Palo Alto Networks Knowledgebase: Disabling Session Offload to Record Traffic During Packet Capture

Created On 02/07/19 23:59 PM - Last Updated 02/07/19 23:59 PM
Resolution

Overview

This document describes what is excluded from packet captures taken on the Palo Alto Networks firewall due to session offloading and how to disable session offloading temporarily to capture all traffic.

 

Details

Packet captures in PAN-OS are performed strictly on the dataplane CPU. During the ingress stage the firewall performs packet parsing checks, and any packet discarded at that step will not appear in the capture. Traffic that has been offloaded by the firewall is also absent from the capture. Traffic that can be offloaded includes encrypted traffic (SSL/SSH), routing protocols (OSPF, BGP, RIP), traffic matching an application override, and terminating applications. For more information on session offloading, see: Why and When are Sessions Offloaded?

 

When troubleshooting an issue that requires a packet capture of all traffic, offloading can be disabled temporarily. Disabling session offload forces every packet through the dataplane CPU, where the capture is taken. Use the following operational-mode CLI command to disable offloading:

> set session offload no

 

Warning! Take care before disabling session offload: with offloading disabled, dataplane CPU utilization will rise, so if dataplane CPU is already high, schedule a maintenance window first. Some session types are never offloaded regardless of this setting, such as ARP and all other non-IP traffic, IPsec and VPN sessions, and TCP SYN, FIN and RST packets. Traffic that requires content scanning is also processed by the dataplane CPU and is therefore already included in the packet capture.

 

After the packet capture is complete, make sure to re-enable session offload:

> set session offload yes

 

The command "set session offload no" is executed in operational mode and is not persistent: it does not survive a commit or a device reboot. After a manual commit, an auto-commit, or a reboot, the session offload setting reverts to its default, which is enabled.
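The complete capture workflow, as an added example that is not part of the original article: it wraps the offload commands above around the standard PAN-OS packet-diag capture commands and checks the offload state before and after. The filter addresses (10.0.0.5 and 192.0.2.10), the pcap file names and the export destination are assumptions for illustration, and the "Hardware session offloading" line is the field the author assumes "show session info" reports on offload-capable platforms; the output lines shown are illustrative, not captured from a device.

```text
Step 1: disable offload (operational mode, non-persistent) and confirm it took effect
> set session offload no
> show session info | match offload
Hardware session offloading:                    False

Step 2: clear any earlier filter/capture settings, then filter on the flow under
        investigation in both directions (addresses are assumed)
> debug dataplane packet-diag clear all
> debug dataplane packet-diag set filter match source 10.0.0.5 destination 192.0.2.10
> debug dataplane packet-diag set filter match source 192.0.2.10 destination 10.0.0.5
> debug dataplane packet-diag set filter on

Step 3: capture every stage; the drop stage records packets the firewall discards
> debug dataplane packet-diag set capture stage receive file rx.pcap
> debug dataplane packet-diag set capture stage transmit file tx.pcap
> debug dataplane packet-diag set capture stage firewall file fw.pcap
> debug dataplane packet-diag set capture stage drop file drop.pcap
> debug dataplane packet-diag set capture on
> debug dataplane packet-diag show setting

Step 4: reproduce the problem, then stop the capture and remove the filter
> debug dataplane packet-diag set capture off
> debug dataplane packet-diag set filter off
> debug dataplane packet-diag clear all

Step 5: re-enable offload and confirm before closing the CLI session
> set session offload yes
> show session info | match offload
Hardware session offloading:                    True

Step 6: copy the captures off the firewall for analysis (destination is assumed)
> scp export filter-pcap from rx.pcap to analyst@10.0.0.20:/captures/
```

The check in step 1 matters because the operational-mode setting reverts on any commit: if a commit or auto-commit happens while the capture is running, offloaded flows silently disappear from the pcap again. For captures that must span a commit, use the configuration-mode form described below and revert it afterwards.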

 

To make the setting persistent across commits and reboots, configure it from configuration mode instead:

 

> configure
# set deviceconfig setting session offload no
# commit

 

To revert the change made from configuration mode, run either of the following:

 

# set deviceconfig setting session offload yes
# commit

 or 

# delete deviceconfig setting session offload
# commit

 

The following Palo Alto Networks platforms support offloading:

PA-2000, PA-3050, PA-3060, PA-4000, PA-5000, and PA-7000

 

owner: pmak



https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CldYCAS&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail