I've noticed a boatload of application-pcaps - between 5-15k, on days where they are captured. There are captures from most days, but not every day.
As far as I know, I don't have any traffic captures enabled. All of the following show that captures are disabled:
1. debug dataplane packet-diag show setting (capture and logs disabled on all dataplanes)
2. show running application setting (unknown capture and application capture are disabled)
3. debug ike pcap show (no ipsec config anyhow)
What else could be triggering these captures? Maybe they are used as a part of some firewall feature?
This is on PA-5060 running 6.0.5.
Where are you seeing these captures ? I think these might be getting captured due to one of the security profiles like for some of the threat pcap/extended pcap takes place.
I thought this was it, but nope - I disabled the AV profile packet capture yesterday, but there are thousands of new pcaps today:
admin@firewall(active-primary)> view-pcap application-pcap 20141217/
Display all 16625 possibilities? (y or n)
I've exported the device config and the Panorama config to grep through. All capture options are disabled in both places.
Are there conditions under which a device might capture packets anyhow?
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!