https://live.paloaltonetworks.com/t5/general-topics/what-is-the-reason-for-packet-capture/m-p/7658#M5656 <HTML><HEAD></HEAD><BODY><P>There is a setting somewhere if unknown traffic should be captured or not by default.</P><P></P><P>The reason is to have a sample to send for analysis if needed (or investage on your own) - for example in order to create a custom appid (either on your own or by support from PaloAlto).</P><P></P><P>The packetcapture can also be setup for various IPS and (I think) AV signatures - same here to have a sample in case false positive occurs or such.</P></BODY></HTML> Mon, 04 Mar 2013 20:14:02 GMT mikand 2013-03-04T20:14:02Z https://live.paloaltonetworks.com/t5/general-topics/what-is-the-reason-for-packet-capture/m-p/7657#M5655 <HTML><HEAD></HEAD><BODY><P>Hello all,</P><P></P><P>We recently flattened our lab firewall and configured it as a tap firewall. It currently has only one security policy which is an allow all policy. The firewall currently has one zone and the only other non-standard default config is a handful of custom applications and application overrides.</P><P>What I did was set a filter in the traffic logs of "flags has pcap" and surprisingly to me, there were actual packet captures. The traffic consisted of unknown-tcp and udp, incomplete data and a couple of traceroutes. However, it doesn't capture packets for all of any one of those categories, which begs the question:</P><P>Why is the firewall capturing data from seemingly random traffic from the categories of unknown-tcp, unknown-udp, incomplete data and traceroute?</P><P></P><P>Thanks,</P><P>Ben</P></BODY></HTML> Mon, 04 Mar 2013 20:10:40 GMT https://live.paloaltonetworks.com/t5/general-topics/what-is-the-reason-for-packet-capture/m-p/7657#M5655 bgranholm 2013-03-04T20:10:40Z https://live.paloaltonetworks.com/t5/general-topics/what-is-the-reason-for-packet-capture/m-p/7658#M5656 <HTML><HEAD></HEAD><BODY><P>There is a setting somewhere if unknown traffic should be captured or not by default.</P><P></P><P>The reason is to have a sample to send for analysis if needed (or investage on your own) - for example in order to create a custom appid (either on your own or by support from PaloAlto).</P><P></P><P>The packetcapture can also be setup for various IPS and (I think) AV signatures - same here to have a sample in case false positive occurs or such.</P></BODY></HTML> Mon, 04 Mar 2013 20:14:02 GMT https://live.paloaltonetworks.com/t5/general-topics/what-is-the-reason-for-packet-capture/m-p/7658#M5656 mikand 2013-03-04T20:14:02Z https://live.paloaltonetworks.com/t5/general-topics/what-is-the-reason-for-packet-capture/m-p/7659#M5657 <HTML><HEAD></HEAD><BODY><P>I have combed the firewall for that setting and I am not finding it. I have default settings for the security profiles and I don't have them applied anywhere. Anyone else want to take a shot?</P></BODY></HTML> Mon, 04 Mar 2013 21:13:52 GMT https://live.paloaltonetworks.com/t5/general-topics/what-is-the-reason-for-packet-capture/m-p/7659#M5657 bgranholm 2013-03-04T21:13:52Z https://live.paloaltonetworks.com/t5/general-topics/what-is-the-reason-for-packet-capture/m-p/7660#M5658 <HTML><HEAD></HEAD><BODY><P>Please refer the following docs:-</P><P></P><P><A __default_attr="4734" __jive_macro_name="document" class="jive_macro jive_macro_document" href="https://live.paloaltonetworks.com/"></A></P><P><A __default_attr="2221" __jive_macro_name="document" class="jive_macro jive_macro_document" href="https://live.paloaltonetworks.com/"></A></P></BODY></HTML> Tue, 05 Mar 2013 03:04:32 GMT https://live.paloaltonetworks.com/t5/general-topics/what-is-the-reason-for-packet-capture/m-p/7660#M5658 sraghunandan 2013-03-05T03:04:32Z