>
    Take a Threat Packet Capture
    Focus
    Download PDF
    Focus
    1. Home
    2. PAN-OS
    3. Monitoring
    4. Take Packet Captures
    5. Take a Threat Packet Capture
    Download PDF

    Take a Threat Packet Capture

    Table of Contents

    Take a Threat Packet Capture

    To configure the firewall to take a packet capture (pcap) when it detects a threat, enable packet capture on Antivirus, Anti-Spyware, and Vulnerability Protection security profiles.
    Threats that are detected using the advanced Inline Cloud Analysis engines do not generate packet capture data.
    1. Enable the packet capture option in the security profile.
      Some security profiles allow you to define a single-packet capture or an extended-capture. If you choose extended-capture, define the capture length. This will allow the firewall to capture more packets to provide additional context related to the threat.
      If the action for a given threat is allow, the firewall does not trigger a Threat log and does not capture packets. If the action is alert, you can set the packet capture to single-packet or extended-capture. All blocking actions (drop, block, and reset actions) capture a single packet. The content package on the device determines the default action.
      1. Select ObjectsSecurity Profiles and enable the packet capture option for the supported profiles as follows:
        • Antivirus—Select a custom antivirus profile and in the Antivirus tab select the Packet Capture check box.
        • Anti-Spyware—Select a custom Anti-Spyware profile, click Signature Policies, Signature Exceptions, or the DNS Policies tab and in the Packet Capture drop-down, select single-packet or extended-capture.
          Signature Policies packet captures apply to multiple signatures across a specified category or matching threat name, while Signature Exceptions packet captures apply to a specific signature.
        • Vulnerability Protection—Select a custom Vulnerability Protection profile and in the Rules tab, click Add to add a new rule, or select an existing rule. Set Packet Capture to single-packet or extended-capture.
        If the profile has signature exceptions defined, click the Exceptions tab and in the Packet Capture column for a signature, set single-packet or extended-capture.
      2. (Optional) If you selected extended-capture for any of the profiles, define the extended packet capture length.
        1. Select DeviceSetupContent-ID and edit the Content-ID Settings.
        2. In the Extended Packet Capture Length (packets) section, specify the number of packets that the firewall will capture (range is 1-50; default is 5).
        3. Click OK.
    2. Add the security profile (with packet capture enabled) to a Security Policy rule.
      1. Select PoliciesSecurity and select a rule.
      2. Select the Actions tab.
      3. In the Profile Settings section, select a profile that has packet capture enabled.
        For example, click the Antivirus drop-down and select a profile that has packet capture enabled.
    3. View/export the packet capture from the Threat logs.
      1. Select MonitorLogsThreat.
      2. In the log entry that you are interested in, click the green packet capture icon
        in the second column. View the packet capture directly or Export it to your system.

    © 2024 Palo Alto Networks, Inc. All rights reserved.