If
the action for a given threat is allow, the firewall does not trigger
a Threat log and does not capture packets. If the action is alert,
you can set the packet capture to single-packet or extended-capture.
All blocking actions (drop, block, and reset actions) capture a single
packet. The content package on the device determines the default
action.