PAN-OS 6.0 introduced the ability to capture more than a single packet (up to 50) for threats that are logged on the Palo Alto Networks firewall.
Extended Packet Capture can be useful for:
Determining if an attack is successful
Learning more about the methods used by the attacker
Validating maliciousness of traffic with more context
Note: Extended Packet Capture is only available on Anti-Spyware and Vulnerability profiles.
Steps
Go to Device > Setup > Content-ID and edit Threat Detection Settings.
Configure the number of packets you would like to capture (max. 50 packets):
Go to Objects > Security Profiles > