<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic pcap best practices in General Topics</title>
    <link>https://live.paloaltonetworks.com/t5/general-topics/does-enabling-packet-capture-on-security-profiles-degrade-system/m-p/63732#M38299</link>
    <description>&lt;P&gt;Hi gentlemen,&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Officially, packet capture will degrade performance when extensively used or when used with very wide filters (or without filters, argh). Do not go trigger happy on pcaps if you don't know what you will use them for &lt;span class="lia-unicode-emoji" title=":slightly_smiling_face:"&gt;🙂&lt;/span&gt; Enabling them as Vince described probably will not have a (significant) impact on your firewalls' performance. Although, if you see high MP CPU, you might consider disabling them, as that means that the firewall is lagging in writing to the disk - then you want to be sure your logs are written even in the peak / surge situations, and leave pcaps for troubleshooting purposes.&lt;/P&gt;&lt;P&gt;Do NOT enable them on 2k or 4k chassis unless you are sure disk I/O is OK and acceptable, those have HDDs and not SSDs, they can take fewer logs per second.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Enabling pcaps on threat prevention profiles is a good practice because whenever you report a false positive to Palo Alto Networks TAC they will ask you for a pcap of at least the first packet, along with other information. If you enable them they'll be collected anyway, and you will not have to replicate the issue to report it.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Regards&lt;/P&gt;</description>
    <pubDate>Thu, 27 Aug 2015 18:00:07 GMT</pubDate>
    <dc:creator>Lucky</dc:creator>
    <dc:date>2015-08-27T18:00:07Z</dc:date>
    <item>
      <title>Does enabling Packet Capture on Security Profiles degrade system performance?</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/does-enabling-packet-capture-on-security-profiles-degrade-system/m-p/63669#M38277</link>
      <description>&lt;P&gt;Does enabling Packet Capture on Security Profiles degrade system performance?&lt;/P&gt;&lt;P&gt;The client has 3 5050's, one placed at each of 3 different sites. &amp;nbsp;Are there any other costs or limitations associated with enabling this feature? &amp;nbsp;Is single-packet or extended-capture preferred?&lt;/P&gt;&lt;P&gt;Does Palo Alto have any best practices around this feature?&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Thanks.&lt;/P&gt;</description>
      <pubDate>Thu, 27 Aug 2015 00:00:20 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/does-enabling-packet-capture-on-security-profiles-degrade-system/m-p/63669#M38277</guid>
      <dc:creator>vsolwazi</dc:creator>
      <dc:date>2015-08-27T00:00:20Z</dc:date>
    </item>
    <item>
      <title>Re: Does enabling Packet Capture on Security Profiles degrade system performance?</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/does-enabling-packet-capture-on-security-profiles-degrade-system/m-p/63691#M38281</link>
      <description>&lt;P&gt;Hi,&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;First, ask yourself about the aim for these pcaps. Most customers would like to enable pcap but they don't know what they will be able to do with it &lt;span class="lia-unicode-emoji" title=":slightly_smiling_face:"&gt;🙂&lt;/span&gt;&lt;/P&gt;&lt;P&gt;Enabling pcap, from my experience, has no impact on the Palo. For disk space, by default, the max is 1% of your disk size.&lt;/P&gt;&lt;P&gt;Extended pcap, if configured, allows you to see more info and maybe to see if the attack is successful or not.&lt;/P&gt;&lt;P&gt;Refer to this doc:&amp;nbsp;&lt;A href="https://live.paloaltonetworks.com/t5/Articles/How-to-Configure-Extended-Packet-Capture/ta-p/53873" target="_blank"&gt;https://live.paloaltonetworks.com/t5/Articles/How-to-Configure-Extended-Packet-Capture/ta-p/53873&lt;/A&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Pcap is enabled by default on unknown-udp, unknown-tcp and insufficient-data.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Hope this helps.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;V.&lt;/P&gt;</description>
      <pubDate>Thu, 27 Aug 2015 08:29:58 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/does-enabling-packet-capture-on-security-profiles-degrade-system/m-p/63691#M38281</guid>
      <dc:creator>VinceM</dc:creator>
      <dc:date>2015-08-27T08:29:58Z</dc:date>
    </item>
    <item>
      <title>Re: Does enabling Packet Capture on Security Profiles degrade system performance?</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/does-enabling-packet-capture-on-security-profiles-degrade-system/m-p/63730#M38297</link>
      <description>&lt;P&gt;Thanks Vince!&lt;/P&gt;</description>
      <pubDate>Thu, 27 Aug 2015 17:36:53 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/does-enabling-packet-capture-on-security-profiles-degrade-system/m-p/63730#M38297</guid>
      <dc:creator>vsolwazi</dc:creator>
      <dc:date>2015-08-27T17:36:53Z</dc:date>
    </item>
    <item>
      <title>pcap best practices</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/does-enabling-packet-capture-on-security-profiles-degrade-system/m-p/63732#M38299</link>
      <description>&lt;P&gt;Hi gentlemen,&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Officially, packet capture will degrade performance when extensively used or when used with very wide filters (or without filters, argh). Do not go trigger happy on pcaps if you don't know what you will use them for &lt;span class="lia-unicode-emoji" title=":slightly_smiling_face:"&gt;🙂&lt;/span&gt; Enabling them as Vince described probably will not have a (significant) impact on your firewalls' performance. Although, if you see high MP CPU, you might consider disabling them, as that means that the firewall is lagging in writing to the disk - then you want to be sure your logs are written even in the peak / surge situations, and leave pcaps for troubleshooting purposes.&lt;/P&gt;&lt;P&gt;Do NOT enable them on 2k or 4k chassis unless you are sure disk I/O is OK and acceptable, those have HDDs and not SSDs, they can take fewer logs per second.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Enabling pcaps on threat prevention profiles is a good practice because whenever you report a false positive to Palo Alto Networks TAC they will ask you for a pcap of at least the first packet, along with other information. If you enable them they'll be collected anyway, and you will not have to replicate the issue to report it.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Regards&lt;/P&gt;</description>
      <pubDate>Thu, 27 Aug 2015 18:00:07 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/does-enabling-packet-capture-on-security-profiles-degrade-system/m-p/63732#M38299</guid>
      <dc:creator>Lucky</dc:creator>
      <dc:date>2015-08-27T18:00:07Z</dc:date>
    </item>
    <item>
      <title>Re: pcap best practices</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/does-enabling-packet-capture-on-security-profiles-degrade-system/m-p/63733#M38300</link>
      <description>&lt;P&gt;Thanks!&lt;/P&gt;</description>
      <pubDate>Thu, 27 Aug 2015 18:02:40 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/does-enabling-packet-capture-on-security-profiles-degrade-system/m-p/63733#M38300</guid>
      <dc:creator>vsolwazi</dc:creator>
      <dc:date>2015-08-27T18:02:40Z</dc:date>
    </item>
    <item>
      <title>Re: pcap best practices</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/does-enabling-packet-capture-on-security-profiles-degrade-system/m-p/72962#M41287</link>
      <description>&lt;P&gt;Hi, is there a way to enable pcap on specific threat signatures only instead of the whole profile?&lt;/P&gt;</description>
      <pubDate>Wed, 17 Feb 2016 07:01:58 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/does-enabling-packet-capture-on-security-profiles-degrade-system/m-p/72962#M41287</guid>
      <dc:creator>jkreyes</dc:creator>
      <dc:date>2016-02-17T07:01:58Z</dc:date>
    </item>
    <item>
      <title>Re: pcap best practices</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/does-enabling-packet-capture-on-security-profiles-degrade-system/m-p/73011#M41305</link>
      <description>&lt;P&gt;Hi, J.K.,&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;I am not aware of any practical way to do it. You could create exceptions for some threats, but that would not only exempt them from getting a pcap but also from receiving the action set in such a rule (it would not be blocked, you would not get an alert, and no connection would be reset) so ... no, sorry, that's such an impractical overkill for a simple task.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;For what it's worth, you can always collect all pcaps, and then occasionally use a filter rule for threat logs to see only logs with pcaps, so you could&amp;nbsp; add threat IDs or names to build upon this filter and see on what days you have pcaps you want to keep:&lt;/P&gt;
&lt;PRE&gt;( pcap_id neq 0 )&lt;/PRE&gt;
&lt;P&gt;Once you have found out what pcaps you WANT to keep out of all you have, note the dates they occurred on, then proceed and delete the directories for all other pcaps. You can use an asterisk to partially replace the date; in the example below I deleted only pcaps from days of the month starting with 1* in Sept 2015:&lt;/P&gt;
&lt;PRE&gt;luciano@PA-200&amp;gt; delete pcap directory 201509
  20150918   2015/09/19 00:59:52        4.0K
  20150919   2015/09/20 00:21:49        4.0K
  20150920   2015/09/21 01:55:55        4.0K
  20150921   2015/09/22 00:11:41        4.0K
  20150922   2015/09/22 23:29:07        4.0K
  20150923   2015/09/24 00:07:17       12.0K
  20150924   2015/09/24 23:45:41        4.0K
  20150925   2015/09/26 01:18:24        4.0K
  20150926   2015/09/26 10:03:44        4.0K
  20150927   2015/09/27 23:38:44        4.0K
  20150928   2015/09/28 21:50:09        4.0K
  20150929   2015/09/30 00:06:27        4.0K
  20150930   2015/10/01 00:04:34        4.0K
  &amp;lt;value&amp;gt;    Directory name
  &amp;lt;Enter&amp;gt;    Finish input

