Basics of Traffic Monitor Filtering

Knowledge Base, Palo Alto Networks
Created On 09/25/18 19:02 PM - Last Updated 03/03/20 04:45 AM
Traffic Log, Device Management, PAN-OS 7.1, 8.1, 9.0

Environment
Any PAN-OS.
Palo Alto Firewall.

Resolution
When searching for a log entry by source IP, destination IP or any other field, filters can be used. Filters are entered in the search bar under GUI: Monitor > Logs > Traffic (or the other log types). This document demonstrates several methods of filtering and looking for specific types of traffic on Palo Alto Networks firewalls. Categories of filters include host, zone, port and date/time. At the end of the list are a few examples that combine several filters for more comprehensive searching.

Host Traffic Filter Examples

1. From Host a.a.a.a

         (addr.src in a.a.a.a)
         example: (addr.src in [Link])
         Explanation: shows all traffic from the host whose source IP address matches [Link]

2. To Host b.b.b.b

         (addr.dst in b.b.b.b)
         example: (addr.dst in [Link])
         Explanation: shows all traffic with a destination address that matches [Link]

3. From Host a.a.a.a to Host b.b.b.b

         (addr.src in a.a.a.a) and (addr.dst in b.b.b.b)
         example: (addr.src in [Link]) and (addr.dst in [Link])
         Explanation: shows all traffic coming from the host with IP address [Link] and going to the host with destination address [Link]

4. From Host Range (CIDR)

         Note that you cannot specify an arbitrary range, but you can use CIDR notation to specify a network block of addresses. The same form works with addr.dst for destination ranges.
         (addr.src in a.a.a.a/CIDR)
         example: (addr.src in [Link]/30)
         Explanation: shows all traffic coming from the four addresses of the /30 block, [Link] - [Link]

5. To or From Host a.a.a.a

         (addr in a.a.a.a)
         example: (addr in [Link])
         Explanation: shows all traffic with a source OR destination address that matches [Link]

Zone Traffic Filter Examples:


 
1. From Zone zone_a

         (zone.src eq zone_a)
         example: (zone.src eq PROTECT)
         Explanation: shows all traffic coming from the PROTECT zone

2. To Zone zone_b

         (zone.dst eq zone_b)
         example: (zone.dst eq OUTSIDE)
         Explanation: shows all traffic going out the OUTSIDE zone

3. From Zone zone_a to Zone zone_b

         (zone.src eq zone_a) and (zone.dst eq zone_b)
         example: (zone.src eq PROTECT) and (zone.dst eq OUTSIDE)
         Explanation: shows all traffic travelling from the PROTECT zone and going out the OUTSIDE zone

Port Traffic Filter Examples:


 

1. From Port aa

         (port.src eq aa)
         example: (port.src eq 22)
         Explanation: shows all traffic with source port 22

2. To Port aa

         (port.dst eq aa)
         example: (port.dst eq 25)
         Explanation: shows all traffic with destination port 25

3. From Port aa To Port bb

         (port.src eq aa) and (port.dst eq bb)
         example: (port.src eq 23459) and (port.dst eq 22)
         Explanation: shows all traffic from source port 23459 to destination port 22

4. From All Ports Less Than or Equal To Port aa

         (port.src leq aa)
         example: (port.src leq 22)
         Explanation: shows all traffic from source ports 0-22. Note that sessions that carry no port, such as ICMP, are logged with port 0 and therefore also match a leq filter; add (proto eq tcp) or (proto eq udp) if that is not wanted.

5. From All Ports Greater Than or Equal To Port aa

         (port.src geq aa)
         example: (port.src geq 1024)
         Explanation: shows all traffic from source ports 1024-65535

6. To All Ports Less Than or Equal To Port aa

         (port.dst leq aa)
         example: (port.dst leq 1024)
         Explanation: shows all traffic to destination ports 0-1024

7. To All Ports Greater Than or Equal To Port aa

         (port.dst geq aa)
         example: (port.dst geq 1024)
         Explanation: shows all traffic to destination ports 1024-65535

8. From Port Range aa Through bb

         (port.src geq aa) and (port.src leq bb)
         example: (port.src geq 20) and (port.src leq 53)
         Explanation: shows all traffic from source ports 20-53, both ends inclusive

9. To Port Range aa Through bb

         (port.dst geq aa) and (port.dst leq bb)
         example: (port.dst geq 1024) and (port.dst leq 13002)
         Explanation: shows all traffic to destination ports 1024-13002, both ends inclusive

Date/Time Traffic Filter Examples:

1. All Traffic for a Specific Date yyyy/mm/dd And Time hh:mm:ss

         (receive_time eq 'yyyy/mm/dd hh:mm:ss')
         example: (receive_time eq '2015/08/31 08:30:00')
         Explanation: shows all traffic that was received on August 31, 2015 at 8:30:00 am. Because eq matches that exact second only, a geq/leq range (examples 2-4) is usually the more useful form.

2. All Traffic Received On Or Before The Date yyyy/mm/dd And Time hh:mm:ss

         (receive_time leq 'yyyy/mm/dd hh:mm:ss')
         example: (receive_time leq '2015/08/31 08:30:00')
         Explanation: shows all traffic that was received on or before August 31, 2015 at 8:30am

3. All Traffic Received On Or After The Date yyyy/mm/dd And Time hh:mm:ss

         (receive_time geq 'yyyy/mm/dd hh:mm:ss')
         example: (receive_time geq '2015/08/31 08:30:00')
         Explanation: shows all traffic that was received on or after August 31, 2015 at 8:30am

4. All Traffic Received Between The Date-Time Range Of yyyy/mm/dd hh:mm:ss and YYYY/MM/DD HH:MM:SS

         (receive_time geq 'yyyy/mm/dd hh:mm:ss') and (receive_time leq 'YYYY/MM/DD HH:MM:SS')
         example: (receive_time geq '2015/08/30 08:30:00') and (receive_time leq '2015/08/31 01:25:00')
         Explanation: shows all traffic that was received between August 30, 2015 8:30am and August 31, 2015 1:25am

Interface Traffic Filter Examples:

1. All Traffic Inbound On Interface ethernet1/x

         (interface.src eq 'ethernet1/x')
         example: (interface.src eq 'ethernet1/2')
         Explanation: shows all traffic that was received on the firewall interface ethernet1/2

2. All Traffic Outbound On Interface ethernet1/x

         (interface.dst eq 'ethernet1/x')
         example: (interface.dst eq 'ethernet1/5')
         Explanation: shows all traffic that was sent out on the firewall interface ethernet1/5

Allowed/Denied Traffic Filter Examples

1. All Traffic That Has Been Allowed By The Firewall Rules

         (action eq allow)
          OR
         (action neq deny)

example: (action eq allow)

Explanation: shows all traffic allowed by the firewall rules. Placing the letter 'n' in front of 'eq' means 'not equal to', so (action neq deny) displays everything whose action is not 'deny'. Be aware that this is broader than allowed traffic: the traffic log also records actions such as drop, reset-client, reset-server and reset-both, and those entries pass (action neq deny) as well. Use (action eq allow) when only allowed sessions are wanted.

2. All Traffic Denied By The Firewall Rules

         (action eq deny)
          OR
         (action neq allow)

example: (action eq deny)

Explanation: shows all traffic denied by the firewall rules. (action neq allow) displays everything that was not allowed, which includes deny together with the drop and reset actions; (action eq deny) shows only the sessions logged with the deny action itself.

Combining Traffic Filter Examples

1. All Traffic From Zone OUTSIDE And Network [Link]/24 To Host Address [Link] In The PROTECT Zone

         (zone.src eq OUTSIDE) and (addr.src in [Link]/24) and (addr.dst in [Link]) and (zone.dst eq PROTECT)

2. All Traffic From Host [Link] To Host [Link] For The Time Range 8/30/2015 - 8/31/2015

         (addr.src in [Link]) and (addr.dst in [Link]) and (receive_time geq '2015/08/30 [Link]') and (receive_time leq '2015/08/31 [Link]')
 

Additional Information
A good practice when drilling down into the traffic log, when the search starts with little or no information, is to begin with the least specific filter and add filters to become more specific.
When troubleshooting, instead of filtering directly for a specific application, try filtering for all applications except the ones you know you do not need, for example '(app neq dns) and (app neq ssh)'. You can also exclude protocols you do not need, (proto neq udp), or IP ranges, (addr.src notin [Link]/24).
This practice helps you drill down to the traffic of interest without losing the overview by searching too narrowly from the start.
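The operator semantics used throughout this article (eq/neq/leq/geq, in/notin with a host or CIDR block, bare addr matching either end, and/or grouping) can be tried offline with the following Python. It is an added example, not Palo Alto Networks code and not how the firewall itself evaluates filters: it re-implements the documented behaviour over a handful of constructed log records so that a filter can be checked before it is typed into Monitor > Logs. The sample records, the field names used as dictionary keys, and the choice that 'and' binds tighter than 'or' are assumptions of this example; in the GUI, parenthesise mixed and/or filters rather than relying on precedence.

```python
import ipaddress
import operator
import re
from collections import Counter


def _rec(src, dst, zsrc, zdst, sport, dport, app, proto, action, ifin, ifout, when):
    """Build one constructed log record keyed by the filter field names."""
    return {"addr.src": src, "addr.dst": dst, "zone.src": zsrc, "zone.dst": zdst,
            "port.src": sport, "port.dst": dport, "app": app, "proto": proto,
            "action": action, "interface.src": ifin, "interface.dst": ifout,
            "receive_time": when}

# Constructed sample log, not real firewall output. Ports are ints; times use the
# 'yyyy/mm/dd hh:mm:ss' form the GUI expects, which orders correctly as text.
SAMPLE_LOGS = [
    _rec("10.1.1.5", "192.0.2.10", "PROTECT", "OUTSIDE", 51234, 443, "ssl", "tcp", "allow", "ethernet1/2", "ethernet1/5", "2015/08/31 08:30:00"),
    _rec("198.51.100.7", "10.1.1.20", "OUTSIDE", "PROTECT", 40000, 25, "smtp", "tcp", "deny", "ethernet1/5", "ethernet1/2", "2015/08/31 09:15:42"),
    _rec("198.51.100.9", "10.1.1.22", "OUTSIDE", "PROTECT", 53000, 22, "ssh", "tcp", "drop", "ethernet1/5", "ethernet1/2", "2015/08/30 23:59:59"),
    _rec("10.1.1.8", "203.0.113.4", "PROTECT", "OUTSIDE", 33000, 53, "dns", "udp", "reset-both", "ethernet1/2", "ethernet1/5", "2015/08/31 01:25:00"),
]

# Tokens: parentheses, single-quoted values (which may contain spaces), bare words.
TOKEN = re.compile(r"\(|\)|'[^']*'|[^\s()']+")
COMPARE = {"eq": operator.eq, "neq": operator.ne, "leq": operator.le, "geq": operator.ge}


class Filter:
    """Parse one filter expression into a small tree and test records against it."""

    def __init__(self, expr):
        self.tokens, self.pos = TOKEN.findall(expr), 0
        self.tree = self._or()
        if self.pos != len(self.tokens):
            raise ValueError("unexpected token %r" % self.tokens[self.pos])

    def _peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None

    def _take(self):
        if self._peek() is None:
            raise ValueError("filter ended early")
        self.pos += 1
        return self.tokens[self.pos - 1]

    # Assumption of this evaluator: 'and' binds tighter than 'or'.
    def _or(self):
        node = self._and()
        while self._peek() == "or":
            self._take()
            node = ("or", node, self._and())
        return node

    def _and(self):
        node = self._term()
        while self._peek() == "and":
            self._take()
            node = ("and", node, self._term())
        return node

    def _term(self):
        tok = self._take()
        if tok == "(":
            node = self._or()
            if self._take() != ")":
                raise ValueError("missing ')'")
            return node
        field, op, value = tok, self._take(), self._take().strip("'")
        if op not in COMPARE and op not in ("in", "notin"):
            raise ValueError("unknown operator %r" % op)
        return ("cmp", field, op, value)

    def matches(self, rec):
        return self._eval(self.tree, rec)

    def _eval(self, node, rec):
        if node[0] == "and":
            return self._eval(node[1], rec) and self._eval(node[2], rec)
        if node[0] == "or":
            return self._eval(node[1], rec) or self._eval(node[2], rec)
        _, field, op, value = node
        if op in ("in", "notin"):
            # 'in' takes a host or a CIDR block (a bare host becomes a /32);
            # the bare 'addr' field matches either end of the flow.
            net = ipaddress.ip_network(value, strict=False)
            keys = ("addr.src", "addr.dst") if field == "addr" else (field,)
            hit = any(ipaddress.ip_address(rec[k]) in net for k in keys if k in rec)
            return hit if op == "in" else not hit
        actual = rec.get(field)
        if actual is None:  # unknown field never matches
            return False
        return COMPARE[op](actual, int(value) if isinstance(actual, int) else value)


def search(expr, logs=SAMPLE_LOGS):
    """Records matching the filter, in log order."""
    flt = Filter(expr)
    return [rec for rec in logs if flt.matches(rec)]


def breakdown(expr, field, logs=SAMPLE_LOGS):
    """Counts of one field's values among the matches: the 'start wide, then
    exclude what you do not need' drill-down described under Additional Information."""
    return dict(Counter(rec[field] for rec in search(expr, logs)))


if __name__ == "__main__":
    # (action neq deny) is not the same as allowed traffic: drop and reset
    # actions pass it too, so prefer (action eq allow) for allowed sessions.
    print(len(search("(action eq allow)")), len(search("(action neq deny)")))
    print(breakdown("(zone.src eq OUTSIDE)", "app"))
```

Running the block shows 1 allowed record against 3 for (action neq deny), the difference being the drop and reset-both entries, and an application breakdown for the OUTSIDE zone that suggests which (app neq ...) exclusions to add next.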

© 2020 Palo Alto Networks, Inc. All rights reserved.