Does enabling Packet Capture on Security Profiles degrade system peformance?

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Does enabling Packet Capture on Security Profiles degrade system peformance?

L1 Bithead

Does enabling Packet Capture on Security Profiles degrade system peformance?

The client has 3 5050's, one placed at each of 3 different sites.  Are there any other costs or limitations assosicated with enabling this feature?  Is single-packet or extended-capture preferred?

Does Palo Alto have any best practices around this feature?

 

Thanks.

2 accepted solutions

Accepted Solutions

L5 Sessionator

Hi,

 

First, ask yourself about the aim for these pcap. Most of customer would like to enable pcap but they don't know what they will be able to do with 🙂

Enabling pcap, from my experience, have no impact on the palo. From disk space, by default, the max is 1% of you disk size.

Extended pcap, if configured, allow you to see more info and maybe to see if the attack is successfull or not.

refer this doc: https://live.paloaltonetworks.com/t5/Articles/How-to-Configure-Extended-Packet-Capture/ta-p/53873

 

Pcap is enable by default on unknown-udp, unknown-tcp and insufficient-data.

 

Hope help.

 

V.

View solution in original post

Hi gentlemen,

 

Officially, packet capture will degrade performance when extensively used or when used with very wide filters (or without filters, argh). Do not go trigger happy on pcaps if you don't know what you will use them for 🙂 Enabling them as Vince described probably will not have (significant) impact onto your firewalls' performance. Allthough, if you see high MP CPU, you might consider disabling them, as that means that firewall is lagging in writing to the disk - than you want to be sure your logs are written even in the peak / surge situations, and leave pcaps for troubleshooting purposes.

Do NOT enable them on 2k or 4k chassis unless you are sure disk I/O is OK and acceptable, those have HDDs and not SSDs, they can take less logs per second.

 

Enabling pcaps on threats prevention profiles is a good practice because whenever you report false positive to Palo Alto Networks TAC they will ask you for pcap of at least the first packet, along with other information. If you enable them they'll be collected anyways, you will not have to replicate issue for reporting it.

 

Regards

View solution in original post

6 REPLIES 6

L5 Sessionator

Hi,

 

First, ask yourself about the aim for these pcap. Most of customer would like to enable pcap but they don't know what they will be able to do with 🙂

Enabling pcap, from my experience, have no impact on the palo. From disk space, by default, the max is 1% of you disk size.

Extended pcap, if configured, allow you to see more info and maybe to see if the attack is successfull or not.

refer this doc: https://live.paloaltonetworks.com/t5/Articles/How-to-Configure-Extended-Packet-Capture/ta-p/53873

 

Pcap is enable by default on unknown-udp, unknown-tcp and insufficient-data.

 

Hope help.

 

V.

Thanks Vince!

Hi gentlemen,

 

Officially, packet capture will degrade performance when extensively used or when used with very wide filters (or without filters, argh). Do not go trigger happy on pcaps if you don't know what you will use them for 🙂 Enabling them as Vince described probably will not have (significant) impact onto your firewalls' performance. Allthough, if you see high MP CPU, you might consider disabling them, as that means that firewall is lagging in writing to the disk - than you want to be sure your logs are written even in the peak / surge situations, and leave pcaps for troubleshooting purposes.

Do NOT enable them on 2k or 4k chassis unless you are sure disk I/O is OK and acceptable, those have HDDs and not SSDs, they can take less logs per second.

 

Enabling pcaps on threats prevention profiles is a good practice because whenever you report false positive to Palo Alto Networks TAC they will ask you for pcap of at least the first packet, along with other information. If you enable them they'll be collected anyways, you will not have to replicate issue for reporting it.

 

Regards

Thanks!

Hi, is there a way to enable pcap on specific threat signatures only instead of the whole profile?

Hi, J.K.,

 

I am not aware of any practical way to do it. You could create exceptions for some threats but that would not except them only from getting pcap but also from receiving the action set in such rule (it would not be blocked, you would not get alert or no connection would be reset) so ... no, sorry, that's such an upractical overkill for a simple task.

 

For what it's worth, you can always collect all pcaps, and than occassionally use filter rule for threat logs to see only logs with pcaps, so you could  add threat IDs or names to build upon this filter and see on what days you have pcaps you want to keep:

( pcap_id neq 0 )

Once you found out what pcaps you WANT to keep out of all you have, note the dates they occured on, than proceed and delete directories for all other pcaps. You can use asterisk to partially replace date, in example below I deleted only pcaps from days of the month starting with 1* in Sept 2015:

luciano@PA-200> delete pcap directory 201509
  20150918   2015/09/19 00:59:52        4.0K
  20150919   2015/09/20 00:21:49        4.0K
  20150920   2015/09/21 01:55:55        4.0K
  20150921   2015/09/22 00:11:41        4.0K
  20150922   2015/09/22 23:29:07        4.0K
  20150923   2015/09/24 00:07:17       12.0K
  20150924   2015/09/24 23:45:41        4.0K
  20150925   2015/09/26 01:18:24        4.0K
  20150926   2015/09/26 10:03:44        4.0K
  20150927   2015/09/27 23:38:44        4.0K
  20150928   2015/09/28 21:50:09        4.0K
  20150929   2015/09/30 00:06:27        4.0K
  20150930   2015/10/01 00:04:34        4.0K
  <value>    Directory name
  <Enter>    Finish input

luciano@PA-200> delete pcap directory 2015091
  20150918   2015/09/19 00:59:52        4.0K
  20150919   2015/09/20 00:21:49        4.0K
  <value>    Directory name
  <Enter>    Finish input

luciano@PA-200> delete pcap directory 2015091*

successfully removed 2015091*
luciano@PA-200> delete pcap directory 2015091
  <value>  Directory name
  <Enter>  Finish input

luciano@PA-200> delete pcap directory 201509
  20150920   2015/09/21 01:55:55        4.0K
  20150921   2015/09/22 00:11:41        4.0K
  20150922   2015/09/22 23:29:07        4.0K

 

Not too much of a help with this footwork, but at this moment I can't figure out better or even any other way to keep pcaps you want but to still try to free some space on your device by deleting unneeded pcaps.

 

I was thinking it could be scripted out, perhaps, by reading logs from CLI and sorting this information out, but that's out of the scope of support offered from this community member 🙂 You can always request a feature through SE who is supporting your organisation, in the worst case.

 

Best regards,


Luciano

  • 2 accepted solutions
  • 5018 Views
  • 6 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!