Best Practice Guide for Data Collection while opening a Palo Alto Networks support case for Firewall products

Created On 07/02/21 03:35 AM - Last Modified 03/17/22 20:07 PM


Environment


  • Firewall platform (physical or virtual).
  • Any PAN-OS.


Resolution


NOTE: Answer N/A wherever a question does not apply.

1. Issue Details

Q1.  What is the nature of the issue? (e.g. traffic on custom port 1556 not working for some users)
Q2.  Is the issue currently impacting business operations?
Q3.  What confirmed indicators associated with the issue can be shared?
Q4.  Is the issue observed for any specific application/protocol or is it observed for all applications/protocols?


2. Environment Specifics

Q5.   Is this a new configuration/deployment or an existing one?
Q6.   If existing, have any changes been made to the existing setup recently which could have caused this issue?
Q7.   Is the issue observed in a particular environment? (e.g. Prod Firewall but not on Dev Firewall)
Q8.   Is the issue impacting one user, multiple users, a group of users or all users?
Q9.   What is the machine model and OS version of affected users? (e.g. macOS Catalina, version 10.15)
Q10. What is the affected device model and OS version? (e.g. PA-3220 running PAN-OS version 9.0.12)
 

3. Timeline Details

  • Share the following details in the time zone of the device or platform.
  • E.g. if the device is running in the AEST time zone, the following details should be given in AEST.
Q11.  What is the time zone set on the Firewall? (e.g. UTC, AEST, PST etc.)
Q12.  What is the exact date and time of the first occurrence of this issue? (e.g. Saturday, 3rd July, 8am AEST)
Q13.  What is the exact date and time of the last occurrence of this issue?
Q14.  Is the issue intermittent or continuous in nature?
Q15.  Does the issue occur during a particular time frame of the day?
Q16.  Is the issue still present or was it a one-time occurrence?
 

4. Topology Diagram

  • While a complete topology of the network or infrastructure is not required, it is important for us to understand where the device or platform sits in relation to the impacted host(s).
  • A simple line diagram or network topology attached to the case is sufficient. A concise written description of the topology can be provided instead.
    E.g. [Affected host] 192.168.1.10 -- [Switch] -- [Load Balancer] -- [Firewall] -- [ISP Switch] -- {Internet} -- 1.1.1.1 [Server]

 

5. Data from Device

I. Tech Support File (TSF)

NOTE: Generate the latest TSF of the device after the issue occurrence.
 

II. Packet Captures

 

III. Global Counters

  • While Packet Captures help in capturing drops and other packet handling on the device, Global Counters help in isolating the issue and highlighting the reason behind any drops, errors or warnings.
  • Most often, the following command output is sufficient to narrow down the issue.
    > show counter global filter packet-filter yes delta yes
    (Run this command 10 - 15 times within an interval of 1 second while the issue is occurring)
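
Before attaching the repeated runs to the case, it helps to see which non-info counters incremented and in how many of the runs. The script below is an added example, not part of the original article or a Palo Alto Networks tool: it totals the delta values per counter across all pasted runs. The sample text is constructed, and the column layout (name, value, rate, severity, category, aspect, description) and the severity names are assumptions about the CLI output.

```python
import re
from collections import defaultdict

# Constructed sample: two pasted runs, using the usual column layout (assumed).
SAMPLE = """\
Global counters:
Elapsed time since last sampling: 1.012 seconds
name                     value     rate severity  category  aspect    description
--------------------------------------------------------------------------------
pkt_recv                    42       41 info      packet    pktproc   Packets received
flow_policy_deny             3        2 drop      flow      session   Session setup: denied by policy
--------------------------------------------------------------------------------
Total counters shown: 2
Global counters:
Elapsed time since last sampling: 1.004 seconds
name                     value     rate severity  category  aspect    description
--------------------------------------------------------------------------------
pkt_recv                    40       39 info      packet    pktproc   Packets received
flow_policy_deny             5        4 drop      flow      session   Session setup: denied by policy
flow_tcp_non_syn_drop        1        0 drop      flow      session   Packets dropped: non-SYN TCP without session match
--------------------------------------------------------------------------------
Total counters shown: 3
"""

# name, delta value, rate, severity, category, aspect, description
ROW = re.compile(r"^(\S+)\s+(\d+)\s+(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.+)$")

def summarize(text, severities=("drop", "warn", "error")):
    """Return (runs, rows): per-counter delta totals over all runs, largest first."""
    totals = defaultdict(lambda: [0, 0, "", ""])  # total, runs seen, severity, description
    runs = 0
    for line in text.splitlines():
        if line.startswith("Global counters:"):
            runs += 1  # each run of the command prints this banner once
            continue
        m = ROW.match(line.strip())
        if m and m.group(4) in severities:
            entry = totals[m.group(1)]
            entry[0] += int(m.group(2))
            entry[1] += 1
            entry[2], entry[3] = m.group(4), m.group(7)
    rows = [(name, *vals) for name, vals in totals.items()]
    return runs, sorted(rows, key=lambda r: (-r[1], r[0]))

if __name__ == "__main__":
    runs, rows = summarize(SAMPLE)
    for name, total, seen, severity, desc in rows:
        print(f"{name:<24}{total:>6}  seen in {seen}/{runs} runs  [{severity}] {desc}")
```

A counter that appears in most runs with a steadily growing total is a better lead than one that appears once; attach the raw outputs to the case as well, since the summary drops the info-level counters.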

IV. GlobalProtect Client (If applicable)

6. Additional Information

Q17. Are there any 3rd Party elements or resources involved in this issue?
Q18. Are other parties already involved in or briefed on this issue?

