Tips & Tricks: Enable Packet Captures on Security Profiles

Created On 09/25/18 19:22 PM - Last Modified 06/07/23 18:15 PM


Resolution



Today's Tips & Tricks is about enabling "Packet Capture" on Security Profiles.

 

One feature that is sometimes overlooked by security professionals is the Packet Capture option inside the Security Profiles, specifically the Antivirus, Anti-Spyware and Vulnerability Protection profiles. It is intended for reporting a false positive, or for troubleshooting any other issue with the behavior of these profiles. When the option is enabled, the firewall captures the packets that its inspection engine tagged as a threat, so you have the actual traffic behind a threat log entry rather than only the signature name.

 

To enable the feature, go to Objects > Security Profiles in the WebGUI and edit the profile in question.

 

Antivirus Profile


The Antivirus profile has a single Packet Capture check box. Select it to capture the packets identified as a threat.

 

Anti-Spyware Profile

The option is inside the DNS Signatures tab of the profile.

 

Vulnerability Protection Profile

The option is set per rule: open Rules, select the rule name and choose the Packet Capture setting.

Notice that Anti-Spyware and Vulnerability Protection offer three settings instead of a simple check box:

  • Disabled
    • No packets are captured for threats matched by this profile or rule.
  • Single Packet
    • Select single-packet to capture only the one packet on which the threat was detected.
  • Extended-capture
    • Select extended-capture to capture more packets. Extended-capture provides much more context about the threat when you analyze the threat logs yourself or provide the captures to TAC for analysis.

 

To define how many packets extended-capture collects, navigate to Device > Setup > Content-ID and edit the Threat Detection Settings section.

Set the number of packets to capture when the extended-capture option is enabled in Anti-Spyware and Vulnerability Protection profiles. The range is 1-50; the default is 5. This is a global setting, so it applies to every profile and rule that uses extended-capture.

 

To view a packet capture, navigate to Monitor > Logs > Threat, locate the log entry you are interested in and click the green down arrow in the second column. Packet captures are only taken when the profile action is allow or alert.

Note: If the action is set to block, the session is ended immediately, so there is no capture to view for that log entry.

 

For every packet capture you see inside the Threat logs, you also have the option to "Export" it. This saves the capture file locally on the client machine used to access the WebGUI, so it can be opened in Wireshark or attached to a TAC case.
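An exported threat capture is where the analysis usually starts, and a quick first pass is to see how many packets and flows it holds (one packet per flow means single-packet mode was in effect) and what payload the engine flagged. The script below is an added example written for this article, not Palo Alto Networks code; it assumes the exported file is a standard libpcap file with Ethernet framing (which is what Wireshark opens) and ships with a constructed three-packet sample so it runs offline. Run it with a file path to summarize a real export.

```python
import struct
import sys
from collections import Counter


def _ipv4_tcp_packet(src, dst, sport, dport, payload):
    """Build a minimal Ethernet/IPv4/TCP frame (checksums left zero) for the sample."""
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return eth + ip + tcp


def build_pcap(frames):
    """Serialize frames into a little-endian libpcap file (link type 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1_600_000_000 + i, 0, len(frame), len(frame)) + frame
    return out


# Constructed sample (not a real firewall export): a client request, the server reply
# and a bare ACK, the kind of short exchange an extended-capture of 5 packets holds.
SAMPLE_PCAP = build_pcap([
    _ipv4_tcp_packet("10.1.1.5", "198.51.100.7", 40000, 80,
                     b"GET /cgi-bin/test HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    _ipv4_tcp_packet("198.51.100.7", "10.1.1.5", 80, 40000, b"HTTP/1.1 200 OK\r\n\r\n"),
    _ipv4_tcp_packet("10.1.1.5", "198.51.100.7", 40000, 80, b""),
])


def parse_pcap(data):
    """Yield (timestamp, frame bytes) from a libpcap file; both byte orders are handled."""
    if data[:4] == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif data[:4] == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a libpcap file (pcapng or other format?)")
    linktype = struct.unpack(endian + "IHHiIII", data[:24])[6]
    if linktype != 1:
        raise ValueError(f"unsupported link type {linktype}; expected Ethernet")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        yield ts_sec + ts_usec / 1e6, data[off:off + incl_len]
        off += incl_len


def decode_frame(frame):
    """Return (src, sport, dst, dport, proto, payload) for IPv4 TCP/UDP frames, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None  # not IPv4; the summary just skips it
    ihl = (frame[14] & 0x0F) * 4
    proto = frame[23]
    src = ".".join(str(b) for b in frame[26:30])
    dst = ".".join(str(b) for b in frame[30:34])
    l4 = frame[14 + ihl:]
    if proto == 6 and len(l4) >= 20:
        sport, dport = struct.unpack("!HH", l4[:4])
        return src, sport, dst, dport, "tcp", l4[(l4[12] >> 4) * 4:]
    if proto == 17 and len(l4) >= 8:
        sport, dport = struct.unpack("!HH", l4[:4])
        return src, sport, dst, dport, "udp", l4[8:]
    return None


def summarize(data):
    """Count packets per 5-tuple and collect the non-empty payloads the engine saw."""
    flows = Counter()
    payloads = []
    for _ts, frame in parse_pcap(data):
        decoded = decode_frame(frame)
        if decoded is None:
            continue
        src, sport, dst, dport, proto, payload = decoded
        flows[(src, sport, dst, dport, proto)] += 1
        if payload:
            payloads.append(payload)
    return flows, payloads


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PCAP
    flows, payloads = summarize(data)
    total = sum(flows.values())
    print(f"{total} packet(s), {len(flows)} flow(s)"
          + (" - looks like a single-packet capture" if total == 1 else ""))
    for (src, sport, dst, dport, proto), n in flows.most_common():
        print(f"  {proto} {src}:{sport} -> {dst}:{dport}  {n} pkt(s)")
    for p in payloads:
        print("  payload:", p[:60])
```

Exported captures are short by design (at most the extended-capture count set under Threat Detection Settings), so a summary like this is often enough to confirm or dismiss a false positive before escalating to TAC.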

 

As always, we welcome your comments and feedback. If you like what you see, please let us know. If you want specific topics please let me know.

 

Thanks for reading,

Joe Delio



    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClXCCA0&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail