What is the reason for packet capture?

bgranholm
L2 Linker

Hello all,

We recently flattened our lab firewall and configured it as a tap firewall. It currently has only one security policy which is an allow all policy. The firewall currently has one zone and the only other non-standard default config is a handful of custom applications and application overrides.

What I did was set a filter in the traffic logs of "flags has pcap" and surprisingly to me, there were actual packet captures. The traffic consisted of unknown-tcp and udp, incomplete data and a couple of traceroutes. However, it doesn't capture packets for all of any one of those categories, which begs the question:

Why is the firewall capturing data from seemingly random traffic from the categories of unknown-tcp, unknown-udp, incomplete data and traceroute?

Thanks,

Ben
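An added example, not from the original post and not Palo Alto Networks code, that reproduces the "flags has pcap" traffic-log filter offline over a constructed log export and summarizes, per application, how many sessions carry a capture. The column names and the text form of the flags field are assumptions for this example; a real PAN-OS export uses its own header names and encodes flags differently.

```python
import csv
import io
from collections import defaultdict

# Constructed sample of an exported traffic log. The column names and the
# whitespace-separated text form of the "flags" column are assumptions made
# for this example, not the real export format.
SAMPLE_EXPORT = """receive_time,src,dst,app,flags,bytes
2024/01/01 10:00:01,10.1.1.5,192.0.2.10,unknown-tcp,pcap,1532
2024/01/01 10:00:04,10.1.1.6,192.0.2.11,unknown-tcp,,820
2024/01/01 10:00:09,10.1.1.7,192.0.2.12,unknown-tcp,pcap,2210
2024/01/01 10:00:12,10.1.1.5,192.0.2.20,unknown-udp,pcap,410
2024/01/01 10:00:15,10.1.1.8,192.0.2.21,unknown-udp,,390
2024/01/01 10:00:20,10.1.1.9,192.0.2.30,incomplete,pcap,120
2024/01/01 10:00:22,10.1.1.9,192.0.2.31,incomplete,,64
2024/01/01 10:00:30,10.1.1.5,192.0.2.40,traceroute,pcap,96
2024/01/01 10:00:33,10.1.1.5,192.0.2.41,traceroute,,96
2024/01/01 10:00:40,10.1.1.6,192.0.2.50,web-browsing,,15400
2024/01/01 10:00:45,10.1.1.7,192.0.2.51,web-browsing,,9800
"""


def parse_export(text):
    """Parse the CSV export into dict rows; the flags column becomes a set of names."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["flags"] = {f for f in row["flags"].split() if f}
        rows.append(row)
    return rows


def flags_has(rows, flag):
    """Offline equivalent of the UI filter 'flags has <flag>'."""
    return [r for r in rows if flag in r["flags"]]


def capture_summary(rows):
    """Per application: (sessions that carry a pcap, total sessions)."""
    totals = defaultdict(int)
    captured = defaultdict(int)
    for r in rows:
        totals[r["app"]] += 1
        if "pcap" in r["flags"]:
            captured[r["app"]] += 1
    return {app: (captured[app], totals[app]) for app in totals}


def partially_captured_apps(rows):
    """Apps where some, but not all, sessions have a capture: the pattern the question describes."""
    return sorted(app for app, (c, t) in capture_summary(rows).items() if 0 < c < t)


if __name__ == "__main__":
    rows = parse_export(SAMPLE_EXPORT)
    for app, (c, t) in sorted(capture_summary(rows).items()):
        print(f"{app:14s} captured {c}/{t}")
    print("partially captured:", partially_captured_apps(rows))
```

Running the summary against a real export (after adjusting the column names to match it) shows at a glance which applications are being sampled rather than fully captured, which is the observation the question is about.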


Accepted Solutions
sraghunandan
L5 Sessionator

Please refer to the following docs:

All Replies
mikand
L6 Presenter

There is a setting somewhere for whether unknown traffic should be captured or not by default.

The reason is to have a sample to send for analysis if needed (or investigate on your own) - for example in order to create a custom appid (either on your own or by support from Palo Alto).

The packet capture can also be set up for various IPS and (I think) AV signatures - same here, to have a sample in case a false positive occurs or such.

bgranholm
L2 Linker

I have combed the firewall for that setting and I am not finding it. I have default settings for the security profiles and I don't have them applied anywhere. Anyone else want to take a shot?
