Take a Threat Packet Capture

To configure the firewall to take a packet capture (pcap) when it detects a threat, enable packet capture on Antivirus, Anti-Spyware, and Vulnerability Protection security profiles.
  1. Enable the packet capture option in the security profile.
    Some security profiles allow you to define a single-packet capture or an extended-capture. If you choose extended-capture, define the capture length. This will allow the firewall to capture more packets to provide additional context related to the threat.
    If the action for a given threat is allow, the firewall does not trigger a Threat log and does not capture packets. If the action is alert, you can set the packet capture to single-packet or extended-capture. All blocking actions (drop, block, and reset actions) capture a single packet. The content package on the device determines the default action.
    1. Select Objects > Security Profiles and enable the packet capture option for the supported profiles as follows:
      • Antivirus—Select a custom antivirus profile and, in the Antivirus tab, select the Packet Capture check box.
      • Anti-Spyware—Select a custom Anti-Spyware profile, click the DNS Signatures tab, and in the Packet Capture drop-down select single-packet or extended-capture.
      • Vulnerability Protection—Select a custom Vulnerability Protection profile and, in the Rules tab, click Add to add a new rule or select an existing rule. Set Packet Capture to single-packet or extended-capture.
      If the profile has signature exceptions defined, click the Exceptions tab and, in the Packet Capture column for a signature, set single-packet or extended-capture.
    2. (Optional) If you selected extended-capture for any of the profiles, define the extended packet capture length.
      1. Select Device > Setup > Content-ID and edit the Content-ID Settings.
      2. In the Extended Packet Capture Length (packets) section, specify the number of packets that the firewall will capture (range is 1-50; default is 5).
      3. Click OK.
  2. Add the security profile (with packet capture enabled) to a Security Policy rule.
    1. Select Policies > Security and select a rule.
    2. Select the Actions tab.
    3. In the Profile Settings section, select a profile that has packet capture enabled.
      For example, click the Antivirus drop-down and select a profile that has packet capture enabled.
  3. View/export the packet capture from the Threat logs.
    1. Select Monitor > Logs > Threat.
    2. In the log entry that you are interested in, click the green packet capture icon in the second column. View the packet capture directly or Export it to your system.