https://live.paloaltonetworks.com/t5/general-topics/unknown-application-packet-capture/m-p/34795#M25543 <HTML><HEAD></HEAD><BODY><P>The following doc explains about unknow apps</P><P><A _jive_internal="true" class="active_link" href="https://live.paloaltonetworks.com/docs/DOC-2007">https://live.paloaltonetworks.com/docs/DOC-2007</A></P><P>Also following document explains how to request an new application</P><P><A _jive_internal="true" class="active_link" href="https://live.paloaltonetworks.com/docs/DOC-1879">https://live.paloaltonetworks.com/docs/DOC-1879</A></P><P>you can also create an app override for an application that is internal to your network and you know the port numbers</P><P><A _jive_internal="true" class="active_link" href="https://live.paloaltonetworks.com/docs/DOC-1071">https://live.paloaltonetworks.com/docs/DOC-1071</A></P><P>Following doc explains what application override does</P><P><A _jive_internal="true" class="active_link" href="https://live.paloaltonetworks.com/docs/DOC-1343">https://live.paloaltonetworks.com/docs/DOC-1343</A></P><P>Hope this helps.</P><P>Thanks</P></BODY></HTML> Tue, 06 Aug 2013 05:37:53 GMT mbutt 2013-08-06T05:37:53Z https://live.paloaltonetworks.com/t5/general-topics/unknown-application-packet-capture/m-p/34793#M25541 <HTML><HEAD></HEAD><BODY><P>Hi</P><P></P><P>I want know about Unknown packet capture.</P><P></P><P>Q1. Where is unknown pcap stored?</P><P> [Device] &gt; [Setup] &gt; [Management] &gt; [ Logging and Reporting Settings]</P><P> App Pkt Capture ?</P><P></P><P>Q2. I want know Unknown Pcap Usage.</P><P></P><P>Q3. When is capture unknown packet in PA packet flow?</P><P></P><P>Regards,</P></BODY></HTML> Mon, 05 Aug 2013 06:17:34 GMT https://live.paloaltonetworks.com/t5/general-topics/unknown-application-packet-capture/m-p/34793#M25541 smaekawa 2013-08-05T06:17:34Z https://live.paloaltonetworks.com/t5/general-topics/unknown-application-packet-capture/m-p/34794#M25542 <HTML><HEAD></HEAD><BODY><P style="font-size: 12px; font-family: Arial, Helvetica, sans-serif; color: #000000; background-color: #ffffff;"><SPAN style="text-decoration: underline;"><STRONG>Q1. Where is unknown pcap stored?<SPAN style="line-height: 1.5em;">[Device] &gt; [Setup] &gt; [Management] &gt; [ Logging and Reporting Settings]</SPAN>App Pkt Capture ?</STRONG></SPAN></P><P style="font-size: 12px; font-family: Arial, Helvetica, sans-serif; color: #000000; background-color: #ffffff;"><SPAN style="text-decoration: underline;"><STRONG><BR /></STRONG></SPAN></P><P style="font-size: 12px; font-family: Arial, Helvetica, sans-serif; color: #000000; background-color: #ffffff;">Application PCAPs are stored&nbsp; at the following path<STRONG> /opt/panlogs/session/pan/application/ </STRONG>.</P><P style="font-size: 12px; font-family: Arial, Helvetica, sans-serif; color: #000000; background-color: #ffffff;"><SPAN style="color: #000000; font-family: Arial, Helvetica, sans-serif; font-size: 12px; background-color: #ffffff;">These&nbsp; PCAPs will appear in the traffic log as a little green arrow .</SPAN></P><P style="font-size: 12px; font-family: Arial, Helvetica, sans-serif; color: #000000; background-color: #ffffff;">You can use the&nbsp; CLI command <SPAN style="color: #000000; font-family: Arial, Helvetica, sans-serif; font-size: 12px; background-color: #ffffff;"><SPAN style="text-decoration: underline;"><STRONG>view-pcap</STRONG></SPAN><SPAN style="text-decoration: underline;"><STRONG> application-pcap</STRONG></SPAN><SPAN style="text-decoration: underline;"><STRONG> &lt;date&gt;/"</STRONG></SPAN>&nbsp;&nbsp; to view the Application pcaps</SPAN></P><P style="font-size: 12px; font-family: Arial, Helvetica, sans-serif; color: #000000; background-color: #ffffff;"><SPAN style="color: #000000; font-family: Arial, Helvetica, sans-serif; font-size: 12px; background-color: #ffffff;">[Device] &gt; [Setup] &gt; [Management] &gt; [ Logging and Reporting Settings] is where you can alter the Storage Quota for various logs and PCAPs </SPAN></P><P style="font-size: 12px; font-family: Arial, Helvetica, sans-serif; color: #000000; background-color: #ffffff;"><SPAN style="color: #000000; font-family: Arial, Helvetica, sans-serif; font-size: 12px; background-color: #ffffff;"><BR /></SPAN></P><P style="font-size: 12px; font-family: Arial, Helvetica, sans-serif; color: #000000; background-color: #ffffff;"><SPAN style="text-decoration: underline;"><STRONG>Q2. I want know Unknown Pcap Usage.