host 5.6.7.8 For The Time Range 8/30/2015 -08/31/2015

          (addr.src in 1.2.3.4) and (addr.dst in 5.6.7.8) and (receive_time geq '2015/08/30 00:00:00') and (receive_time leq '2015/08/31 23:59:59')
 



Additional Information
  • A good practice when drilling down into the traffic log when the search starts off with little to no information, is to start from least specific and add filters to more specific.
  • When troubleshooting, instead of directly filtering for a specific app, try filtering for all apps except the ones you know you don't need, for example '(app neq dns) and (app neq ssh)'
  • You can also throw in protocols you don't need (proto neq udp) or IP ranges ( addr.src notin 192.168.0.0/24 )
  • This practice helps you drill down to the traffic of interest without losing an overview by searching too narrowly from the start.

 



Attachments
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClSlCAK&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Attachments
Choose Language