luciano@PA-200&amp;gt; delete pcap directory 2015091
  20150918   2015/09/19 00:59:52        4.0K
  20150919   2015/09/20 00:21:49        4.0K
  &amp;lt;value&amp;gt;    Directory name
  &amp;lt;Enter&amp;gt;    Finish input

luciano@PA-200&amp;gt; delete pcap directory 2015091*

successfully removed 2015091*
luciano@PA-200&amp;gt; delete pcap directory 2015091
  &amp;lt;value&amp;gt;  Directory name
  &amp;lt;Enter&amp;gt;  Finish input

luciano@PA-200&amp;gt; delete pcap directory 201509
  20150920   2015/09/21 01:55:55        4.0K
  20150921   2015/09/22 00:11:41        4.0K
  20150922   2015/09/22 23:29:07        4.0K
&lt;/PRE&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Not too much of a help with this footwork, but at this moment I can't figure out better or even any other way to keep pcaps you want but to still try to free some space on your device by deleting unneeded pcaps.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;I was thinking it could be scripted out, perhaps, by reading logs from CLI and sorting this information out, but that's out of the scope of support offered from this community member &lt;span class="lia-unicode-emoji" title=":slightly_smiling_face:"&gt;🙂&lt;/span&gt; You can always request a feature through SE who is supporting your organisation, in the worst case.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Best regards,&lt;/P&gt;
&lt;P&gt;&lt;BR /&gt;Luciano&lt;/P&gt;</description>
      <pubDate>Wed, 17 Feb 2016 22:07:47 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/does-enabling-packet-capture-on-security-profiles-degrade-system/m-p/73011#M41305</guid>
      <dc:creator>Lucky</dc:creator>
      <dc:date>2016-02-17T22:07:47Z</dc:date>
    </item>
  </channel>
</rss>

