Focus

Take a Threat Packet Capture

Table of Contents

Filter

Expand All | Collapse All

Next-Generation Firewall Docs

Getting Started
Administration
Version
- Cloud Management of NGFWs
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1
- PAN-OS 9.1
Networking
Version
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1
AIOps
Incidents & Alerts
Release Notes
Version
- Cloud Management and AIOps for NGFW
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1
- PAN-OS 8.1 (EoL)
- PAN-OS 9.0 (EoL)
- PAN-OS 9.1

Take a Custom Packet Capture

Take an Application Packet Capture

Take a Threat Packet Capture

To configure the firewall to take a packet capture (pcap) when it detects a threat, enable packet capture on Antivirus, Anti-Spyware, and Vulnerability Protection security profiles.

Enable the packet capture option in the security profile.

Some security profiles allow you to define a single-packet capture or an extended-capture. If you choose extended-capture, define the capture length. This will allow the firewall to capture more packets to provide additional context related to the threat.

If the action for a given threat is allow, the firewall does not trigger a Threat log and does not capture packets. If the action is alert, you can set the packet capture to single-packet or extended-capture. All blocking actions (drop, block, and reset actions) capture a single packet. The content package on the device determines the default action.

Select

Objects

Security Profiles

and enable the packet capture option for the supported profiles as follows:

Antivirus

—Select a custom antivirus profile and in the

Antivirus

tab select the

Packet Capture

check box.

Anti-Spyware

—Select a custom Anti-Spyware profile, click the

DNS Signatures

tab and in the

Packet Capture

drop-down, select

single-packet

extended-capture

Vulnerability Protection

—Select a custom Vulnerability Protection profile and in the

Rules

tab, click

Add

to add a new rule, or select an existing rule. Set

Packet Capture

single-packet

extended-capture

If the profile has signature exceptions defined, click the

Exceptions

tab and in the

Packet Capture

column for a signature, set

single-packet

extended-capture

(Optional) If you selected

extended-capture

for any of the profiles, define the extended packet capture length.

Select

Device

Setup

Content-ID

and edit the Content-ID Settings.

In the

Extended Packet Capture Length (packets)

section, specify the number of packets that the firewall will capture (range is 1-50; default is 5).

Click

Add the security profile (with packet capture enabled) to a Security Policy rule.

Select

Policies

Security

and select a rule.

Select the

Actions

tab.

In the Profile Settings section, select a profile that has packet capture enabled.

For example, click the

Antivirus

drop-down and select a profile that has packet capture enabled.

View/export the packet capture from the Threat logs.

Select

Monitor

Logs

Threat

In the log entry that you are interested in, click the green packet capture icon

in the second column. View the packet capture directly or

Export

it to your system.

Take a Custom Packet Capture

Take an Application Packet Capture

Next-Generation Firewall Docs

Take a Threat Packet Capture

Next-Generation Firewall Docs

Take a Threat Packet Capture

Recommended For You

Activation and Onboarding

Next-Generation Firewalls

Cloud-Delivered Security Services

Network Security

Visibility & Monitoring

Best Practices

Experts Corner