Disabling Session Offload to Record Traffic During Packet Capture

Disabling Session Offload to Record Traffic During Packet Capture

130420
Created On 09/25/18 19:48 PM - Last Modified 01/23/24 14:11 PM


Symptom


Packet captures in PAN-OS are performed strictly in the dataplane CPU on the firewall. During the ingress stage, the firewall performs packet parsing checks and any packets discarded at this step will not be included in the packet capture. Any traffic that is offloaded by the firewall will also not be included in the packet capture. Offloading means that traffic is offloaded to a hardware chip, for faster packet processing. Traffic such as encrypted traffic (SSL/SSH), network protocols (OSPF, BGP, RIP), application overrides, and terminating applications can be offloaded. 

 



Environment


  • Palo Alto Firewall
  • PAN-OS 8.1 and above


Resolution


When troubleshooting an issue that requires the packet capture of all traffic, Offloading can be temporarily disabled. Disabling session offload forces all traffic to be processed by the dataplane CPU. Use the following CLI command to temporarily disable offloading from the CLI:

> set session offload no

Warning! Care should be taken before disabling the session offload feature: Disabling offloading will increase the dataplane CPU. Schedule a maintenance window to avoid outage due to high dataplane CPU. Some types of sessions will never be offloaded, such as ARP, all non-IP traffic, IPSEC, vpn sessions, SYN, FIN, and RST packets. Traffic requiring scanning will be included in the packet capture.


After the packet captures are complete, please make sure to re-enable session offload:

> set session offload yes

The above command "set session offload no" is executed in operational mode and is not persistent: it will not survive a commit or a device reboot. If a manual commit is done, an auto-commit is triggered or if the device is rebooted, the session offload setting reverts back to default settings, which is the enabled state.


To make the settings persistent and survive a commit or reboot, we need to configure it from the configuration mode with the following command: 

> configure
# set deviceconfig setting session offload no
# commit


To revert the changes made from configuration mode, please execute the below commands,

> configure
# set deviceconfig setting session offload yes 
# commit

      OR
> configure
# delete deviceconfig setting session offload
# commit
 

Starting from PAN-OS 10.1, to avoid impacting overall system performance, offload can be selectively disabled for specific IP addresses and ports.

Instead of disabling session offload globally for all traffic, session offload can be disabled only for the specific filter defined in the packet capture.

Set the capture filter from GUI: Monitor > Packet capture > Manage Filters > Enter the filter and switch the Filtering button to ON.

Execute the following command to disable offload only for the filtered sessions:

> debug dataplane packet-diag set filter offload no
After the capture is taken, run the command below to enable session offload back again:
> debug dataplane packet-diag set filter offload yes


Additional Information


  • Offloading is supported on PA-2000, PA-3050, PA-3060, PA-3060, PA-4000, PA-5000, and PA-7000
  • To verify if session offload is back on run command show session info and look for "session offloading"
> show session info | match offloading
          Hardware session offloading:                   True
          Hardware UDP session offloading:               True

 



Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CldYCAS&lang=en_US&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Choose Language