
Firewall Training

Troubleshooting (EDU-330)


Award-winning live online course

Experienced Instructors

Virtual Labs Access

Video Recordings

Get a taste for the course by watching the video in this blog post where one of our instructors teaches a sample module on Demystifying the FireWall Flow Logic.


The “Firewall Troubleshooting” (EDU-330) course covers the following content:

Tools and Resources

Troubleshooting Enablement


Basic Troubleshooting Methodologies


Options for Information and Support


Status Monitoring Tools


Maintenance Mode


Lab – Tech Support Files

  • Validate the basic functionality of your lab environment
  • Use the web interface to get a Tech Support File
  • Decompress the Tech Support File
  • Explore the Tech Support File

Lab – Use the CLI to Export a Tech Support File

  • Use the CLI to generate a Tech Support File
  • Use the CLI to export a Tech Support File
  • Validate the exported Tech Support File

CLI Primer

Scope and Structure of the CLI

  • Operational vs Configuration Mode
  • Network discovery use case
  • Configuration Mode
  • Data Displayed Through less
  • Syntax and feedback for invalid commands

Displaying and navigating command output


Using the CLI as a troubleshooting tool


Lab – CLI Fundamentals

  • Import, Load, and Commit a Configuration File
  • Confirm the Current Device Configuration
  • Explore Options for Changing Other Device Settings
  • Change the Current Device Setting

Lab – Use the CLI to Modify Policy Objects

  • Review the Existing Policy Configuration
  • Examine a Configuration and Discover Options for How to Modify It
  • Modify Object Parameters
  • Review Changes and Commit the Configuration
  • Test URL Filtering Profile Changes

Flow Logic

Session Flow and App-ID


Flow Logic Overview


TCP Sessions and States


Flow Logic Details

  • Key terms
  • Data flows per processing stage

Lab – Tracing Packet Flow

  • Open an existing packet-diagnostics file
  • Trace the first packet through the firewall
  • Trace the second packet
  • Trace the content inspection of a packet
  • Identify firewall-generated packets
  • Identify dropped packets and the session end

Packet Captures

Packet Capture Concepts


Configuring Packet Captures

  • Using the web interface
  • Using the CLI


  • Test baseline functionality
  • Configure a packet filter
  • Test session marking
  • Configure capture stages
  • Turn on packet capture and capture packets
  • Analyze the pcaps
  • Add a Security policy configuration to drop traffic
  • Reconfigure the filter
  • Capture and analyze the pcaps

Packet-Diagnostics Logs

Debug-level Diagnostic Log Features


Usage Best Practices


Interpreting flow-basic output


Hardware assistance and offloading



  • Start-up and verify external connectivity to the FTP server
  • Verify the problem with the internal client
  • Examine firewall Traffic logs and Threat logs
  • Configure the packet filter
  • Check global counters
  • Configure and run packet capture and flow basic
  • Interpret the flow-basic log and pcaps
  • Implement a solution and verify it
  • Check logs and enable logging for increased visibility

Transit Traffic

Troubleshoot Transit Traffic

  • Re-create the issue
  • Discover the network – check interface IPs, routing, ARP
  • Traffic logs
  • Session table
  • Set filter and check global counter
  • Debug flow basic and packet captures

Lab – App-ID and Torrents

  • Apply a baseline configuration to the firewall
  • Torrent sites
  • Traffic log: Application data
  • Enable traffic
  • Test policy rule “deny”
  • Policy rule to block torrents
  • Add a File Blocking Profile

Lab – Blocking Tor

  • Lab challenge and checklist
  • Solution: Security policy to block Tor App-ID
  • Solution: Use application filters
  • Solution: Block risky URL categories
  • Solution: Deny unknown applications
  • Solution: Block untrusted and expired certificates with a Decryption Profile
  • Solution: Turn on SSL decryption
  • Solution: Implement an External Dynamic List (EDL)

Host-inbound Traffic

Host-Inbound Traffic


Management Services


Lab – Host-Inbound Traffic NTP Example

  • Apply a baseline configuration to the firewall
  • Review the System log
  • Use CLI commands to get more information
  • Use tcpdump to capture packets
  • Diagnose the problem
  • Questions for discussion

IPSEC VPN Troubleshooting

VPN Concept


VPN Troubleshooting


Lab – VPN Traffic Case A

  • Review the network topology and verify the problem
  • Check routing and security policy rules
  • Change strategy: Try a top-down approach instead
  • Check the health of the VPN tunnel
  • Initiate VPN connection from the remote network
  • Troubleshoot as the responder
  • Check proxy ID settings and correct the problem

Lab – VPN Traffic Case B

  • Verify a problem with SFTP access to a web server
  • Review the Traffic logs and System logs
  • Check the high-level health indicators for the tunnel
  • Troubleshoot as the responder
  • Fix the problem and verify functionality

System Services

Identifying performance issues


Baseline service performance


Performance Troubleshooting use cases


System Services Daemons


Gathering more data



  • Check running services
  • Review the logs for a specific service
  • Change the debug log level for a service
  • Restart a service
  • Restart a service and monitor a data-plane session
  • Investigate the event

Certificate Management and SSL Decryption Troubleshooting

Verify that SSL decryption is applied via certificate chain


Accessing a site via its IP vs. FQDN


Intermediate CA missing

  • SSL Labs
  • Session end reason
  • show session flag | count yes
  • show counter global filter category proxy

Exclude URLs / certificates without punching holes into the firewall


Client authentication and SSL Decryption Exclusion


External factors that complicate SSL decryption



  • Apply a baseline configuration to the firewall
  • Verify the functionality of SSL decryption
  • Create a tag and a dynamic address group
  • Create a Decryption policy rule
  • Create custom Vulnerability signatures
  • Configure a Log Forwarding profile
  • Configure a Vulnerability Protection profile to generate alerts
  • Add the Log Forwarding profile to a Security policy rule
  • Test the configuration and confirm results


User-ID Mapping Flow


User-ID Troubleshooting

  • Re-create the issue: no users showing in the log
  • System log: verify and fix the user mapping issue
  • show user ip-user-mapping all
  • Event log
  • Verify LDAP connectivity
  • show user user-ids match-user xxx
  • Verify group mapping in the Security policy, including the LDAP browser
  • Verify that group users match the IP-to-user mapping


  • Apply a baseline configuration to the firewall
  • Diagnose and fix the problem
  • Review reference information
  • Solution: Enable User-ID on the correct zone
  • Solution: Fix the LDAP Server Profile
  • Solution: Fix the Authentication Profile Server type
  • Solution: Add the correct IP for server monitoring


Connection Sequence


GlobalProtect Troubleshooting

  • System log: check and fix group mapping
  • Verify certificate
  • Check internal host detection
  • Review support file


  • Apply a baseline configuration
  • Download the GlobalProtect agent
  • Connect to the external gateway
  • Disconnect the connected user
  • Advanced scenario: Pre-logon and certificates

Escalation and RMAs

Case management


Hardware failure and return merchandise authorizations (RMAs)


Escalation and support events


Experience & Passion

The difference is made by our instructors, who have many years of field experience that they bring with them into the classroom.


“All of my guys enjoyed and valued this course to the maximum.
You will simply love it”

Kamil Golombek at PWC

NIS Cyber Defence Security Perimeter EMEA