In an attempt to displace a SNORT environment, with a PAN implementation for monitoring ( at this stage only ),
we need to be able to replicate complete session captures for forensic's ( internal security, police etc ).
Although its possible to capture packets for false positive reasons, how would I go about storing ( most likly off the appliance )
packet captures so they can be reviewed as sessions?
while you are able to do packet captures on specific applications and threats on the Paloalto device, those packet captures are limited to just the first couple of packets. I assume that is not what you are looking for.
We can do packet filters, but once again the size would be limited. These captures are primarily for troubleshooting. From what you have described it seems you would like a full dump of all packets for all sessions that come accross the Paloalto device. Currently do not do this. But that is why we have the traffic logs which are very detailed with session info. You can in turn have the traffic logs sent to a syslog server if you desire.
If this was for a specific instance, the device can do session captures but it is not something you would leave on for all traffic going through the device. It would be targeted at tracking specific, suspect flows in the network for a brief period of time. For full network recording, a dedicated capture product would be necessary.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!