Purpose: Analyzing dropped return packets.

Check Drop Counters for Silent Drops

Use the CLI to identify silent drops that bypass logging:

show counter global filter delta yes | match drop

Look for counters like:

  • flow_pkt_status_tcp_timeout_receive: TCP session aged out due to inactivity.
  • flow_aged_out: Session expired (check session timers).
  • flow_deny_tcp_not_syn: Non-SYN packet in a new session (indicates state mismatch).
  • flow_deny_mismatch: NAT/zone/routing mismatch.
  • bp_drop, zone_defense_drop, or ip_fragment_drop: Zone protection or fragment drops.

Reference:
What is the significance of Global Counters?
Packet Flow Sequence in PAN-OS

Verify Session State

Check if the session is still active when return traffic arrives:

show session all filter source <source-ip> destination <dest-ip> port <port>
  • If the session is missing, it may have aged out prematurely.
  • Check the session timeout values (e.g., TCP idle timeout): show session-ttl

Reference:
How to View Active Session Information Using the CLI
Palo Alto Networks Firewall Session Overview

Check Zone Protection and DoS Policies

Zone Protection can silently drop packets:

show zone-protection

Look for tcp-reject or syn-cookie settings. Overly aggressive thresholds may drop legitimate traffic.

DoS Protection Profiles:
Verify if DoS policies are enabled for the zone and dropping return traffic.

Reference:
How to Verify if Zone Protection is Working

Asymmetric Routing or NAT Issues

Asymmetric Routing:

  • If return traffic takes a different path, the firewall drops it as “unknown session.”
  • If analyzing VPN traffic: Also check Proxy IDs
  • Confirm routing symmetry (use packet captures to verify).

NAT Misconfiguration: Check for NAT translation failures:

show running nat-policy
show session all filter nat

Double-Check Zones in NAT-Policy!

Packet Capture to Trace Return Traffic

Capture on the ingress interface for return traffic:

debug dataplane packet-diag set filter <name> destination <client-ip> port <client-port>
debug dataplane packet-diag enable filter <name>

Check if the return packet reaches the firewall:

show debug dataplane packet-diag log

If packets are captured but not forwarded, look for drops in the capture logs.

You may also use the web gui for capturing packets!

Debug Flow for Session Mismatch

Enable debug flow to trace the return packet processing:

debug flow basic
debug flow filter destination <client-ip> source <server-ip> port <client-port>

Reproduce the traffic and check:

show debug log

Look for messages like:

  • no session found (asymmetric routing or session aged out).
  • packet dropped, (mismatch) (NAT/zone mismatch).
  • dropped by zone protection.

Flow debugs have a performance impact. Disable after reproducing problem!

Check for Silent HA Drops (if HA is Configured)

In HA setups, session sync issues can cause silent drops:

show high-availability all
show counter global filter severity dropped | match ha

Look for ha2 sync errors or ha_session_pending_drops.

Enable Logging for Implicit Denies

  • If the drop is due to an implicit deny, enable logging for the default interzone/intrazone deny rules
  • Check Monitor > Logs > Traffic again for entries.