06-01-2010 01:33 PM
Hi All,
In an attempt to displace a SNORT environment with a PAN implementation for monitoring (at this stage only), we need to be able to replicate complete session captures for forensics (internal security, police etc.).
Although it's possible to capture packets for false positive reasons, how would I go about storing (most likely off the appliance) packet captures so they can be reviewed as sessions?
Cheers,
SteveRPCAP
06-01-2010 03:21 PM
Hello Katana,
While you are able to do packet captures on specific applications and threats on the Palo Alto device, those packet captures are limited to just the first couple of packets. I assume that is not what you are looking for.
We can do packet filters, but once again the size would be limited. These captures are primarily for troubleshooting. From what you have described it seems you would like a full dump of all packets for all sessions that come across the Palo Alto device. Currently we do not do this. But that is why we have the traffic logs, which are very detailed with session info. You can in turn have the traffic logs sent to a syslog server if you desire.
thanks,
Stephen
06-02-2010 07:43 PM
Will the traffic logs contain packet information though? That's the key decider, as it's needed for potential legal forensics.
06-03-2010 03:33 PM
If you are referring to the actual data in packets, then no.
Stephen
06-03-2010 05:38 PM
If this was for a specific instance, the device can do session captures but it is not something you would leave on for all traffic going through the device. It would be targeted at tracking specific, suspect flows in the network for a brief period of time. For full network recording, a dedicated capture product would be necessary.
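The original question asks how stored packet captures can be reviewed as sessions, and the reply above points to a dedicated capture product for full network recording. The following is an added example, not code from the thread or from Palo Alto Networks: a dependency-free reader for classic libpcap files (the format tcpdump and most capture products write) that groups IPv4 TCP/UDP frames into direction-independent sessions keyed by the 5-tuple, and records a SHA-256 of the capture file so the stored evidence can be checked for integrity later. The capture bytes are constructed inline so it runs offline; `build_frame`, `build_pcap` and the addresses used are assumptions for the sample only.

```python
"""Index a stored pcap by session (bidirectional 5-tuple) and hash it for evidence integrity.
Added example with constructed sample data; not PAN-OS code."""
import hashlib
import struct
from collections import defaultdict

LINKTYPE_ETHERNET = 1
PCAP_MAGIC_LE = 0xA1B2C3D4

def ip_bytes(addr):
    """Dotted-quad string -> 4 raw bytes."""
    return bytes(int(x) for x in addr.split("."))

def ip_str(raw):
    """4 raw bytes -> dotted-quad string."""
    return ".".join(str(b) for b in raw)

def build_frame(src, dst, sport, dport, proto=6, payload=b""):
    """Construct an Ethernet/IPv4/TCP-or-UDP frame (checksums zero; sample data only)."""
    eth = b"\x00" * 12 + struct.pack("!H", 0x0800)
    if proto == 6:  # TCP: data offset 5 words, PSH|ACK flags
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 0xFFFF, 0, 0) + payload
    else:           # UDP
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     ip_bytes(src), ip_bytes(dst))
    return eth + ip + l4

def build_pcap(frames):
    """Wrap frames in a classic little-endian libpcap file, one second apart."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for i, frame in enumerate(frames):
        out.append(struct.pack("<IIII", 1_000_000 + i, 0, len(frame), len(frame)) + frame)
    return b"".join(out)

def iter_frames(data):
    """Yield (timestamp, frame_bytes) from a classic pcap image; reject truncated records."""
    (magic,) = struct.unpack_from("<I", data, 0)
    if magic == PCAP_MAGIC_LE:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic libpcap file")
    (linktype,) = struct.unpack_from(endian + "I", data, 20)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled here")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        frame = data[off:off + incl_len]
        if len(frame) < incl_len:
            raise ValueError("truncated packet record at offset %d" % off)
        off += incl_len
        yield ts_sec + ts_usec / 1e6, frame

def flow_key(frame):
    """Direction-independent key (proto, endpointA, endpointB) for IPv4 TCP/UDP, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None  # not IPv4 (e.g. ARP)
    ihl = (frame[14] & 0x0F) * 4
    proto = frame[23]
    l4 = 14 + ihl
    if proto not in (6, 17) or len(frame) < l4 + 4:
        return None
    sport, dport = struct.unpack_from("!HH", frame, l4)
    ends = sorted([(ip_str(frame[26:30]), sport), (ip_str(frame[30:34]), dport)])
    return (proto, ends[0], ends[1])

def sessions_from_pcap(data):
    """Group frames into sessions with packet/byte counts and first/last timestamps."""
    sessions = defaultdict(lambda: {"packets": 0, "bytes": 0, "first": None, "last": None})
    for ts, frame in iter_frames(data):
        key = flow_key(frame)
        if key is None:
            continue
        s = sessions[key]
        s["packets"] += 1
        s["bytes"] += len(frame)
        s["first"] = ts if s["first"] is None else min(s["first"], ts)
        s["last"] = ts if s["last"] is None else max(s["last"], ts)
    return dict(sessions)

def evidence_digest(data):
    """SHA-256 of the capture file, to record alongside the stored copy."""
    return hashlib.sha256(data).hexdigest()

# Constructed sample: one HTTP exchange, one DNS exchange, one ARP frame (skipped).
SAMPLE_PCAP = build_pcap([
    build_frame("10.0.0.5", "192.0.2.10", 40000, 80, payload=b"GET / HTTP/1.0\r\n\r\n"),
    build_frame("192.0.2.10", "10.0.0.5", 80, 40000, payload=b"HTTP/1.0 200 OK\r\n\r\n"),
    build_frame("10.0.0.5", "192.0.2.10", 40000, 80),
    build_frame("10.0.0.5", "192.0.2.53", 53000, 53, proto=17, payload=b"\x12\x34" + b"\x00" * 10),
    build_frame("192.0.2.53", "10.0.0.5", 53, 53000, proto=17, payload=b"\x12\x34" + b"\x00" * 10),
    b"\x00" * 12 + b"\x08\x06" + b"\x00" * 28,
])

if __name__ == "__main__":
    print("sha256:", evidence_digest(SAMPLE_PCAP))
    for key, summary in sessions_from_pcap(SAMPLE_PCAP).items():
        print(key, summary)
```

Because the key sorts the two endpoints, request and reply packets land in the same session regardless of direction, which is what a reviewer wants when reconstructing a conversation from a rotated capture set; the digest is computed over the file as stored so that a later copy can be compared against the recorded value.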
08-10-2010 09:13 AM
What about session packet capture for specific regular expressions / templates in the data pattern filters? Can I perform only this action?