Device Security
Enable Packet Capture Collection
Authorize packet capture on firewalls for use by the Device Security Research Team.
Where Can I Use This? | What Do I Need? |
---|---|
 | One of the following subscriptions: |
Enable on-demand packet capture (pcap) to help Palo Alto Networks significantly
improve the accuracy and completeness of device identification and
application recognition (App-ID) within your environment. When
active, pcap collection allows our Device Security Research Team to securely
perform targeted, temporary packet captures on your NGFW.
Analyzing PCAPs helps us develop more precise identification signatures,
providing enhanced security protections for you.
How Packet Capture Works & Security Controls
Our Device Security Research Team initiates packet captures using the same
secure, remote channel established for firewall support and debugging.
Packet captures don't impact firewall performance and don't grant any ability
to modify your Security policy rules or controls. Packet capture collection
can’t be enabled in FedRAMP (moderate and high) environments or
tenants based in the China region.
We prioritize your data security and privacy. All pcap files are encrypted both
in transit and at rest. Furthermore, any personal information or
customer identifying information that might be inadvertently collected in the
packet capture will never leave your cloud region and will never be utilized
by our research team. All packet capture files are automatically deleted after
120 days. You can also disable pcap collection and request the deletion of
your data at any time by opening a support ticket.
For more information about the types of data that Device Security might
collect, see the IoT/OT Security Privacy Datasheet.
Enable On-Demand Packet Capture
For the Device Security Research Team to use pcap collection to collect
network traffic metadata, you must first enable telemetry on your firewalls,
install the OpenConfig plugin on your firewalls,
and then authorize packet capturing for your tenant from Device Security.
Depending on the version of PAN-OS that your firewalls are
running, they might already have the OpenConfig plugin installed.
To support packet capture, firewalls must be running:
- PAN-OS 10.2.10 or later 10.2 releases
- PAN-OS 11.1.0 or later
- Log in to PAN-OS and follow the steps to Enable Device Telemetry on your firewalls.
  For devices running PAN-OS 11.2.8 or later, telemetry is autoenabled.
- Follow the steps to install the OpenConfig plugin.
  If you already have the OpenConfig plugin installed, ensure that you are using OpenConfig plugin version 2.1.2 or later.
  - Select Device > Plugins and search for OpenConfig.
  - Download version 2.1.2 or later and then Install it.
- Log in to Device Security with a user account with the right privileges to enable pcap collection.
  If you're using Device Security in Strata Cloud Manager, you need to have the superuser role.
  If you're using the Device Security standalone portal, the user account needs administrator or owner privileges.
  Tenants who onboarded to Device Security after August 7, 2025 have pcap collection enabled by default, except for FedRAMP and Device Security China tenants.
- Navigate to PCAP Collection.
  - Strata Cloud Manager: Select Administration > Data Privacy Sheet > PCAP Collection.
  - Device Security: Select Administration > About > Data Privacy > PCAP Collection.
- Select the check box to Enable PCAP collection for your tenant.
  If you want to deauthorize pcap collection, deselect the check box.
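A fleet readiness check for the prerequisites listed above, as an added example that is not Palo Alto Networks code. The inventory record fields (`name`, `panos`, `openconfig`, `telemetry`) and the sample values are hypothetical and constructed; how you export them from your firewalls is outside this sketch.

```python
import re

MIN_PLUGIN = (2, 1, 2)        # OpenConfig plugin 2.1.2 or later
AUTO_TELEMETRY = (11, 2, 8)   # telemetry is autoenabled from PAN-OS 11.2.8

def parse_version(text):
    """'10.2.10-h3' -> (10, 2, 10); a hotfix suffix does not affect the check."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognized version string: {text!r}")
    return tuple(int(part) for part in m.groups())

def panos_supported(version):
    """10.2.10 or later within the 10.2 train, or 11.1.0 or later."""
    v = parse_version(version)
    if v[:2] == (10, 2):
        return v >= (10, 2, 10)
    return v >= (11, 1, 0)    # excludes 11.0.x and everything before 10.2

def outstanding_steps(fw):
    """Return the prerequisite steps a firewall record still needs ([] = ready)."""
    steps = []
    if not panos_supported(fw["panos"]):
        steps.append("upgrade PAN-OS to 10.2.10+ (10.2) or 11.1.0+")
    plugin = fw.get("openconfig")          # None means not installed
    if plugin is None:
        steps.append("install OpenConfig plugin 2.1.2 or later")
    elif parse_version(plugin) < MIN_PLUGIN:
        steps.append("update OpenConfig plugin to 2.1.2 or later")
    if parse_version(fw["panos"]) < AUTO_TELEMETRY and not fw.get("telemetry"):
        steps.append("enable device telemetry")
    return steps

# Constructed sample inventory; field names are hypothetical.
FLEET = [
    {"name": "fw-a", "panos": "10.2.9-h1", "openconfig": "2.1.2", "telemetry": True},
    {"name": "fw-b", "panos": "10.2.10-h3", "openconfig": "2.0.1", "telemetry": True},
    {"name": "fw-c", "panos": "11.0.4", "openconfig": None, "telemetry": False},
    {"name": "fw-d", "panos": "11.2.8", "openconfig": "2.1.3"},
]

def report(fleet):
    return {fw["name"]: outstanding_steps(fw) for fw in fleet}

if __name__ == "__main__":
    for name, steps in report(FLEET).items():
        print(f"{name}: {'ready' if not steps else '; '.join(steps)}")
```

The 11.0.x case is the one to watch: it is newer than 10.2.10 numerically but is not in either supported range stated above.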