Disabling Session Offload to Record Traffic During Packet Capture
130420
Created On 09/25/18 19:48 PM - Last Modified 01/23/24 14:11 PM
Symptom
Packet captures in PAN-OS are performed strictly in the dataplane CPU on the firewall. During the ingress stage, the firewall performs packet parsing checks, and any packets discarded at this step are not included in the packet capture. Offloaded traffic is also not included in the packet capture. Offloading means that the firewall hands traffic to a hardware chip for faster packet processing. Traffic such as encrypted traffic (SSL/SSH), network protocols (OSPF, BGP, RIP), application overrides, and terminating applications can be offloaded.
Environment
- Palo Alto Firewall
- PAN-OS 8.1 and above
Resolution
Additional Information
- Offloading is supported on PA-2000, PA-3050, PA-3060, PA-4000, PA-5000, and PA-7000
- To verify that session offload is back on, run the command show session info and look for "session offloading"

    > show session info | match offloading
    Hardware session offloading: True
    Hardware UDP session offloading: True
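
The check above can be run mechanically against saved CLI output, both while a capture is running (offload should be off) and after it ends (offload should be back on). This Python sketch is an added example, not Palo Alto Networks code; the function names and phase labels are assumptions, and the sample outputs are constructed from the two lines shown above.

```python
import re

# Matches the two lines printed by `show session info | match offloading`.
_LINE = re.compile(r"^\s*Hardware (UDP )?session offloading:\s*(\S+)\s*$", re.I)

# Constructed samples: SAMPLE_ON mirrors the output shown on this page,
# SAMPLE_OFF is the same output with the values flipped.
SAMPLE_ON = """> show session info | match offloading
Hardware session offloading: True
Hardware UDP session offloading: True
"""
SAMPLE_OFF = SAMPLE_ON.replace("True", "False")


def parse_offload_state(cli_output):
    """Return {'session': bool|None, 'udp_session': bool|None}.

    None means the line was absent, for example on a platform without
    hardware offload or when the output was truncated.
    """
    state = {"session": None, "udp_session": None}
    for line in cli_output.splitlines():
        m = _LINE.match(line)
        if not m:
            continue  # prompt echo or unrelated line
        value = m.group(2).lower()
        if value not in ("true", "false"):
            raise ValueError(f"unexpected offload value: {line.strip()!r}")
        state["udp_session" if m.group(1) else "session"] = value == "true"
    return state


def check_offload(cli_output, phase):
    """Compare the parsed state with what the capture phase requires.

    phase 'during_capture' expects offload off, so the dataplane CPU sees
    every packet; 'after_capture' expects offload back on.
    Returns (verdict, offending_keys); verdict is ok, mismatch or unknown.
    """
    if phase not in ("during_capture", "after_capture"):
        raise ValueError(f"unknown phase: {phase!r}")
    state = parse_offload_state(cli_output)
    missing = [k for k, v in state.items() if v is None]
    if missing:
        return ("unknown", missing)
    want = phase == "after_capture"
    wrong = [k for k, v in state.items() if v is not want]
    return ("mismatch", wrong) if wrong else ("ok", [])
```

A "mismatch" during a capture means offloaded sessions may be missing from the pcap; a "mismatch" afterwards means offload was left disabled.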