https://live.paloaltonetworks.com/t5/general-topics/complete-session-captures/m-p/31953#M23401 <HTML><HEAD></HEAD><BODY><P>If you are refering to the actual data in packets, then no.</P><P></P><P></P><P></P><P>Stephen</P></BODY></HTML> Thu, 03 Jun 2010 22:33:49 GMT swhyte 2010-06-03T22:33:49Z https://live.paloaltonetworks.com/t5/general-topics/complete-session-captures/m-p/31950#M23398 <HTML><HEAD></HEAD><BODY><P>Hi All,</P><P></P><P>In an attempt to displace a SNORT environment, with a PAN implementation for monitoring ( at this stage only ),</P><P>we need to be able to replicate complete session captures for forensic's ( internal security, police etc ).</P><P></P><P>Although its possible to capture packets for false positive reasons, how would I go about storing ( most likly off the appliance )</P><P>packet captures so they can be reviewed as sessions?</P><P></P><P>Cheers,</P><P>&nbsp;&nbsp;&nbsp;&nbsp; SteveRPCAP</P></BODY></HTML> Tue, 01 Jun 2010 20:33:41 GMT https://live.paloaltonetworks.com/t5/general-topics/complete-session-captures/m-p/31950#M23398 KatanaNZ 2010-06-01T20:33:41Z https://live.paloaltonetworks.com/t5/general-topics/complete-session-captures/m-p/31951#M23399 <HTML><HEAD></HEAD><BODY><P>Hello Katana,</P><P>while you are able to do packet captures on specific applications and threats on the Paloalto device, those packet captures are limited to just the first couple of packets. I assume that is not what you are looking for.</P><P>We can do packet filters, but once again the size would be limited. These captures are primarily for troubleshooting. From what you have described it seems you would like a full dump of all packets for all sessions that come accross the Paloalto device. Currently do not do this. But that is why we have the traffic logs which are very detailed with session info. You can in turn have the traffic logs sent to a syslog server if you desire.</P><P></P><P></P><P></P><P>thanks,</P><P>Stephen</P></BODY></HTML> Tue, 01 Jun 2010 22:21:41 GMT https://live.paloaltonetworks.com/t5/general-topics/complete-session-captures/m-p/31951#M23399 swhyte 2010-06-01T22:21:41Z https://live.paloaltonetworks.com/t5/general-topics/complete-session-captures/m-p/31952#M23400 <HTML><HEAD></HEAD><BODY><P>Will the traffic logs contain packet information though? Thats the key decider, as its needed for potential legal forensics.</P></BODY></HTML> Thu, 03 Jun 2010 02:43:39 GMT https://live.paloaltonetworks.com/t5/general-topics/complete-session-captures/m-p/31952#M23400 KatanaNZ 2010-06-03T02:43:39Z https://live.paloaltonetworks.com/t5/general-topics/complete-session-captures/m-p/31953#M23401 <HTML><HEAD></HEAD><BODY><P>If you are refering to the actual data in packets, then no.</P><P></P><P></P><P></P><P>Stephen</P></BODY></HTML> Thu, 03 Jun 2010 22:33:49 GMT https://live.paloaltonetworks.com/t5/general-topics/complete-session-captures/m-p/31953#M23401 swhyte 2010-06-03T22:33:49Z https://live.paloaltonetworks.com/t5/general-topics/complete-session-captures/m-p/31954#M23402 <HTML><HEAD></HEAD><BODY><P>If this was for a specific instance, the device can do session captures but it is not something you would leave on for all traffic going through the device. It would be targeted at tracking specific, suspect flows in the network for a brief period of time. For full network recording, a dedicated capture product would be necessary.</P></BODY></HTML> Fri, 04 Jun 2010 00:38:19 GMT https://live.paloaltonetworks.com/t5/general-topics/complete-session-captures/m-p/31954#M23402 mjacobsen 2010-06-04T00:38:19Z https://live.paloaltonetworks.com/t5/general-topics/complete-session-captures/m-p/31955#M23403 <HTML><HEAD></HEAD><BODY><P>What about session packet capture for specific regular expressions / templates in the data patterns filters. can I perform only this action?</P></BODY></HTML> Tue, 10 Aug 2010 16:13:33 GMT https://live.paloaltonetworks.com/t5/general-topics/complete-session-captures/m-p/31955#M23403 alexs 2010-08-10T16:13:33Z