A Palo Alto firewall not only lets you monitor activity on your network but is also a useful troubleshooting tool. This article shows how to monitor and troubleshoot traffic using zone traffic filters.
Example 1: To show all traffic coming from the GlobalProtect zone, use this filter: ( zone.src eq GlobalProtect )
From the results, we can see the source IP address, VPN username, destination IP address, port, application, action and rule.
Example 2: To show all traffic going out to the AWS zone, use this filter:
( zone.dst eq AWS )
The result shows traffic from the trust zone to AWS, with the source IP address, destination IP address, port, application and rule.
Example 3: To show all traffic coming from the GlobalProtect zone and going out to the DMZ zone, use this filter: ( zone.src eq GlobalProtect ) and ( zone.dst eq dmz )
Case 1: The client provides remote desktop access for their customers. The service department reports that some customers can't access the remote server and would like to know whether their firewall is blocking the customers' IP addresses.
Resolution: Run this filter: ( zone.src eq untrust ) and ( action eq deny ) and ( port.dst eq 3389 ). The result shows that the firewall blocks only IP addresses from foreign countries, as shown on the next page.
Finally, they find that the RDP server has software called RDPGuard, which blocks any account after 3 failed logins. It has nothing to do with the firewall. The case is closed.
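The Case 1 check can also be repeated offline against exported log entries. The following is an added example, not part of the original article: it parses the filter syntax shown above (only `eq`/`neq` clauses joined by `and`) and counts the matching entries per source address and rule. The record keys, addresses and rule names are constructed for illustration.

```python
import re
from collections import Counter

# One clause of the filter syntax used in this article: ( field eq|neq value )
CLAUSE = re.compile(r"\(\s*([\w.]+)\s+(eq|neq)\s+([^\s()]+)\s*\)")

def parse_filter(expr):
    """Parse 'and'-joined clauses into (field, op, value) tuples.
    Only the subset used in this article is handled: eq/neq joined by 'and'."""
    clauses = CLAUSE.findall(expr)
    # Whatever remains once the clauses are removed must be the 'and' joiners.
    rest = CLAUSE.sub(" ", expr).split()
    if not clauses or len(rest) != len(clauses) - 1 or any(t != "and" for t in rest):
        raise ValueError(f"unsupported filter: {expr!r}")
    return clauses

def matches(record, clauses):
    """True when the record satisfies every clause (values compared as strings)."""
    for field, op, value in clauses:
        same = str(record.get(field, "")) == value
        if same != (op == "eq"):
            return False
    return True

def denied_sources(records, expr):
    """Count matching log entries per (source address, rule)."""
    clauses = parse_filter(expr)
    return Counter((r["addr.src"], r["rule"]) for r in records if matches(r, clauses))

# Constructed sample records; keys reuse the filter field names for simplicity.
# Addresses come from documentation ranges and the rule names are made up.
SAMPLE_LOGS = [
    {"zone.src": "untrust", "addr.src": "203.0.113.10", "port.dst": 3389, "action": "deny", "rule": "block-geo"},
    {"zone.src": "untrust", "addr.src": "203.0.113.10", "port.dst": 3389, "action": "deny", "rule": "block-geo"},
    {"zone.src": "untrust", "addr.src": "198.51.100.7", "port.dst": 3389, "action": "allow", "rule": "allow-rdp"},
    {"zone.src": "untrust", "addr.src": "192.0.2.44", "port.dst": 443, "action": "deny", "rule": "block-geo"},
    {"zone.src": "GlobalProtect", "addr.src": "10.8.0.5", "port.dst": 3389, "action": "allow", "rule": "vpn-rdp"},
]

# The Case 1 filter from this article.
CASE1 = "( zone.src eq untrust ) and ( action eq deny ) and ( port.dst eq 3389 )"

if __name__ == "__main__":
    for (src, rule), hits in denied_sources(SAMPLE_LOGS, CASE1).items():
        print(f"{src} denied {hits}x by rule {rule}")
```

If a customer's address does not appear in the output, the firewall did not deny their RDP connection, which points the investigation at the server itself, as happened in Case 1.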