1. Home
    2. PAN-OS
    3. PAN-OS® Administrator’s Guide
    4. Monitoring
    5. Take Packet Captures
    6. Take a Threat Packet Capture

    Take a Threat Packet Capture

    To configure the firewall to take a packet capture (pcap) when it detects a threat, enable packet capture on Antivirus, Anti-Spyware, and Vulnerability Protection security profiles.
    1. Enable the packet capture option in the security profile.
      Some security profiles allow you to define a single-packet capture or an extended-capture. If you choose extended-capture, define the capture length. This will allow the firewall to capture more packets to provide additional context related to the threat.
      If the action for a given threat is allow, the firewall does not trigger a Threat log and does not capture packets. If the action is alert, you can set the packet capture to single-packet or extended-capture. All blocking actions (drop, block, and reset actions) capture a single packet. The content package on the device determines the default action.
      1. Select
        Objects
        Security Profiles
         and enable the packet capture option for the supported profiles as follows:
        • Antivirus
          —Select a custom antivirus profile and in the
          Antivirus
           tab select the
          Packet Capture
           check box.
        • Anti-Spyware
          —Select a custom Anti-Spyware profile, click the
          DNS Signatures
           tab and in the
          Packet Capture
           drop-down, select
          single-packet
           or
          extended-capture
          .
        • Vulnerability Protection
          —Select a custom Vulnerability Protection profile and in the
          Rules
           tab, click
          Add
           to add a new rule, or select an existing rule. Set
          Packet Capture
           to
          single-packet
           or
          extended-capture
          .
        If the profile has signature exceptions defined, click the
        Exceptions
         tab and in the
        Packet Capture
         column for a signature, set
        single-packet
         or
        extended-capture
        .
      2. (
        Optional
        ) If you selected
        extended-capture
         for any of the profiles, define the extended packet capture length.
        1. Select
          Device
          Setup
          Content-ID
           and edit the Content-ID Settings.
        2. In the
          Extended Packet Capture Length (packets)
           section, specify the number of packets that the firewall will capture (range is 1-50; default is 5).
        3. Click
          OK
          .
    2. Add the security profile (with packet capture enabled) to a Security Policy rule.
      1. Select
        Policies
        Security
         and select a rule.
      2. Select the
        Actions
         tab.
      3. In the Profile Settings section, select a profile that has packet capture enabled.
        For example, click the
        Antivirus
         drop-down and select a profile that has packet capture enabled.
    3. View/export the packet capture from the Threat logs.
      1. Select
        Monitor
        Logs
        Threat
        .
      2. In the log entry that you are interested in, click the green packet capture icon packet_capture_icon.png in the second column. View the packet capture directly or
        Export
         it to your system.
      packet_capture-threat-download.png

    Recommended For You

    Recommended Videos

    Recommended videos not found.

    © 2021 Palo Alto Networks, Inc. All rights reserved.

    Techdocs Logo