Applied Packet-Filters Not Capturing Post-NAT Traffic

Created On 03/30/19 02:17 AM - Last Modified 07/19/22 23:14 PM


Symptom


In certain cases, when you run a packet capture with a packet-filter on traffic that is subject to NAT, some packets do not appear in the pcaps. This can lead to the mistaken assumption that the device is not forwarding or receiving the traffic.


Assume the following topology:

Src A ---- (trust eth1/2) ---- FW (untrust eth1/1 IP B) ---- Server IP C (port c)
Src A is Source NATed to IP B on the firewall when reaching server IP C.

 

Packet-filter setting:

Id 1 – Source "IP A" and Destination "IP C"
Stages captured: rx (receive) and tx (transmit)

With the above filter, only the rx stage is captured, not tx. This means that the post-source-NAT traffic at the tx stage is not captured.



Environment


Firewall running PAN-OS 7.1.11 or above.
Device with a packet-filter enabled and the packet-capture utility turned on.

Cause


In PAN-OS 7.1.11 and later, the filter was modified to run a strict check that matches exactly the IP addresses configured on the filters. As a result, post-NAT translated packets are not captured if the packet-filters are set only to the pre-NAT IPs.

Resolution


If you would like to capture end-to-end traffic, the filters need to have both pre- and post-NAT IPs configured.

For how to run a packet capture, refer to: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClVoCAK
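
The strict match described under Cause, and the effect of the filter set given under Resolution, as an added example: a simplified Python model, not PAN-OS code or anything from the original article. The addresses are constructed documentation IPs standing in for A, B and C, and filter Id 2 (source IP B, destination IP C) is an assumed second filter holding the post-NAT address.

```python
"""Simplified model of the strict packet-filter match with source NAT (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address

# Constructed documentation addresses standing in for the article's A, B and C.
IP_A = "192.0.2.10"     # Src A (trust side)
IP_B = "198.51.100.1"   # firewall untrust IP B, the source-NAT address
IP_C = "203.0.113.80"   # Server IP C


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


@dataclass(frozen=True)
class Filter:
    fid: int
    src: str
    dst: str

    def matches(self, pkt: Packet) -> bool:
        # Strict check: both configured addresses must equal the packet's exactly.
        return (ip_address(self.src) == ip_address(pkt.src)
                and ip_address(self.dst) == ip_address(pkt.dst))


def stage_views(pkt: Packet, nat_src: str) -> dict:
    """The same packet as seen at rx (pre-NAT) and at tx (after source NAT)."""
    return {"rx": pkt, "tx": Packet(nat_src, pkt.dst)}


def captured_stages(filters, pkt: Packet, nat_src: str) -> dict:
    """Map each stage to the ids of the filters that match the packet there."""
    return {stage: [f.fid for f in filters if f.matches(seen)]
            for stage, seen in stage_views(pkt, nat_src).items()}


def uncovered_stages(filters, pkt: Packet, nat_src: str) -> list:
    """Stages at which no filter matches, i.e. where the pcap stays empty."""
    return [s for s, ids in captured_stages(filters, pkt, nat_src).items() if not ids]


if __name__ == "__main__":
    pre_nat_only = [Filter(1, IP_A, IP_C)]
    both = pre_nat_only + [Filter(2, IP_B, IP_C)]
    for name, fs in (("pre-NAT only", pre_nat_only), ("pre- and post-NAT", both)):
        print(name, captured_stages(fs, Packet(IP_A, IP_C), IP_B))
```

An empty tx capture with a populated rx capture is therefore the expected result of a pre-NAT-only filter, not by itself evidence that the firewall dropped the packet.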

