08-04-2013 11:17 PM
Hi,
I want to know about unknown packet capture.
Q1. Where is the unknown pcap stored?
[Device] > [Setup] > [Management] > [Logging and Reporting Settings]
App Pkt Capture?
Q2. I want to know the unknown pcap usage.
Q3. When is an unknown packet captured in the PA packet flow?
Regards,
08-05-2013 12:28 AM
Q1. Where is the unknown pcap stored? [Device] > [Setup] > [Management] > [Logging and Reporting Settings] App Pkt Capture?
Application PCAPs are stored at the following path: /opt/panlogs/session/pan/application/
These PCAPs will appear in the traffic log as a little green arrow.
You can use the CLI command "view-pcap application-pcap <date>/" to view the application pcaps.
[Device] > [Setup] > [Management] > [Logging and Reporting Settings] is where you can alter the storage quota for various logs and PCAPs.
Q2. I want to know the unknown pcap usage.
This can be viewed using the CLI command:
> show system logdb-quota
Quotas:
traffic: 32.00%, 38.060 GB
threat: 16.00%, 19.030 GB
system: 4.00%, 4.758 GB
config: 4.00%, 4.758 GB
alarm: 3.00%, 3.568 GB
trsum: 7.00%, 8.326 GB
hourlytrsum: 3.00%, 3.568 GB
dailytrsum: 1.00%, 1.189 GB
weeklytrsum: 1.00%, 1.189 GB
thsum: 2.00%, 2.379 GB
hourlythsum: 1.00%, 1.189 GB
dailythsum: 1.00%, 1.189 GB
weeklythsum: 1.00%, 1.189 GB
appstat: 6.00%, 7.136 GB
userid: 1.00%, 1.189 GB
hipmatch: 3.00%, 3.568 GB
application-pcaps: 1.00%, 1.189 GB
threat-pcaps: 1.00%, 1.189 GB
debug-filter-pcaps: 1.00%, 1.189 GB
hip-reports: 1.00%, 1.189 GB
dlp-logs: 1.00%, 1.189 GB
Disk usage:
traffic: Logs: 59M, Index: 14M
threat: Logs: 42M, Index: 12M
system: Logs: 5.6M, Index: 904K
config: Logs: 17M, Index: 184K
alarm: Logs: 20K, Index: 20K
trsum: Logs: 86M, Index: 4.1M
hourlytrsum: Logs: 2.7M, Index: 1.5M
dailytrsum: Logs: 944K, Index: 1.4M
weeklytrsum: Logs: 468K, Index: 224K
thsum: Logs: 192K, Index: 192K
hourlythsum: Logs: 176K, Index: 176K
dailythsum: Logs: 168K, Index: 168K
weeklythsum: Logs: 32K, Index: 32K
appstatdb: Logs: 1.1M, Index: 852K
userid: Logs: 100K, Index: 52K
hipmatch: Logs: 20K, Index: 20K
application-pcaps: 1.4M <<====App PCAP usage
threat-pcaps: 4.0K
debug-filter-pcaps: 12K
dlp-logs: 4.0K
hip-reports: 1.1M
wildfire: 16K
Q3. When is an unknown packet captured in the PA packet flow?
When the PA firewall is unable to identify the application using App-ID, the application will be termed unknown (unknown-tcp, unknown-udp, non-syn-tcp).
The following tech note will give you detailed information about unknown apps and how to report them to Palo Alto.
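The quota and usage lines from "show system logdb-quota" are easy to eyeball once but awkward to watch over time. The script below is an added example for this thread, not code from the post or from Palo Alto Networks: it parses the two sections of that output (the "Quotas:" block with "<name>: <pct>%, <size> GB" lines and the "Disk usage:" block with either "Logs: X, Index: Y" or a single size per store), reports each *-pcaps store's usage as a percentage of its quota, and flags any store above a threshold. The sample output is constructed from the post with the debug-filter-pcaps usage raised to 1.1G so the check has something to flag; the layout, the binary meaning of the K/M/G suffixes, and that raised value are assumptions.

```python
"""Parse `show system logdb-quota` output and report pcap usage against quota.

Added example, not from the original post or from Palo Alto Networks. Assumes
the two-section layout seen in the thread: a "Quotas:" block of
"<name>: <pct>%, <size> GB" lines and a "Disk usage:" block of either
"Logs: <size>, Index: <size>" or a single du-style size per log type.
"""
import re

# Constructed sample: trimmed from the output in the post, with the
# debug-filter-pcaps usage raised to 1.1G (not from the post) so the
# threshold check below has something to flag.
SAMPLE_OUTPUT = """\
Quotas:
    traffic: 32.00%, 38.060 GB
    application-pcaps: 1.00%, 1.189 GB
    threat-pcaps: 1.00%, 1.189 GB
    debug-filter-pcaps: 1.00%, 1.189 GB
Disk usage:
    traffic: Logs: 59M, Index: 14M
    application-pcaps: 1.4M
    threat-pcaps: 4.0K
    debug-filter-pcaps: 1.1G
    wildfire: 16K
"""

# Assumption: the suffixes are binary units, as du prints them.
_UNIT = {"": 1, "K": 1024, "M": 1024 ** 2, "G": 1024 ** 3, "T": 1024 ** 4}
_SIZE_RE = re.compile(r"(\d+(?:\.\d+)?)([KMGT]?)\b")
_QUOTA_RE = re.compile(r"([\d.]+)%,\s*([\d.]+)\s*GB")


def parse_size(text):
    """Convert a du-style size such as '1.4M' or '4.0K' to bytes."""
    m = _SIZE_RE.fullmatch(text.strip())
    if m is None:
        raise ValueError(f"unrecognised size: {text!r}")
    value, unit = m.groups()
    return int(float(value) * _UNIT[unit])


def parse_logdb_quota(output):
    """Return {log_type: {"quota_pct", "quota_bytes", "used_bytes"}}.

    quota_pct / quota_bytes stay None for stores that appear only under
    "Disk usage:" (e.g. wildfire in the sample).
    """
    entries = {}
    section = None
    for raw in output.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith(":"):  # section headings: "Quotas:" / "Disk usage:"
            section = line[:-1].lower()
            continue
        name, _, rest = line.partition(":")
        entry = entries.setdefault(
            name.strip(), {"quota_pct": None, "quota_bytes": None, "used_bytes": 0})
        if section == "quotas":
            m = _QUOTA_RE.search(rest)
            if m is None:
                raise ValueError(f"unrecognised quota line: {line!r}")
            entry["quota_pct"] = float(m.group(1))
            entry["quota_bytes"] = round(float(m.group(2)) * _UNIT["G"])
        elif section == "disk usage":
            # Log stores list "Logs: X, Index: Y"; pcap stores list one size.
            # Summing every size on the line handles both shapes.
            entry["used_bytes"] = sum(
                parse_size(m.group(0)) for m in _SIZE_RE.finditer(rest))
    return entries


def pcap_usage(entries):
    """Percent of quota consumed by each *-pcaps store, keyed by store name."""
    report = {}
    for name, e in entries.items():
        if name.endswith("-pcaps") and e["quota_bytes"]:
            report[name] = 100.0 * e["used_bytes"] / e["quota_bytes"]
    return dict(sorted(report.items()))


def over_threshold(entries, threshold_pct):
    """Names of pcap stores whose usage exceeds threshold_pct of their quota."""
    return [n for n, pct in pcap_usage(entries).items() if pct > threshold_pct]


if __name__ == "__main__":
    parsed = parse_logdb_quota(SAMPLE_OUTPUT)
    for store, pct in pcap_usage(parsed).items():
        print(f"{store:20s} {parsed[store]['used_bytes']:>12d} B  {pct:6.2f}% of quota")
    print("over 80%:", over_threshold(parsed, 80.0))
```

Feed it the real output of the command (for example via the management API or an SSH session) instead of SAMPLE_OUTPUT; a store that is near its quota is the reason a new unknown-application pcap may fail to appear, since the oldest files are purged to stay within the 1% default.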
08-05-2013 10:37 PM
The following doc explains unknown apps:
https://live.paloaltonetworks.com/docs/DOC-2007
The following document explains how to request a new application:
https://live.paloaltonetworks.com/docs/DOC-1879
You can also create an app override for an application that is internal to your network and whose port numbers you know:
https://live.paloaltonetworks.com/docs/DOC-1071
The following doc explains what application override does:
https://live.paloaltonetworks.com/docs/DOC-1343
Hope this helps.
Thanks