How to configure port monitoring / Port Mirroring / SPAN on Cisco Switch

As a network engineer you may come across situations in which you need to analyze, monitor or troubleshoot network traffic passing through a specific port or VLAN.

This can be done with Switched Port Analyzer (SPAN). Once SPAN is configured, the switch sends a copy of the traffic from the source port to another port (the destination port). The traffic can then be monitored by connecting a computer running Wireshark (or similar software) to the destination port and configuring it to capture and analyse the traffic.


Ingress Traffic: Traffic that enters the switch
Egress Traffic: Traffic that leaves the switch
Source (SPAN) port: A port that is monitored
Source (SPAN) VLAN: A VLAN whose traffic is monitored
Destination (SPAN) port: A port that monitors source ports.


Source SPAN ports are monitored for received (RX, ingress), transmitted (TX, egress) or bidirectional (both) traffic. Traffic entering or exiting the source SPAN ports is mirrored to the destination SPAN port.

In the example below we need to monitor traffic (sent and received) on interface fastEthernet0/2 and copy it to destination interface fastEthernet0/5 for monitoring. Once this is set up, we can directly connect a laptop running Wireshark to switch interface fastEthernet0/5 and see all the traffic sent and received on interface fastEthernet0/2.

Switch-A# configure terminal
Switch-A(config)# monitor session 1 source interface fastEthernet0/2 
Switch-A(config)# monitor session 1 destination interface fastEthernet0/5
Switch-A(config)# exit

Confirming the monitoring session and operation requires one simple command, show monitor:

Switch-A# show monitor

Session 1
Type              : Local Session
Source Ports      :
    Both          : Fa0/2
Destination Ports : Fa0/3
    Encapsulation : Native
          Ingress : Disabled

NOTE: show monitor session 1 detail can be used to see more details.

NOTE: Once port monitoring is activated, no traffic is sent out from the destination interface; it only receives the traffic copied from the source interface. Also note that this setup does not affect the switching of network traffic on the source ports.
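Confirming the session by eye is easy to get wrong: the show monitor output above lists the destination as Fa0/3 while the commands configured Fa0/5. The Python script below is an added example, not part of the original post, that parses a show monitor session block and compares it with the intended source and destination ports, reporting any mismatch. The output it reads is a constructed sample in the same layout as the output shown above.

```python
"""Check a Cisco IOS 'show monitor' session against the intended SPAN setup.

Added example, not from the original post. The sample output below is
constructed in the same layout as the post's 'show monitor' output.
"""
import re

# Constructed sample of 'show monitor' output (not captured from a real switch).
SAMPLE_SHOW_MONITOR = """\
Session 1
---------
Type                   : Local Session
Source Ports           :
    Both               : Fa0/2
Destination Ports      : Fa0/5
    Encapsulation      : Native
          Ingress      : Disabled
"""


def parse_show_monitor(text):
    """Parse 'show monitor' output into {session_id: session_dict}.

    Each session dict holds the session type, the source ports grouped by
    direction ('Both', 'RX Only', 'TX Only'), the destination ports and the
    ingress setting of the destination port.
    """
    sessions = {}
    current = None
    for line in text.splitlines():
        header = re.match(r"\s*Session\s+(\d+)\s*$", line)
        if header:
            current = {"type": None, "sources": {}, "destinations": [], "ingress": None}
            sessions[int(header.group(1))] = current
            continue
        if current is None or ":" not in line:
            continue  # separator lines and anything before the first session
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        ports = [p.strip() for p in value.split(",") if p.strip()]
        if key == "Type":
            current["type"] = value
        elif key in ("Both", "RX Only", "TX Only"):
            current["sources"][key] = ports
        elif key == "Destination Ports":
            current["destinations"] = ports
        elif key == "Ingress":
            current["ingress"] = value
    return sessions


def verify_session(sessions, session_id, source, destination, direction="Both"):
    """Return a list of problems; an empty list means the session is as intended."""
    session = sessions.get(session_id)
    if session is None:
        return [f"session {session_id} not present"]
    problems = []
    if source not in session["sources"].get(direction, []):
        problems.append(f"{source} is not monitored as a '{direction}' source")
    if destination not in session["destinations"]:
        problems.append(f"destination is {session['destinations']}, expected {destination}")
    all_sources = [p for ports in session["sources"].values() for p in ports]
    if destination in all_sources:
        problems.append(f"{destination} is listed as both source and destination")
    return problems


if __name__ == "__main__":
    parsed = parse_show_monitor(SAMPLE_SHOW_MONITOR)
    for issue in verify_session(parsed, 1, "Fa0/2", "Fa0/5") or ["session 1 matches"]:
        print(issue)
```

Paste the real show monitor output in place of the constructed sample (or read it from a file) and call verify_session with the ports you configured; the interface names must be in the abbreviated form the switch prints (Fa0/2, not fastEthernet0/2).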


Filtering logs in monitoring tab of Palo Alto

One of the features I like most in the Palo Alto Networks NGFW is its log search functionality. By default all log files are generated and stored locally on the firewall.

Filtering traffic in the Monitor tab of Palo Alto helps us find many things, including:
1. Whether traffic is being allowed or denied
2. Filtering traffic based on host, zone, port, action, etc.
3. Filtering traffic within a specified time range
4. Filtering traffic from a particular user
5. Filtering traffic to or from a specific IP / network / zone

In some cases we may have created the policy in Palo Alto correctly but forgotten to add the needed port to that rule. When a user complains that he cannot access a particular service on a particular server, we can easily figure out what is going on by reviewing the logs in the Monitor tab of Palo Alto.

Log in to Palo Alto and go to Monitor > Traffic (left tab). There you can see the traffic flow. To change the automatic refresh interval, select an interval from the drop-down (1 min, 30 seconds, 10 seconds, or Manual).

To change the number of log entries per page, select the number of rows from the Rows drop-down.

Select the Resolve Hostname check box to begin resolving external IP addresses to domain names.

To filter traffic from a source:

1. Click on any IP in the Source field.
2. It will automatically add addr.src in x.x.x.x to the filter bar, e.g. (addr.src in
3. Press ENTER.
4. It will show all the traffic originating from
5. Edit the IP as per your need.

Some other examples

Destination filter: (addr.dst in - shows all traffic with a destination address of a host that matches
Filter a source network: (addr.src in ) - shows all traffic from the network
Filter a destination network: (addr.dst in - shows all traffic to the network

Filter using Source and Destination

(addr.src in AND (addr.dst in - shows all traffic coming from a host with an IP address of and going to a host destination address of

Filter for source OR destination

(addr in - shows all traffic with a source OR destination address of a host that matches

Zone Traffic Filter Examples

(zone.src eq TRUST) - shows all traffic coming from the TRUST zone

(zone.dst eq UNTRUST) - shows all traffic going out through the UNTRUST zone

(zone.src eq TRUST) and (zone.dst eq UNTRUST) - shows all traffic coming from the TRUST zone and going out through the UNTRUST zone

PORT Traffic Filter Examples

(port.src eq 22) - shows all traffic travelling from source port 22

(port.dst eq 80) - shows all traffic travelling to destination port 80

Allowed/Denied Traffic Filter Examples 


(action eq allow) 
(action neq deny)

Example: (action eq allow) - shows all traffic allowed by the firewall rules.

NOTE: Placing the letter 'n' in front of 'eq' means 'not equal to,' so anything not equal to 'deny' is displayed, which is any allowed traffic.


(action eq deny)
(action neq allow)

Example: (action eq deny) - shows all traffic denied by the firewall rules.

NOTE: Placing the letter 'n' in front of 'eq' means 'not equal to,' so anything not equal to 'allow' is displayed, which is any denied traffic.

TRAFFIC from a particular user

(user.src eq 'Sysnet\Shabeer') - shows traffic from that particular user [Sysnet is the domain and Shabeer the username]

Combining Traffic Filter Examples

Show denied traffic from a SOURCE:

(addr.src in ) and (action eq deny)


(addr.src in and (addr.dst in and (port.dst eq 80) and (action eq allow)


(zone.src eq DEVELOPMENT) and (addr.src in and (addr.dst in and (zone.dst eq SECURITY) 

NOTE: You don't need to remember any of the filters mentioned above. It is very simple to create even complex filters: just click the needed criteria in the logs and it will automatically be added to the filter bar. You only need to edit the particular zone, IP address, port number or action.

For example, the screenshot below shows traffic from user plano2003\csharma. If you want to search for a custom user, all you need to do is:
1. Click on any user under "Source user"; here it is (user.src eq 'plano2003\csharma').
2. It will add (user.src eq 'plano2003\csharma') to the filter bar. Edit it with your custom username.

In general:
1. To create a filter go to Monitor > Traffic.
2. Just CLICK on the field you need to filter on, i.e. click on any value under From Zone / To Zone / Source / Source user / Destination / To port / Application / Action. In the example above we created the filter using the source user.
3. Edit the IP / zone / port / action as per your need.
4. Press ENTER and it will show the traffic you need to see.
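The filter expressions above all follow one small grammar: parenthesised terms of the form (field operator value) joined by and, with in for address membership and eq/neq for equality. The Python script below is an added example, not part of the original post and not Palo Alto software: it evaluates such expressions against a handful of constructed traffic log entries (the SAMPLE_LOGS dictionaries, zone names and users are made up), so the effect of each filter can be tried offline, including neq, addr matching either end of the connection, and a CIDR value with in. It supports only the fields and operators shown on this page and assumes terms are joined by and.

```python
"""Evaluate Palo Alto style traffic-log filters against sample log entries.

Added example, not from the original post and not Palo Alto software.
Supported grammar (the subset shown in the post):
    (field op value) [and (field op value) ...]
with op in {in, eq, neq}; 'in' takes an IP or CIDR, eq/neq compare text.
"""
import ipaddress
import re

# Constructed sample traffic log entries (made-up addresses, zones and users).
SAMPLE_LOGS = [
    {"src": "10.1.1.10", "dst": "203.0.113.5", "from_zone": "TRUST", "to_zone": "UNTRUST",
     "sport": 51000, "dport": 80, "action": "allow", "user": "sysnet\\shabeer"},
    {"src": "10.1.1.10", "dst": "203.0.113.5", "from_zone": "TRUST", "to_zone": "UNTRUST",
     "sport": 51001, "dport": 22, "action": "deny", "user": "sysnet\\shabeer"},
    {"src": "192.168.5.7", "dst": "10.1.1.10", "from_zone": "DEVELOPMENT", "to_zone": "TRUST",
     "sport": 40000, "dport": 443, "action": "allow", "user": "sysnet\\alice"},
]

# Filter field -> the log values it is compared against ('addr' covers both ends).
FIELDS = {
    "addr.src": lambda e: [e["src"]],
    "addr.dst": lambda e: [e["dst"]],
    "addr": lambda e: [e["src"], e["dst"]],
    "zone.src": lambda e: [e["from_zone"]],
    "zone.dst": lambda e: [e["to_zone"]],
    "port.src": lambda e: [str(e["sport"])],
    "port.dst": lambda e: [str(e["dport"])],
    "action": lambda e: [e["action"]],
    "user.src": lambda e: [e["user"]],
}

# One parenthesised term: (field operator value); the value may be single-quoted.
TERM_RE = re.compile(r"\(\s*([\w.]+)\s+(in|eq|neq)\s+('[^']*'|[^\s)]+)\s*\)", re.IGNORECASE)


def parse_filter(expr):
    """Split a filter on 'and' and parse each term into (field, op, value)."""
    terms = []
    for piece in re.split(r"\s+and\s+", expr.strip(), flags=re.IGNORECASE):
        m = TERM_RE.fullmatch(piece.strip())
        if m is None:
            raise ValueError(f"cannot parse filter term: {piece!r}")
        field, op, value = m.group(1).lower(), m.group(2).lower(), m.group(3).strip("'")
        if field not in FIELDS:
            raise ValueError(f"unknown filter field: {field}")
        terms.append((field, op, value))
    return terms


def term_matches(entry, field, op, value):
    """True when the entry satisfies one (field, op, value) term."""
    candidates = FIELDS[field](entry)
    if op == "in":
        # A bare host address becomes a /32, so 'in' handles hosts and networks alike.
        network = ipaddress.ip_network(value, strict=False)
        return any(ipaddress.ip_address(c) in network for c in candidates)
    equal = any(c.lower() == value.lower() for c in candidates)
    return equal if op == "eq" else not equal


def apply_filter(expr, entries):
    """Return the entries matching every term of the filter (terms are ANDed)."""
    terms = parse_filter(expr)
    return [e for e in entries if all(term_matches(e, *t) for t in terms)]


if __name__ == "__main__":
    for expr in ["(addr.src in 10.1.1.0/24) and (action eq deny)",
                 "(zone.src eq TRUST) and (zone.dst eq UNTRUST)",
                 "(user.src eq 'Sysnet\\Shabeer')"]:
        print(expr, "->", len(apply_filter(expr, SAMPLE_LOGS)), "entries")
```

Comparisons are case-insensitive and the in operator accepts either a single host or a network in CIDR form, so (addr.src in 10.1.1.0/24) and (action eq deny) returns only the denied entry from that network, while (addr in 10.1.1.10) returns every entry where that host is either the source or the destination.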

Palo Alto Network NGFW Architecture

Next generation firewalls do much more than legacy firewalls, including firewall policy, URL filtering, IPS, antivirus, anti-spyware, file blocking, WildFire, etc. This consumes a lot of firewall hardware resources such as CPU and memory.

To address this, Palo Alto Networks next-generation firewalls are built on a unique Single Pass Parallel Processing (SP3) architecture. This combines two components:
  • Single Pass software
  • Parallel Processing hardware

The SP3 architecture is a unique approach to hardware and software integration that simplifies management, streamlines processing and maximizes performance.

The combination of Single Pass software and Parallel Processing hardware is completely unique in network security, and enables Palo Alto Networks next-generation firewalls to restore visibility and control to enterprise networks at very high levels of performance.

The Control Plane has its own dual core processor, RAM, and hard drive. This processor is responsible for tasks such as the management UI, configuration, logging, and reporting.

The Data Plane contains three types of processors:
  • Signature Match Processor: Performs vulnerability and virus detection
  • Security Processors: Multi-core processors, which handle security tasks such as SSL decryption
  • Network Processor: Responsible for routing, NAT, and network layer communication

How do packets flow through a Palo Alto firewall?

Initial Packet Processing -> Security Pre-Policy -> Application -> Security Policy -> Post Policy Processing



How to view the details of Threats / attacks in PaloAlto Firewall

In Palo Alto, by default all log files are generated and stored locally on the firewall.

To view the details of threats, go to the Monitor tab > Threat.

Each entry includes the date and time, a threat name or URL, the source and destination zones, addresses, and ports, the application name, the alarm action (allow or block) and the severity.

The Threat tab displays an entry when traffic matches a Security Profile (Antivirus, Anti-Spyware, Vulnerability, URL Filtering, File Blocking, Data Filtering, or DoS Protection) that is attached to a security rule on the firewall.

The Type column indicates the type of threat, such as "virus" or "spyware". The Name column is the threat description or URL.

To view all the traffic from an attacker's IP, go to the Monitor tab > Traffic and in the filter bar enter the attacker's IP as the source address in the format (addr.src in and press ENTER. It will show all the traffic from that IP.


General settings in PaloAlto Firewall

Set up the hostname and login banner.

1. Select Device > Setup > Management and edit the General Settings.
2. Enter a Hostname for the firewall and enter your network Domain name. The domain name is just a label; it will not be used to join the domain.
3. Enter Login Banner text that informs users who are attempting to log in that they must have authorization to access the firewall management functions.

Set up DNS

Select Device > Setup > Services.
1. On the Services tab, enter the primary and secondary DNS servers.
2. For Update Server, enter the IP address or host name of the server from which to download updates from Palo Alto Networks. The current value is Do not change the Update Server unless instructed by Technical Support.

NOTE: You must manually configure at least one DNS server on the firewall or it will not be able to resolve hostnames; it will not use DNS server settings from another source, such as an ISP.

Set up a secure password for the admin account.

1. Select Device > Administrators.
2. Select the admin role.
3. Enter the current default password and the new password.
4. Click OK to save your settings.

Service Route Configuration

By default, the firewall uses the management interface to communicate with various servers including DNS, email, Palo Alto updates, User-ID agent, syslog, Panorama, etc. Service routes are used so that the communication between the firewall and these servers goes through the dataplane instead.

To change this, go to Device > Setup > Services > Service Route Configuration and configure the appropriate service routes.

As always, don't forget to COMMIT the changes.

Reboot or Shutdown PAN device

Go to Device > Setup > Operations > Device Operations.
From here you can reboot or shut down the PAN device.