1. Home
    2. PAN-OS
    3. PAN-OS® Administrator’s Guide
    4. Monitoring
    5. Take Packet Captures
    6. Take a Threat Packet Capture

    Take a Threat Packet Capture

    To configure the firewall to take a packet capture (pcap) when it detects a threat, enable packet capture on Antivirus, Anti-Spyware, and Vulnerability Protection security profiles.
    1. Enable the packet capture option in the security profile.
      Some security profiles allow you to define a single-packet capture or an extended-capture. If you choose extended-capture, define the capture length. This will allow the firewall to capture more packets to provide additional context related to the threat.
      If the action for a given threat is allow, the firewall does not trigger a Threat log and does not capture packets. If the action is alert, you can set the packet capture to single-packet or extended-capture. All blocking actions (drop, block, and reset actions) capture a single packet. The content package on the device determines the default action.
      1. Select
        Objects
        Security Profiles
         and enable the packet capture option for the supported profiles as follows:
        • Antivirus
          —Select a custom antivirus profile and in the
          Antivirus
           tab select the
          Packet Capture
           check box.
        • Anti-Spyware
          —Select a custom Anti-Spyware profile, click the
          DNS Signatures
           tab and in the
          Packet Capture
           drop-down, select
          single-packet
           or
          extended-capture
          .
        • Vulnerability Protection
          —Select a custom Vulnerability Protection profile and in the
          Rules
           tab, click
          Add
           to add a new rule, or select an existing rule. Set
          Packet Capture
           to
          single-packet
           or
          extended-capture
          .
        If the profile has signature exceptions defined, click the
        Exceptions
         tab and in the
        Packet Capture
         column for a signature, set
        single-packet
         or
        extended-capture
        .
      2. (
        Optional
        ) If you selected
        extended-capture
         for any of the profiles, define the extended packet capture length.
        1. Select
          Device
          Setup
          Content-ID
           and edit the Content-ID Settings.
        2. In the
          Extended Packet Capture Length (packets)
           section, specify the number of packets that the firewall will capture (range is 1-50; default is 5).
        3. Click
          OK
          .
    2. Add the security profile (with packet capture enabled) to a Security Policy rule.
      1. Select
        Policies
        Security
         and select a rule.
      2. Select the
        Actions
         tab.
      3. In the Profile Settings section, select a profile that has packet capture enabled.
        For example, click the
        Antivirus
         drop-down and select a profile that has packet capture enabled.
    3. View/export the packet capture from the Threat logs.
      1. Select
        Monitor
        Logs
        Threat
        .
      2. In the log entry that you are interested in, click the green packet capture icon in the second column. View the packet capture directly or
        Export
         it to your system.

    Recommended For You

    Recommended Videos

    Recommended videos not found.

    © 2021 Palo Alto Networks, Inc. All rights reserved.

    Techdocs Logo