Take a Packet Capture for Unknown Applications
Palo Alto Networks firewalls automatically generate a packet capture for sessions that contain an application the firewall cannot identify. Typically, the only applications classified as unknown traffic (tcp, udp, or non-syn-tcp) are commercially available applications that do not yet have App-ID signatures, internal or custom applications on your network, or potential threats. You can use these packet captures to gather more context about the unknown application, or to analyze the traffic for potential threats. You can also Manage Custom or Unknown Applications by controlling them through security policy, or by writing a custom application signature and creating a security rule based on that signature. If the application is a commercial application, you can submit the packet capture to Palo Alto Networks to have an App-ID signature created.
- Verify that unknown application packet capture is enabled. This option is on by default.
  - To view the unknown application capture setting, run the following CLI command:
    admin@PA-220> show running application setting | match "Unknown capture"
  - If the unknown capture setting is off, enable it:
    admin@PA-220> set application dump-unknown yes
  - To confirm the change, view the setting again with the same show command.
- Locate unknown applications by filtering the traffic logs.
  - Select Monitor > Logs > Traffic.
  - Click Add Filter and select the filters as shown in the following example.
  - Click Add and Apply Filter.
- Click the packet capture icon to view the packet capture, or Export it to your local system.
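Once the traffic log has been exported, the unknown-application sessions can be triaged offline to decide which ones warrant a custom signature or a submission. The following script is an added example, not part of the original documentation or a Palo Alto Networks tool; the CSV column names and the log rows are constructed for the example and are not the firewall's exact export layout.

```python
import csv
import io
from collections import Counter

# Application names the firewall assigns to traffic it cannot identify
# (the three unknown classifications the text lists).
UNKNOWN_APPS = {"unknown-tcp", "unknown-udp", "non-syn-tcp"}

# Constructed sample of a traffic-log export. Column names are an
# assumption made for this example; adapt them to your real export.
SAMPLE_EXPORT = """\
receive_time,src,dst,dport,proto,app,pcap_id
2024-01-01 10:00:01,10.1.1.5,203.0.113.10,8443,tcp,unknown-tcp,1
2024-01-01 10:00:03,10.1.1.7,203.0.113.10,8443,tcp,unknown-tcp,2
2024-01-01 10:00:04,10.1.1.9,192.0.2.20,443,tcp,ssl,0
2024-01-01 10:00:09,10.1.2.3,198.51.100.4,5000,udp,unknown-udp,3
2024-01-01 10:00:10,10.1.1.5,203.0.113.10,8443,tcp,unknown-tcp,0
"""


def unknown_sessions(export_text):
    """Return the log rows whose app is one of the unknown classifications."""
    reader = csv.DictReader(io.StringIO(export_text))
    return [row for row in reader if row["app"] in UNKNOWN_APPS]


def sessions_with_pcap(rows):
    """Keep only sessions for which a capture was stored (pcap_id not 0/empty)."""
    return [r for r in rows if r.get("pcap_id", "0") not in ("", "0")]


def triage_by_destination(rows):
    """Count unknown sessions per (app, dst, dport) so the most common
    unidentified service is investigated or submitted first."""
    return Counter((r["app"], r["dst"], r["dport"]) for r in rows)


if __name__ == "__main__":
    unknown = unknown_sessions(SAMPLE_EXPORT)
    for key, count in triage_by_destination(unknown).most_common():
        print(count, key)
    print(len(sessions_with_pcap(unknown)), "sessions have a stored capture")
```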