</STRONG></SPAN></P><P style="font-size: 12px; font-family: Arial, Helvetica, sans-serif; color: #000000; background-color: #ffffff;"></P><P style="font-size: 12px; font-family: Arial, Helvetica, sans-serif; color: #000000; background-color: #ffffff;">Can be viewed using CLI command :</P><P style="font-size: 12px; font-family: Arial, Helvetica, sans-serif; color: #000000; background-color: #ffffff;"></P><P style="font-size: 12px; font-family: Arial, Helvetica, sans-serif; color: #000000; background-color: #ffffff;">&gt; show system logdb-quota</P><P></P><P>Quotas:</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; traffic: 32.00%, 38.060 GB</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; threat: 16.00%, 19.030 GB</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; system: 4.00%, 4.758 GB</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; config: 4.00%, 4.758 GB</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; alarm: 3.00%, 3.568 GB</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; trsum: 7.00%, 8.326 GB</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; hourlytrsum: 3.00%, 3.568 GB</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; dailytrsum: 1.00%, 1.189 GB</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; weeklytrsum: 1.00%, 1.189 GB</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; thsum: 2.00%, 2.379 GB</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; hourlythsum: 1.00%, 1.189 GB</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; dailythsum: 1.00%, 1.189 GB</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; weeklythsum: 1.00%, 1.189 GB</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; appstat: 6.00%, 7.136 GB</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; userid: 1.00%, 1.189 GB</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; hipmatch: 3.00%, 3.568 GB</P><P>&nbsp;&nbsp; application-pcaps: 1.00%, 1.189 GB</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; threat-pcaps: 1.00%, 1.189 GB</P><P>&nbsp; debug-filter-pcaps: 1.00%, 1.189 GB</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; hip-reports: 1.00%, 1.189 GB</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; dlp-logs: 1.00%, 1.189 GB</P><P>Disk usage:</P><P>traffic: Logs: 59M, Index: 14M</P><P>threat: Logs: 42M, Index: 12M</P><P>system: Logs: 5.6M, Index: 904K</P><P>config: Logs: 17M, Index: 184K</P><P>alarm: Logs: 20K, Index: 20K</P><P>trsum: Logs: 86M, Index: 4.1M</P><P>hourlytrsum: Logs: 2.7M, Index: 1.5M</P><P>dailytrsum: Logs: 944K, Index: 1.4M</P><P>weeklytrsum: Logs: 468K, Index: 224K</P><P>thsum: Logs: 192K, Index: 192K</P><P>hourlythsum: Logs: 176K, Index: 176K</P><P>dailythsum: Logs: 168K, Index: 168K</P><P>weeklythsum: Logs: 32K, Index: 32K</P><P>appstatdb: Logs: 1.1M, Index: 852K</P><P>userid: Logs: 100K, Index: 52K</P><P>hipmatch: Logs: 20K, Index: 20K</P><P><EM><SPAN style="text-decoration: underline;"><STRONG>application-pcaps: 1.4M </STRONG></SPAN> &lt;&lt;====<STRONG>App PCAP usage</STRONG></EM></P><P>threat-pcaps: 4.0K</P><P>debug-filter-pcaps: 12K</P><P>dlp-logs: 4.0K</P><P>hip-reports: 1.1M</P><P>wildfire: 16K</P><P></P><P style="font-size: 12px; font-family: Arial, Helvetica, sans-serif; color: #000000; background-color: #ffffff;"><SPAN style="text-decoration: underline;"><STRONG>Q3. When is capture unknown packet in PA packet flow?</STRONG></SPAN></P><P style="font-size: 12px; font-family: Arial, Helvetica, sans-serif; color: #000000; background-color: #ffffff;"><SPAN style="line-height: 1.5em;">When PA firewall is unable to identify the application using APP-ID ,the application will be termed as unknown (unknown/</SPAN>-tcp,unknown-udp,non-sysn-tcp).</P><P style="font-size: 12px; font-family: Arial, Helvetica, sans-serif; color: #000000; background-color: #ffffff;"><SPAN style="line-height: 1.5em;"><BR /></SPAN></P><P style="font-size: 12px; font-family: Arial, Helvetica, sans-serif; color: #000000; background-color: #ffffff;"><SPAN style="line-height: 1.5em;">Following Tech </SPAN>note will give you detailed Information about unknown apps and how to report them to Palto Alto.</P><P style="font-size: 12px; font-family: Arial, Helvetica, sans-serif; color: #000000; background-color: #ffffff;"><A __default_attr="2007" __jive_macro_name="document" class="jive_macro jive_macro_document" href="https://live.paloaltonetworks.com/"></A></P></BODY></HTML> Mon, 05 Aug 2013 07:28:19 GMT https://live.paloaltonetworks.com/t5/general-topics/unknown-application-packet-capture/m-p/34794#M25542 UhMayYeah 2013-08-05T07:28:19Z https://live.paloaltonetworks.com/t5/general-topics/unknown-application-packet-capture/m-p/34795#M25543 <HTML><HEAD></HEAD><BODY><P>The following doc explains about unknow apps</P><P><A _jive_internal="true" class="active_link" href="https://live.paloaltonetworks.com/docs/DOC-2007">https://live.paloaltonetworks.com/docs/DOC-2007</A></P><P>Also following document explains how to request an new application</P><P><A _jive_internal="true" class="active_link" href="https://live.paloaltonetworks.com/docs/DOC-1879">https://live.paloaltonetworks.com/docs/DOC-1879</A></P><P>you can also create an app override for an application that is internal to your network and you know the port numbers</P><P><A _jive_internal="true" class="active_link" href="https://live.paloaltonetworks.com/docs/DOC-1071">https://live.paloaltonetworks.com/docs/DOC-1071</A></P><P>Following doc explains what application override does</P><P><A _jive_internal="true" class="active_link" href="https://live.paloaltonetworks.com/docs/DOC-1343">https://live.paloaltonetworks.com/docs/DOC-1343</A></P><P>Hope this helps.</P><P>Thanks</P></BODY></HTML> Tue, 06 Aug 2013 05:37:53 GMT https://live.paloaltonetworks.com/t5/general-topics/unknown-application-packet-capture/m-p/34795#M25543 mbutt 2013-08-06T05:37:53Z