Take a Threat Packet Capture
Table of Contents
Expand All
|
Collapse All
Next-Generation Firewall Docs
-
-
- Cloud Management of NGFWs
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1 & Later
- PAN-OS 9.1 (EoL)
-
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1 & Later
-
-
- Cloud Management and AIOps for NGFW
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1
- PAN-OS 11.2
- PAN-OS 8.1 (EoL)
- PAN-OS 9.0 (EoL)
- PAN-OS 9.1 (EoL)
Take a Threat Packet Capture
To configure the firewall to take a packet
capture (pcap) when it detects a threat, enable packet capture on
Antivirus, Anti-Spyware, and Vulnerability Protection security profiles.
Threats that are detected using the advanced Inline Cloud Analysis engines do not
generate packet capture data.
- Enable the packet capture option in the security profile.Some security profiles allow you to define a single-packet capture or an extended-capture. If you choose extended-capture, define the capture length. This will allow the firewall to capture more packets to provide additional context related to the threat.If the action for a given threat is allow, the firewall does not trigger a Threat log and does not capture packets. If the action is alert, you can set the packet capture to single-packet or extended-capture. All blocking actions (drop, block, and reset actions) capture a single packet. The content package on the device determines the default action.
- Select ObjectsSecurity Profiles and enable the packet capture option for the supported profiles as follows:
- Antivirus—Select a custom antivirus profile and in the Antivirus tab select the Packet Capture check box.
- Anti-Spyware—Select a custom Anti-Spyware profile, click Signature Policies, Signature Exceptions, or the DNS Policies tab and in the Packet Capture drop-down, select single-packet or extended-capture.Signature Policies packet captures apply to multiple signatures across a specified category or matching threat name, while Signature Exceptions packet captures apply to a specific signature.
- Vulnerability Protection—Select a custom Vulnerability Protection profile and in the Rules tab, click Add to add a new rule, or select an existing rule. Set Packet Capture to single-packet or extended-capture.
If the profile has signature exceptions defined, click the Exceptions tab and in the Packet Capture column for a signature, set single-packet or extended-capture.(Optional) If you selected extended-capture for any of the profiles, define the extended packet capture length.- Select DeviceSetupContent-ID and edit the Content-ID Settings.
- In the Extended Packet Capture Length (packets) section, specify the number of packets that the firewall will capture (range is 1-50; default is 5).
- Click OK.
Add the security profile (with packet capture enabled) to a Security Policy rule.- Select PoliciesSecurity and select a rule.Select the Actions tab.In the Profile Settings section, select a profile that has packet capture enabled.For example, click the Antivirus drop-down and select a profile that has packet capture enabled.View/export the packet capture from the Threat logs.
- Select MonitorLogsThreat.In the log entry that you are interested in, click the green packet capture icon