How to Configure Extended Packet Capture

32517
Created On 09/25/18 17:15 PM - Last Modified 11/09/23 07:24 AM


Resolution


Overview

PAN-OS 6.0 introduced the ability to capture more than a single packet (up to 50) for threats that are logged on the Palo Alto Networks firewall.

Extended Packet Capture can be useful for:

  • Determining if an attack is successful
  • Learning more about the methods used by the attacker
  • Validating maliciousness of traffic with more context

Note: Extended Packet Capture is only available in Anti-Spyware and Vulnerability Protection profiles.


Steps

  1. Go to Device > Setup > Content-ID and edit Threat Detection Settings.
  2. Configure the number of packets you would like to capture (max. 50 packets):
    [Screenshot omitted: Screen Shot 2013-11-15 at 15.46.12.png]
  3. Go to Objects > Security Profiles > Vulnerability Protection.
  4. Enable "extended-capture" mode for Packet Capture on a vulnerability protection profile:
    [Screenshot omitted: Screen Shot 2013-11-15 at 15.48.45.png]

    Note: This screenshot shows, as an example, how to create a profile rule that collects extended captures for any vulnerability. You can edit a more granular rule and enable extended captures only for a particular severity level. If you need to enable extended captures for only one vulnerability, please read this article.
  5. Apply this profile to a Security Policy. It is also possible to change the logdb quota (max. 90% quota) for Extended Packet Capture:
    [Screenshot omitted: Screen Shot 2013-11-15 at 15.39.45.png]

Important: If the "action" of the profile is set to block, only a single packet will be captured.
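Because a blocking action silently reduces an extended capture to a single packet, it is worth checking a configuration export for rules that set "extended-capture" but also block the session. The following is an added example, not code from the article or from Palo Alto Networks: it parses a constructed, simplified XML fragment modelled on a vulnerability-profile export. The element names (`vulnerability`, `rules`, `action`, `packet-capture`) and the action names used here are an assumption; compare them with your own exported configuration before relying on the check.

```python
"""Audit vulnerability-profile rules for extended-capture settings that will
not deliver more than one packet because the rule also blocks the session.

The XML layout below is a constructed approximation of a PAN-OS config export
(element and action names are an assumption; verify against your own export).
"""
import xml.etree.ElementTree as ET

# Constructed sample configuration: two profiles with a mix of rules.
SAMPLE_CONFIG = """<config>
  <devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
    <profiles><vulnerability>
      <entry name="strict-capture">
        <rules>
          <entry name="crit-alert">
            <severity><member>critical</member></severity>
            <action><alert/></action>
            <packet-capture>extended-capture</packet-capture>
          </entry>
          <entry name="high-block">
            <severity><member>high</member></severity>
            <action><reset-both/></action>
            <packet-capture>extended-capture</packet-capture>
          </entry>
          <entry name="medium-single">
            <severity><member>medium</member></severity>
            <action><alert/></action>
            <packet-capture>single-packet</packet-capture>
          </entry>
        </rules>
      </entry>
      <entry name="default-like">
        <rules>
          <entry name="all-drop">
            <severity><member>any</member></severity>
            <action><drop/></action>
            <packet-capture>disable</packet-capture>
          </entry>
        </rules>
      </entry>
    </vulnerability></profiles>
  </entry></vsys></entry></devices>
</config>"""

# Actions that end the session; with these only a single packet is captured
# regardless of the packet-capture setting (assumed action names).
BLOCKING_ACTIONS = {"drop", "reset-client", "reset-server", "reset-both", "block-ip"}


def audit_extended_capture(xml_text):
    """Return (profile, rule, action, capture_mode, finding) for every rule."""
    root = ET.fromstring(xml_text)
    findings = []
    for vuln in root.iter("vulnerability"):
        for profile in vuln.findall("entry"):
            pname = profile.get("name")
            for rule in profile.findall("./rules/entry"):
                action_el = rule.find("action")
                # The action is encoded as an empty child element, e.g. <alert/>.
                action = list(action_el)[0].tag if action_el is not None and len(action_el) else "default"
                capture = rule.findtext("packet-capture", default="disable")
                if capture == "extended-capture" and action in BLOCKING_ACTIONS:
                    finding = "ineffective: blocking action limits capture to one packet"
                elif capture == "extended-capture":
                    finding = "ok: extended capture effective"
                else:
                    finding = "no extended capture configured"
                findings.append((pname, rule.get("name"), action, capture, finding))
    return findings


def effective_extended_rules(xml_text):
    """(profile, rule) pairs where extended capture will actually collect packets."""
    return [(p, r) for p, r, _, _, f in audit_extended_capture(xml_text) if f.startswith("ok")]


def ineffective_extended_rules(xml_text):
    """(profile, rule) pairs that request extended capture but block the session."""
    return [(p, r) for p, r, _, _, f in audit_extended_capture(xml_text) if f.startswith("ineffective")]


if __name__ == "__main__":
    for row in audit_extended_capture(SAMPLE_CONFIG):
        print("%-16s %-14s action=%-10s capture=%-16s %s" % row)
```

Run it against your own export by reading the file into `audit_extended_capture`; rules reported as "ineffective" should either have their action relaxed to alert (if the goal is to study the attack) or have the expectation of a multi-packet capture dropped.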


owner: rvanderveken



https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClEHCA0&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail