Palo Alto Firewall: Identifying System and Traffic Issues
This guide provides a comprehensive overview of using both the Web Interface and CLI tools to identify and troubleshoot system and traffic issues on Palo Alto Networks firewalls.
1. Web Interface Tools
1.1. Monitor Tab
- Traffic Logs: View session logs including applications, users, source/destination IPs, and rule hits. Utilize filters to narrow down specific traffic patterns.
- Threat Logs: Detect exploits, viruses, spyware, and URL filtering events.
- System Logs: Monitor system-level events such as HA state changes and configuration changes.
- ACC (Application Command Center): Provides a visual representation of traffic patterns, applications, and threats.
1.2. Dashboard
- System Resources: Monitor CPU, memory usage, and session information.
- Interface Statistics: View real-time statistics for each interface, including errors and discards.
2. CLI Tools
2.1. Basic Commands
show system info
show system resources
show session all
show interface all
2.2. Advanced Troubleshooting
debug dataplane packet-diag set filter match source <source-ip> destination <destination-ip>
debug dataplane packet-diag set filter on
debug dataplane packet-diag set capture on
debug dataplane packet-diag aggregate-logs
2.3. Log Analysis
less mp-log syslog.log
less mp-log pan_log.log
3. Common Issues to Investigate
- High CPU usage (Management/Data Plane)
- Session drops or resets
- High packet loss on interfaces
- Unseen applications due to App-ID failure
4. Mermaid Flow Diagram: Packet Processing and Troubleshooting Steps
flowchart TD
A[Start: Identify Issue] --> B{Source of Issue?}
B -->|System| C[Check CPU/Memory: 'show system resources']
B -->|Traffic| D[Check Traffic Logs / ACC]
C --> E[Look for resource spikes]
D --> F[Find sessions with unexpected drop/reset]
F --> G[Inspect session: 'show session all filter']
G --> H[Use packet capture if needed]
H --> I[Analyze capture files via CLI or Web]
I --> Z[Resolve or escalate]
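The Traffic branch of the flow above (find sessions with unexpected drops or resets, then inspect them) can be scripted against an exported traffic log. The Python below is an added example, not part of the original guide or any vendor tooling: it groups sessions per flow and flags flows where most sessions ended abnormally. Assumptions: the CSV column names, the `ABNORMAL` set, the thresholds and the hypothetical `triage` helper; the sample rows are constructed.

```python
import csv
import io
from collections import Counter, defaultdict

# Constructed sample rows, not real logs. Column names are an assumption
# modelled on a traffic log CSV export; match them to your export's header.
SAMPLE_CSV = """Source address,Destination address,Destination Port,Application,Rule,Session End Reason
10.1.1.10,192.0.2.20,443,ssl,allow-web,tcp-rst-from-server
10.1.1.10,192.0.2.20,443,ssl,allow-web,tcp-rst-from-server
10.1.1.10,192.0.2.20,443,ssl,allow-web,tcp-fin
10.1.1.10,192.0.2.20,443,ssl,allow-web,tcp-rst-from-server
10.1.1.11,198.51.100.5,53,dns,allow-dns,aged-out
10.1.1.11,198.51.100.5,53,dns,allow-dns,aged-out
10.1.1.11,198.51.100.5,53,dns,allow-dns,aged-out
10.1.1.12,203.0.113.9,22,ssh,interzone-default,policy-deny
"""

# End reasons treated as abnormal for triage (assumed set, extend as needed).
ABNORMAL = {"tcp-rst-from-client", "tcp-rst-from-server", "policy-deny",
            "threat", "resources-unavailable"}

def triage(csv_text, min_sessions=3, threshold=0.5):
    """Flag flows with >= min_sessions where >= threshold ended abnormally."""
    totals, reasons = Counter(), defaultdict(Counter)
    for row in csv.DictReader(io.StringIO(csv_text)):
        flow = (row["Source address"], row["Destination address"],
                row["Destination Port"], row["Application"], row["Rule"])
        totals[flow] += 1
        reason = row["Session End Reason"].strip().lower()
        if reason in ABNORMAL:
            reasons[flow][reason] += 1
    findings = []
    for flow, total in totals.items():
        bad = sum(reasons[flow].values())
        if total < min_sessions or bad == 0 or bad / total < threshold:
            continue
        src, dst = flow[:2]
        findings.append({
            "flow": flow, "sessions": total, "abnormal": bad,
            "top_reason": reasons[flow].most_common(1)[0][0],
            # Follow-ups: CLI session lookup and a Monitor > Traffic log filter.
            "cli": f"show session all filter source {src} destination {dst}",
            "ui_filter": f"( addr.src in {src} ) and ( addr.dst in {dst} )",
        })
    return sorted(findings, key=lambda f: f["abnormal"], reverse=True)

if __name__ == "__main__":
    for finding in triage(SAMPLE_CSV):
        print(finding)
```

On the sample data only the HTTPS flow is flagged; the single denied SSH session stays below `min_sessions`, which keeps one-off events out of the findings.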