To configure the firewall to take a packet capture (pcap) when it detects a threat, enable packet capture on Antivirus, Anti-Spyware, and Vulnerability Protection security profiles.
Take a Threat Packet Capture
Enable the packet capture option in the security profile.
Some security profiles let you choose between single-packet capture and extended-capture. If you choose extended-capture, also define the capture length (a separate Content-ID setting); the firewall then captures several packets around the signature match, which gives more context about the threat than the single triggering packet.
The firewall can capture packets only if the action for a given threat is set to allow or alert.
Select Objects > Security Profiles and enable the packet capture option for the supported profiles as follows:
Antivirus: select a custom Antivirus profile and, on the Antivirus tab, select the Packet Capture check box.
Anti-Spyware: select a custom Anti-Spyware profile and set its Packet Capture option to single-packet or extended-capture.
Vulnerability Protection: select a custom Vulnerability Protection profile and, on the Rules tab, click Add to add a new rule or select an existing rule. Set Packet Capture to single-packet or extended-capture. If the profile has signature exceptions defined, also click the Exceptions tab and, in the Packet Capture column for each signature you care about, set single-packet or extended-capture; an exception with packet capture left disabled produces no capture even if the rule above it has it enabled.
(Optional) If you selected extended-capture for any of the profiles, define the extended packet capture length.
Select Device > Setup > Content-ID and edit the Content-ID Settings.
In the Extended Packet Capture Length (packets) field, specify the number of packets that the firewall captures (range is 1-50; default is 5). This is a device-wide setting: it applies to every profile on the firewall that uses extended-capture, not to an individual profile or rule.
Add the security profile (with packet capture enabled) to a Security Policy rule.
Select Policies > Security and select a rule.
In the Profile Setting section, select a profile that has packet capture enabled (set Profile Type to Profiles, or use a profile group that includes the profile).
For example, click the Antivirus drop-down and select an Antivirus profile that has packet capture enabled. Traffic is only captured if it matches a rule that carries the profile, so confirm the rule that the threat traffic actually hits is the one you changed, then commit.
View or export the packet capture from the Threat logs.
Select Monitor > Logs > Threat.
In the log entry that you are interested in, click the green packet capture icon in the second column. View the packet capture directly or Export it to your system, where you can open it with a pcap analysis tool.
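Once a capture has been exported, it is worth checking that it contains what the profile configuration promised: exactly one packet for single-packet, and no more packets than the Extended Packet Capture Length for extended-capture. The following Python script is an added example and is not part of the PAN-OS documentation or of any Palo Alto Networks tool. It parses the classic libpcap file format (both byte orders, microsecond and nanosecond timestamps), rejects truncated files, and compares the packet count against the capture mode. The assumption that the configured length is an upper bound (a session that ends early can yield fewer packets) is mine, as is the constructed sample frame; the 1-50 range and default of 5 come from the page above.

```python
"""Sanity-check a threat packet capture (pcap) exported from the Threat log.

Added example, not from the PAN-OS documentation. Parses the classic libpcap
file format and checks the packet count against the capture mode configured
in the security profile (single-packet, or extended-capture bounded by the
Content-ID 'Extended Packet Capture Length' of 1-50 packets, default 5).
"""
import struct
from dataclasses import dataclass
from typing import List, Tuple

GLOBAL_HEADER_LEN = 24
RECORD_HEADER_LEN = 16

# libpcap magic numbers as they appear when the first four bytes are read
# little-endian; the value tells us the file's byte order and timestamp unit.
_LE_MAGICS = {0xA1B2C3D4: 1_000_000, 0xA1B23C4D: 1_000_000_000}
_BE_MAGICS = {0xD4C3B2A1: 1_000_000, 0x4D3CB2A1: 1_000_000_000}

# From the page: extended-capture length range is 1-50 packets, default 5.
EXTENDED_CAPTURE_MIN, EXTENDED_CAPTURE_MAX, EXTENDED_CAPTURE_DEFAULT = 1, 50, 5


@dataclass
class Record:
    timestamp: float   # seconds since the Unix epoch
    caplen: int        # bytes actually stored in the file
    origlen: int       # bytes that were on the wire
    data: bytes


def parse_pcap(blob: bytes) -> List[Record]:
    """Parse a classic (non-pcapng) libpcap file; raise on a truncated record."""
    if len(blob) < GLOBAL_HEADER_LEN:
        raise ValueError("file shorter than the 24-byte pcap global header")
    magic = struct.unpack("<I", blob[:4])[0]
    if magic in _LE_MAGICS:
        endian, ts_div = "<", _LE_MAGICS[magic]
    elif magic in _BE_MAGICS:
        endian, ts_div = ">", _BE_MAGICS[magic]
    else:
        raise ValueError(f"not a libpcap file (magic 0x{magic:08x}); pcapng is not handled")
    snaplen = struct.unpack(endian + "I", blob[16:20])[0]

    records: List[Record] = []
    off = GLOBAL_HEADER_LEN
    while off < len(blob):
        if len(blob) - off < RECORD_HEADER_LEN:
            raise ValueError(f"truncated record header at offset {off}")
        ts_sec, ts_frac, caplen, origlen = struct.unpack(
            endian + "IIII", blob[off:off + RECORD_HEADER_LEN])
        off += RECORD_HEADER_LEN
        if caplen > snaplen:
            raise ValueError(f"record at offset {off} claims {caplen} bytes > snaplen {snaplen}")
        if len(blob) - off < caplen:
            raise ValueError(f"truncated packet data at offset {off}: need {caplen} bytes")
        records.append(Record(ts_sec + ts_frac / ts_div, caplen, origlen, blob[off:off + caplen]))
        off += caplen
    return records


def check_threat_capture(blob: bytes, mode: str,
                         extended_len: int = EXTENDED_CAPTURE_DEFAULT) -> Tuple[int, bool]:
    """Return (packet_count, ok) for the capture mode set in the profile."""
    if mode == "extended-capture" and not EXTENDED_CAPTURE_MIN <= extended_len <= EXTENDED_CAPTURE_MAX:
        raise ValueError("extended-capture length must be 1-50 packets")
    count = len(parse_pcap(blob))
    if mode == "single-packet":
        ok = count == 1
    elif mode == "extended-capture":
        # Assumption: the configured length is an upper bound. A session that
        # ends early can yield fewer packets, but never zero or more than set.
        ok = 1 <= count <= extended_len
    else:
        raise ValueError(f"unknown capture mode {mode!r}")
    return count, ok


def build_pcap(packets: List[bytes], nanosecond: bool = False,
               big_endian: bool = False) -> bytes:
    """Write a minimal pcap (linktype 1 = Ethernet) so the checker can be exercised offline."""
    endian = ">" if big_endian else "<"
    magic = 0xA1B23C4D if nanosecond else 0xA1B2C3D4
    out = struct.pack(endian + "IHHiIII", magic, 2, 4, 0, 0, 65535, 1)
    for i, pkt in enumerate(packets):
        out += struct.pack(endian + "IIII", 1_700_000_000 + i, 0, len(pkt), len(pkt)) + pkt
    return out


# Constructed sample: a 60-byte placeholder Ethernet frame (broadcast dst, IPv4
# ethertype, zero payload) standing in for packets captured around a match.
SAMPLE_FRAME = bytes.fromhex("ffffffffffff0011223344550800") + b"\x00" * 46

if __name__ == "__main__":
    single = build_pcap([SAMPLE_FRAME])
    extended = build_pcap([SAMPLE_FRAME] * 5)
    print(check_threat_capture(single, "single-packet"))       # (1, True)
    print(check_threat_capture(extended, "extended-capture"))  # (5, True)
    print(check_threat_capture(extended, "single-packet"))     # (5, False)
```

Feed it the file downloaded via Export; a result of `(n, False)` with n larger than the configured length usually means the Content-ID setting was changed after the capture was taken or a different firewall produced it, while a `ValueError` for truncation points at an incomplete download rather than a firewall problem.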