Take a Threat Packet Capture
To configure the firewall to take a packet capture (pcap) when it detects a threat, enable packet capture on Antivirus, Anti-Spyware, and Vulnerability Protection security profiles.
- Enable the packet capture option in the security profile.Some security profiles allow you to define a single-packet capture, or extended-capture. If you choose extended-capture, define the capture length. This will allow the firewall to capture more packets to provide additional context related to the threat.If the action for a given threat is set to an action other than allow, the firewall captures only the packet(s) that match the threat signature.
- Selectand enable the packet capture option for the supported profiles as follows:ObjectsSecurity Profiles
If the profile has signature exceptions defined, click theExceptionstab and in thePacket Capturecolumn for a signature, setsingle-packetorextended-capture.
- Antivirus—Select a custom antivirus profile and in theAntivirustab select thePacket Capturecheck box.
- Anti-Spyware—Select a custom Anti-Spyware profile, click theDNS Signaturestab and in thePacket Capturedrop-down, selectsingle-packetorextended-capture.
- Vulnerability Protection—Select a custom Vulnerability Protection profile and in theRulestab, clickAddto add a new rule, or select an existing rule. SetPacket Capturetosingle-packetorextended-capture.
- (Optional) If you selectedextended-capturefor any of the profiles, define the extended packet capture length.
- Selectand edit the Content-ID Settings.DeviceSetupContent-ID
- In theExtended Packet Capture Length (packets)section, specify the number of packets that the firewall will capture (range is 1-50; default is 5).
- Add the security profile (with packet capture enabled) to a Security Policy rule.
- Selectand select a rule.PoliciesSecurity
- Select theActionstab.
- In the Profile Settings section, select a profile that has packet capture enabled.For example, click theAntivirusdrop-down and select a profile that has packet capture enabled.
- View/export the packet capture from the Threat logs.
- In the log entry that you are interested in, click the green packet capture icon in the second column. View the packet capture directly orExportit to your system.
Enable Threat Packet Capture
Enable Threat Packet Capture Objects > Security Profiles To enable the firewall to capture packets when it detects a threat, enable the packet capture option ...
Objects > Security Profiles > Vulnerability Protection
Objects > Security Profiles > Vulnerability Protection A Security policy rule can include specification of a Vulnerability Protection profile that determines the level of protection ...
Objects > Security Profiles > Anti-Spyware Profile
Objects > Security Profiles > Anti-Spyware Profile You can attach an Anti-Spyware profile to a Security policy rule to detect connections initiated by spyware and ...
Packet Capture Overview
Packet Capture Overview You can configure a Palo Alto Networks firewall to perform a custom packet capture or a threat packet capture. Custom Packet Capture ...
Types of Packet Captures
Types of Packet Captures There are four different types of packet captures you can enable, depending on what you need to do: Custom Packet Capture ...
Configure DNS Sinkholing for a List of Custom Domains
Configure DNS Sinkholing for a List of Custom Domains To enable DNS Sinkholing for a custom list of domains, you must create an External Dynamic ...
Monitor > Packet Capture
Monitor > Packet Capture All Palo Alto Networks firewalls have a built-in packet capture (pcap) feature you can use to capture packets that traverse the ...
Create the Data Center Best Practice Vulnerability Protecti...
Protect your data center from attacks such as buffer overflows, illegal code execution, and other attempts to exploit vulnerabilities. ...
Building Blocks for a Custom Packet Capture
Building Blocks for a Custom Packet Capture The following table describes the components of the Monitor Packet Capture page that you use to configure packet ...