We recently flattened our lab firewall and configured it as a tap firewall. It currently has only one security policy which is an allow all policy. The firewall currently has one zone and the only other non-standard default config is a handful of custom applications and application overrides.
What I did was set a filter in the traffic logs of "flags has pcap" and surprisingly to me, there were actual packet captures. The traffic consisted of unknown-tcp and udp, incomplete data and a couple of traceroutes. However, it doesn't capture packets for all of any one of those categories, which begs the question:
Why is the firewall capturing data from seemingly random traffic from the categories of unknown-tcp, unknown-udp, incomplete data and traceroute?
There is a setting somewhere if unknown traffic should be captured or not by default.
The reason is to have a sample to send for analysis if needed (or investigate on your own) - for example in order to create a custom appid (either on your own or by support from PaloAlto).
The packet capture can also be set up for various IPS and (I think) AV signatures - same here to have a sample in case a false positive occurs or such.
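To triage what the answer above describes, it helps to look at the pcap-flagged sessions across a whole log export rather than one row at a time. The following Python script is an added example (not code from this thread or from Palo Alto Networks) that reproduces the "flags has pcap" filter over an exported traffic-log CSV, shows per application how many sessions of each category actually carry a capture (only a sample, as the poster observed), flags captures on applications outside the unknown/incomplete/traceroute sampling categories for review, and groups the sampled unknown traffic by destination and port as candidates for a custom App-ID. The CSV column names, the sample rows, and the flag bit value are assumptions: the log data is constructed, and the pcap bit is taken from the PAN-OS syslog field reference for the traffic log's "Flags" field and should be verified against your PAN-OS version.

```python
import csv
import io
from collections import Counter, defaultdict

# Bit in the traffic-log "Flags" field that marks a session with a packet
# capture attached. ASSUMPTION: from the PAN-OS syslog field reference;
# verify against the version you are running.
PCAP_FLAG = 0x80000000

# Applications the firewall samples for App-ID analysis (the categories
# the poster saw in the traffic log).
SAMPLED_APPS = {"unknown-tcp", "unknown-udp", "incomplete", "traceroute"}

# Constructed sample of a traffic-log CSV export; not real firewall output,
# and the column names are an assumption about the export format.
SAMPLE_CSV = """Receive Time,Source address,Destination address,Destination Port,Application,Flags,Session End Reason
2024/01/10 09:00:01,10.0.0.5,192.0.2.10,8443,unknown-tcp,0x80000000,tcp-rst-from-server
2024/01/10 09:00:03,10.0.0.5,192.0.2.10,8443,unknown-tcp,0x00000000,tcp-fin
2024/01/10 09:00:07,10.0.0.9,198.51.100.4,5004,unknown-udp,0x80400000,aged-out
2024/01/10 09:00:12,10.0.0.12,192.0.2.20,443,incomplete,0x80000000,aged-out
2024/01/10 09:00:15,10.0.0.12,192.0.2.20,443,ssl,0x01000000,tcp-fin
2024/01/10 09:00:20,10.0.0.3,203.0.113.7,33434,traceroute,0x80000000,aged-out
2024/01/10 09:00:25,10.0.0.3,203.0.113.7,33435,traceroute,0x00000000,aged-out
2024/01/10 09:00:30,10.0.0.8,192.0.2.30,80,web-browsing,0x80000000,tcp-fin
"""


def has_pcap(flags_field: str) -> bool:
    """Row-level equivalent of the GUI filter '( flags has pcap )'."""
    return bool(int(flags_field, 16) & PCAP_FLAG)


def parse_traffic_log(text: str) -> list[dict]:
    """Read an exported traffic-log CSV into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def pcap_sessions(rows: list[dict]) -> list[dict]:
    """Only the sessions that have a packet capture attached."""
    return [r for r in rows if has_pcap(r["Flags"])]


def summarize_by_app(rows: list[dict]) -> dict:
    """Per application: sessions seen, sessions with a pcap, and the ratio.
    Makes visible that only a sample of each category gets captured."""
    total = Counter(r["Application"] for r in rows)
    captured = Counter(r["Application"] for r in pcap_sessions(rows))
    return {
        app: {
            "sessions": total[app],
            "with_pcap": captured[app],
            "ratio": captured[app] / total[app],
        }
        for app in total
    }


def captures_outside_sampling(rows: list[dict]) -> list[dict]:
    """Pcap-flagged sessions whose application is not one the firewall
    samples for App-ID. These are worth checking against the threat logs
    and the capture settings in the security profiles applied."""
    return [r for r in pcap_sessions(rows) if r["Application"] not in SAMPLED_APPS]


def custom_appid_candidates(rows: list[dict]) -> dict:
    """Group captured unknown/incomplete sessions by destination and port,
    i.e. the samples you would pull when writing a custom App-ID."""
    groups = defaultdict(int)
    for r in pcap_sessions(rows):
        if r["Application"] in SAMPLED_APPS:
            groups[(r["Destination address"], r["Destination Port"])] += 1
    return dict(groups)


if __name__ == "__main__":
    log = parse_traffic_log(SAMPLE_CSV)
    for app, stats in summarize_by_app(log).items():
        print(f"{app:14s} sessions={stats['sessions']} with_pcap={stats['with_pcap']} ratio={stats['ratio']:.2f}")
    for r in captures_outside_sampling(log):
        print("pcap on non-sampled app:", r["Application"], r["Source address"], "->", r["Destination address"])
    print("custom App-ID sample groups:", custom_appid_candidates(log))
```

Point the script at a real export by replacing `SAMPLE_CSV` with the file contents; if your export uses different column labels, only the dictionary keys in the helper functions need to change.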