Take a Threat Packet Capture

To configure the firewall to take a packet capture (pcap) when it detects a threat, enable packet capture in the Antivirus, Anti-Spyware, and Vulnerability Protection security profiles that your Security policy rules apply.
  1. Enable the packet capture option in the security profile.
    Some security profiles allow you to define a single-packet capture or an extended-capture. If you choose extended-capture, also define the capture length (the number of packets the firewall records for the session). This lets the firewall keep more of the session and provides additional context for analyzing the threat.
    If the action for a given threat is allow, the firewall does not generate a Threat log and therefore captures no packets. If the action is alert, the session continues, so you can set the packet capture to single-packet or extended-capture. All blocking actions (drop, block, and the reset actions) capture a single packet, because the firewall ends the session at the packet that matched the signature. The content package installed on the firewall determines the default action for each signature.
    1. Select Objects > Security Profiles and enable the packet capture option for the supported profiles as follows:
      • Antivirus—Select a custom antivirus profile and in the Antivirus tab select the Packet Capture check box.
      • Anti-Spyware—Select a custom Anti-Spyware profile, click the Rules, Exceptions, or DNS Signatures tab and in the Packet Capture drop-down, select single-packet or extended-capture.
      • Vulnerability Protection—Select a custom Vulnerability Protection profile and in the Rules tab, click Add to add a new rule, or select an existing rule. Set Packet Capture to single-packet or extended-capture.
      If the profile has signature exceptions defined, click the Exceptions tab and in the Packet Capture column for a signature, set single-packet or extended-capture.
    2. (Optional) If you selected extended-capture for any of the profiles, define the extended packet capture length. This is a single Content-ID setting and applies to every profile that uses extended-capture.
      1. Select Device > Setup > Content-ID and edit the Content-ID Settings.
      2. In the Extended Packet Capture Length (packets) section, specify the number of packets that the firewall will capture (range is 1-50; default is 5).
      3. Click OK.
  2. Add the security profile (with packet capture enabled) to a Security Policy rule.
    1. Select Policies > Security and select a rule.
    2. Select the Actions tab.
    3. In the Profile Settings section, select a profile that has packet capture enabled.
      For example, click the Antivirus drop-down and select a profile that has packet capture enabled. If the rule uses a Security Profile Group instead of individual profiles, the profiles that belong to that group are the ones that must have packet capture enabled.
    4. Commit the configuration so the rule takes effect.
  3. View/export the packet capture from the Threat logs.
    1. Select Monitor > Logs > Threat.
    2. In the log entry that you are interested in, click the green packet capture icon in the second column. View the packet capture directly or Export it to your system.
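The GUI export above is fine for one event, but for bulk triage you will usually pull the capture over the XML API and inspect it offline. The following is an added example, not code from the PAN-OS documentation or from Palo Alto Networks. It builds the export URL for one threat pcap, and it parses the resulting libpcap file to list the packets it contains, which is how you confirm on disk that a blocking action produced one packet while an alert action with extended-capture produced up to the Content-ID length you configured. The XML API parameter names (`type=export`, `category=threat-pcap`, `pcap-id`, `search-time`, `key`) and the hostname, API key and pcap ID values are assumptions for illustration; check the parameter set against the API reference for your PAN-OS release. The sample pcap is constructed in the script so it runs with no firewall present.

```python
"""Export a PAN-OS threat pcap via the XML API and summarize its packets.

Added example; not from the PAN-OS documentation. The API parameter
names are an ASSUMPTION recalled from the PAN-OS XML API reference and
must be verified for the running release. The sample pcap is constructed
inline so the parser can be exercised offline.
"""
import struct
from urllib.parse import urlencode
from urllib.request import urlopen


def threat_pcap_export_url(host, api_key, pcap_id, search_time):
    """Build the XML API URL that exports one threat pcap.

    pcap_id and search_time come from the Threat log entry (the one whose
    green icon you would click under Monitor > Logs > Threat).
    ASSUMPTION: parameter names as recalled from the PAN-OS XML API.
    """
    params = {
        "type": "export",
        "category": "threat-pcap",
        "pcap-id": str(pcap_id),
        "search-time": search_time,   # format "yyyy/mm/dd hh:mm:ss"
        "key": api_key,
    }
    return f"https://{host}/api/?" + urlencode(params)


def fetch_threat_pcap(url, timeout=30):
    """Download the pcap bytes. Not exercised offline; the firewall's
    certificate must be trusted by this host or urlopen will refuse it."""
    with urlopen(url, timeout=timeout) as resp:   # nosec: URL built above
        return resp.read()


def _ipv4_tcp_frame(src, dst, sport, dport, payload):
    """Constructed Ethernet/IPv4/TCP frame used only for the sample pcap."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return eth + ip + tcp


def build_sample_pcap(packet_count):
    """Constructed libpcap file with packet_count frames of one HTTP session,
    standing in for an exported threat pcap (1 packet for a blocking action,
    up to the Extended Packet Capture Length for an alert)."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]  # linktype 1 = Ethernet
    for i in range(packet_count):
        frame = _ipv4_tcp_frame("10.1.1.10", "203.0.113.5", 40000 + i, 80,
                                b"GET /" + b"A" * 8 + b" HTTP/1.1\r\n")
        out.append(struct.pack("<IIII", 1700000000, i * 1000, len(frame), len(frame)))
        out.append(frame)
    return b"".join(out)


def _summarize_frame(frame, ts):
    """Pull the IPv4 5-tuple out of an Ethernet frame for log correlation."""
    info = {"time": ts, "len": len(frame), "l3": None}
    if len(frame) < 34:
        return info
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != 0x0800:
        info["l3"] = f"ethertype 0x{ethertype:04x}"
        return info
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    info.update(l3="ipv4", src=".".join(map(str, ip[12:16])),
                dst=".".join(map(str, ip[16:20])), proto=ip[9])
    l4 = ip[ihl:]
    if ip[9] in (6, 17) and len(l4) >= 4:   # TCP or UDP: ports are the first 4 bytes
        info["sport"], info["dport"] = struct.unpack("!HH", l4[:4])
    return info


def summarize_pcap(data):
    """Parse a classic libpcap file (either byte order) into per-packet summaries."""
    if data[:4] == b"\xd4\xc3\xb2\xa1":
        end = "<"
    elif data[:4] == b"\xa1\xb2\xc3\xd4":
        end = ">"
    else:
        raise ValueError("not a libpcap file (pcapng is not handled here)")
    linktype = struct.unpack(end + "IHHiIII", data[:24])[6]
    if linktype != 1:
        raise ValueError(f"unsupported link type {linktype}")
    pos, packets = 24, []
    while pos + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack(end + "IIII", data[pos:pos + 16])
        pos += 16
        packets.append(_summarize_frame(data[pos:pos + incl_len], ts_sec + ts_usec / 1e6))
        pos += incl_len
    return packets


if __name__ == "__main__":
    print(threat_pcap_export_url("fw.example.net", "APIKEY", 1200342345, "2024/01/02 03:04:05"))
    for pkt in summarize_pcap(build_sample_pcap(3)):   # replace with fetch_threat_pcap(url)
        print(pkt)
```

When pointed at a real export, the packet count you see from summarize_pcap is the practical check on the profile settings: a single entry means the matching profile rule used a blocking action or single-packet, while several entries bounded by the configured Extended Packet Capture Length confirm that extended-capture is active for an alert action.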