The following topics describe two ways that you can configure the firewall to take application packet captures:
Take a Packet Capture for Unknown Applications
Palo Alto Networks firewalls automatically generate a packet capture for sessions that contain an application that the firewall cannot identify. Typically, the only applications that are classified as unknown traffic (tcp, udp or non-syn-tcp) are commercially available applications that do not yet have App-ID signatures, internal or custom applications on your network, or potential threats. You can use these packet captures to gather more context related to the unknown application or use the information to analyze the traffic for potential threats. You can also Manage Custom or Unknown Applications by controlling them through security policy or by writing a custom application signature and creating a security rule based on the custom signature. If the application is a commercial application, you can submit the packet capture to Palo Alto Networks to have an App-ID signature created.
Identify Unknown Applications in Traffic Logs and View Packet Captures
Verify that unknown application packet capture is enabled. This option is on by default. To view the unknown application capture setting, run the following CLI command:
    admin@PA-200> show running application setting | match "Unknown capture"
If the unknown capture setting option is off, enable it:
    admin@PA-200> set application dump-unknown yes
Locate unknown applications by filtering the traffic logs. Select Monitor > Logs > Traffic. Click Add Filter and select the filters as shown in the following example.
Click Add and Apply Filter.
Click the packet capture icon to view the packet capture or Export it to your local system.
Take a Custom Application Packet Capture
You can configure a Palo Alto Networks firewall to take a packet capture based on an application name and filters that you define. You can then use the packet capture to troubleshoot issues with controlling an application. When configuring an application packet capture, you must use the application name defined in the App-ID database. You can view a list of all App-ID applications using Applipedia or from the web interface on the firewall in Objects > Applications.
Using a terminal emulation application, such as PuTTY, launch an SSH session to the firewall.
Turn on the application packet capture and define filters.
    admin@PA-200> set application dump on application <application-name> rule <rule-name>
For example, to capture packets for the facebook-base application that matches the security rule named rule1, run the following CLI command:
    admin@PA-200> set application dump on application facebook-base rule rule1
You can also apply other filters, such as source IP address and destination IP address.
View the output of the packet capture settings to ensure that the correct filters are applied. The output appears after enabling the packet capture. In the following output, you see that application filtering is now on based on the facebook-base application for traffic that matches rule1.

    Application setting:
    Application cache              : yes
    Supernode                      : yes
    Heuristics                     : yes
    Cache Threshold                : 16
    Bypass when exceeds queue limit: no
    Traceroute appid               : yes
    Traceroute TTL threshold       : 30
    Use cache for appid            : no
    Unknown capture                : on
    Max. unknown sessions          : 5000
    Current unknown sessions       : 0
    Application capture            : on
    Max. application sessions      : 5000
    Current application sessions   : 0

    Application filter setting:
    Rule                           : rule1
    From                           : any
    To                             : any
    Source                         : any
    Destination                    : any
    Protocol                       : any
    Source Port                    : any
    Dest. Port                     : any
    Application                    : facebook-base

    Current APPID Signature
    Signature Usage                : 21 MB (Max. 32 MB)
    TCP 1 C2S                      : 15503 states
    TCP 1 S2C                      : 5070 states
    TCP 2 C2S                      : 2426 states
    TCP 2 S2C                      : 702 states
    UDP 1 C2S                      : 11379 states
    UDP 1 S2C                      : 2967 states
    UDP 2 C2S                      : 755 states
    UDP 2 S2C                      : 224 states
Access Facebook from a web browser to generate Facebook traffic, and then turn off application packet capture by running the following CLI command:
    admin@PA-200> set application dump off
View/export the packet capture. Log in to the web interface on the firewall and select Monitor > Logs > Traffic. In the log entry that you are interested in, click the green packet capture icon in the second column. View the packet capture directly or Export it to your computer. The following screen capture shows the facebook-base packet capture.
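Added example (not part of the Palo Alto Networks documentation): a Python script that parses saved output of show running application setting and checks that the capture filter matches the intended application and rule while capturing, and that application capture is no longer on once troubleshooting is finished. The SAMPLE text is abridged and constructed from the output shown in this procedure, and the function names parse_settings and audit are hypothetical.

```python
# Added example: audit saved `show running application setting` output.
# SAMPLE is constructed (abridged) from the output shown in the procedure.
SAMPLE = """\
Application setting:
Unknown capture                : on
Max. unknown sessions          : 5000
Application capture            : on
Max. application sessions      : 5000

Application filter setting:
Rule                           : rule1
Source                         : any
Destination                    : any
Application                    : facebook-base
"""

def parse_settings(text):
    """Return {section: {key: value}} from the CLI output."""
    sections, current = {}, None
    for line in text.splitlines():
        key, _, value = (part.strip() for part in line.partition(":"))
        if not key:
            continue                      # blank line
        if not value:                     # header such as "Application setting:"
            current = sections.setdefault(key, {})
        elif current is not None:
            current[key] = value
    return sections

def audit(text, app=None, rule=None):
    """Return findings. Pass app and rule only while a capture should be running."""
    parsed = parse_settings(text)
    main = parsed.get("Application setting", {})
    filt = parsed.get("Application filter setting", {})
    capturing = main.get("Application capture") == "on"
    findings = []
    if main.get("Unknown capture") != "on":
        findings.append("unknown application capture is not on")
    if app is None:
        if capturing:
            findings.append("application capture is still on")
    elif not capturing:
        findings.append("application capture is not on")
    elif (filt.get("Application"), filt.get("Rule")) != (app, rule):
        findings.append("capture filter does not match the expected application and rule")
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE, app="facebook-base", rule="rule1"))  # during the capture
    print(audit(SAMPLE))                                     # after troubleshooting
```

Run it against output saved from the SSH session; an empty list means the settings match what the procedure expects at that point.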
