Complete session captures

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Complete session captures

L3 Networker

Hi All,

In an attempt to displace a SNORT environment, with a PAN implementation for monitoring ( at this stage only ),

we need to be able to replicate complete session captures for forensic's ( internal security, police etc ).

Although its possible to capture packets for false positive reasons, how would I go about storing ( most likly off the appliance )

packet captures so they can be reviewed as sessions?

Cheers,

     SteveRPCAP

5 REPLIES 5

L4 Transporter

Hello Katana,

while you are able to do packet captures on specific applications and threats on the Paloalto device, those packet captures are limited to just the first couple of packets. I assume that is not what you are looking for.

We can do packet filters, but once again the size would be limited. These captures are primarily for troubleshooting. From what you have described it seems you would like a full dump of all packets for all sessions that come accross the Paloalto device. Currently do not do this. But that is why we have the traffic logs which are very detailed with session info. You can in turn have the traffic logs sent to a syslog server if you desire.

thanks,

Stephen

Will the traffic logs contain packet information though? Thats the key decider, as its needed for potential legal forensics.

If you are refering to the actual data in packets, then no.

Stephen

L4 Transporter

If this was for a specific instance, the device can do session captures but it is not something you would leave on for all traffic going through the device. It would be targeted at tracking specific, suspect flows in the network for a brief period of time. For full network recording, a dedicated capture product would be necessary.

What about session packet capture for specific regular expressions / templates in the data patterns filters. can I perform only this action?

  • 3824 Views
  • 5 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!