>
    Strata Copilot
    Enable Packet Capture Collection
    Focus
    Download PDF
    Focus
    1. Home
    2. Device Security
    3. Device Security Administration Guide
    4. Monitor Device Security Health
    5. Enable Packet Capture Collection
    Download PDF
    Device Security

    Enable Packet Capture Collection

    Table of Contents

    Enable Packet Capture Collection

    Authorize packet capture on firewalls for use by the Device Security Research Team.
    Where Can I Use This?What Do I Need?
    • Device Security (Managed by Strata Cloud Manager)
    • (Legacy) IoT Security (Standalone portal)
    One of the following subscriptions:
    • Device Security subscription for an advanced Device Security product (Enterprise, OT, or Medical)
    • Device Security X subscription
    Enable on-demand packet capture (pcap) to help Palo Alto Networks significantly improve the accuracy and completeness of device identification and application recognition (App-ID) within your environment. When active, pcap collection allows our Device Security Research Team to securely perform targeted, temporary packet captures on your NGFW. Analyzing PCAPs helps us develop more precise identification signatures, providing enhanced security protections for you.

    How Packet Capture Works & Security Controls

    Our Device Security Research Team initiates packet captures using the same secure, remote channel established for firewall support and debugging. Packet captures don't impact firewall performance and don't grant any ability to modify your Security policy rules or controls. Packet capture collection can’t be enabled in FedRAMP (moderate and high) environments or tenants based in the China region.
    We prioritize your data security and privacy. All pcap files are encrypted both in transit and at rest. Furthermore, any personal information or customer identifying information that might be inadvertently collected in the packet capture will never leave your cloud region and will never be utilized by our research team. All packet capture files are automatically deleted after 120 days. You can also disable pcap collection and request the deletion of your data at any time by opening a support ticket.
    For more information about the types of data that Device Security might collect, see the IoT/OT Security Privacy Datasheet.

    Enable On-Demand Packet Capture

    For the Device Security Research Team to use pcap collection to collect network traffic metadata, you must first enable telemetry on your firewalls, install the OpenConfig plugin on your firewalls, and then authorize packet capturing for your tenant from Device Security. Depending on the version of PAN-OS that your firewalls are running, they might already have the OpenConfig plugin installed.
    To support packet capture on firewalls, they must be running:
    • PAN-OS 10.2.10 or later 10.2 releases
    • PAN-OS 11.1.0 or later
    1. Log in to PAN-OS and follow the steps to Enable Device Telemetry on your firewalls.
      For devices running PAN-OS 11.2.8 or later, telemetry is autoenabled.
    2. Follow the steps to install the OpenConfig plugin.
      If you already have the OpenConfig plugin installed, ensure that you are using OpenConfig plugin version 2.1.2 or later.
      1. Select DevicePlugins and search for OpenConfig.
      2. Download version 2.1.2 or later and then Install it.
    3. Log in to Device Security with a user account with the right privileges to enable pcap collection.
      If you're using Device Security in Strata Cloud Manager, you need to have the superuser role.
      If you're using the Device Security standalone portal, the user account needs administrator or owner privileges.
      Tenants who onboarded to Device Security after August 7, 2025 have pcap collection enabled by default, except for FedRAMP and Device Security China tenants.
    4. Navigate to PCAP Collection.
      Strata Cloud Manager Select AdministrationData Privacy SheetPCAP Collection.
      Legacy IoT Security Portal Select AdministrationAboutData PrivacyPCAP Collection.
    5. Select the check box to Enable PCAP collection for your tenant.
      If you want to deauthorize pcap collection, deselect the check box.

    © 2026 Palo Alto Networks, Inc. All rights reserved.