Take a Threat Packet Capture
To configure the firewall to take a packet capture (pcap) when it detects a threat, enable packet capture on Antivirus, Anti-Spyware, and Vulnerability Protection security profiles.
- Enable the packet capture option in the security profile.
  Some security profiles allow you to define a single-packet capture or an extended-capture. If you choose extended-capture, define the capture length. This will allow the firewall to capture more packets to provide additional context related to the threat.
  If the action for a given threat is allow, the firewall does not trigger a Threat log and does not capture packets. If the action is alert, you can set the packet capture to single-packet or extended-capture. All blocking actions (drop, block, and reset actions) capture a single packet. The content package on the device determines the default action.
  - Select Objects > Security Profiles and enable the packet capture option for the supported profiles as follows:
    - Antivirus—Select a custom antivirus profile and in the Antivirus tab select the Packet Capture check box.
    - Anti-Spyware—Select a custom Anti-Spyware profile, click the DNS Signatures tab and in the Packet Capture drop-down, select single-packet or extended-capture.
    - Vulnerability Protection—Select a custom Vulnerability Protection profile and in the Rules tab, click Add to add a new rule, or select an existing rule. Set Packet Capture to single-packet or extended-capture.
      If the profile has signature exceptions defined, click the Exceptions tab and in the Packet Capture column for a signature, set single-packet or extended-capture.
- (Optional) If you selected extended-capture for any of the profiles, define the extended packet capture length.
  - Select Device > Setup > Content-ID and edit the Content-ID Settings.
  - In the Extended Packet Capture Length (packets) section, specify the number of packets that the firewall will capture (range is 1-50; default is 5).
  - Click OK.
- Add the security profile (with packet capture enabled) to a Security Policy rule.
  - Select Policies > Security and select a rule.
  - Select the Actions tab.
  - In the Profile Settings section, select a profile that has packet capture enabled. For example, click the Antivirus drop-down and select a profile that has packet capture enabled.
- View/export the packet capture from the Threat logs.
  - Select Monitor > Logs > Threat.
  - In the log entry that you are interested in, click the green packet capture icon in the second column. View the packet capture directly or Export it to your system.
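The following is an added example, not Palo Alto Networks code: a Python audit that applies the action and capture rules described above to Vulnerability Protection rules in a configuration export and reports how many packets each rule would capture per threat hit. The XML element names, the action names, the sample data, and the reading that a disabled capture setting yields zero packets are all assumptions; map them to your own export before relying on the output.

```python
import xml.etree.ElementTree as ET

# Constructed sample. Element and action names are assumptions, not a schema
# taken from the page; adapt the paths to your own exported configuration.
SAMPLE = """<config>
 <ctd><extended-capture-segment>5</extended-capture-segment></ctd>
 <profiles><vulnerability><entry name="strict-vp"><rules>
  <entry name="crit-block"><action><reset-both/></action>
   <packet-capture>extended-capture</packet-capture></entry>
  <entry name="med-alert"><action><alert/></action>
   <packet-capture>extended-capture</packet-capture></entry>
  <entry name="low-alert"><action><alert/></action>
   <packet-capture>disable</packet-capture></entry>
  <entry name="info-allow"><action><allow/></action>
   <packet-capture>single-packet</packet-capture></entry>
 </rules></entry></vulnerability></profiles>
</config>"""

BLOCKING = {"drop", "block", "block-ip", "reset-client", "reset-server", "reset-both"}

def expected_packets(action, capture, ext_len):
    """Packets captured per threat hit; None when the content package decides."""
    if capture == "disable" or action == "allow":
        return 0          # allow: no Threat log, so no capture
    if action in BLOCKING:
        return 1          # blocking actions capture a single packet
    if action == "alert":
        return ext_len if capture == "extended-capture" else 1
    return None           # e.g. "default": resolved by the content package

def audit(xml_text):
    """Return (profile, rule, action, capture setting, expected packets) rows."""
    root = ET.fromstring(xml_text)
    ext_len = int(root.findtext(".//extended-capture-segment", default="5"))
    if not 1 <= ext_len <= 50:
        raise ValueError(f"extended capture length {ext_len} outside 1-50")
    rows = []
    for prof in root.findall(".//vulnerability/entry"):
        for rule in prof.findall("./rules/entry"):
            action_el = rule.find("action")
            action = action_el[0].tag if action_el is not None and len(action_el) else "default"
            capture = rule.findtext("packet-capture", default="disable").strip()
            rows.append((prof.get("name"), rule.get("name"), action, capture,
                         expected_packets(action, capture, ext_len)))
    return rows

if __name__ == "__main__":
    for row in audit(SAMPLE):
        print("%-10s %-11s %-10s %-16s %s" % row)
```

Rules that report 0 on an alert action are the ones that will produce Threat log entries with no pcap attached.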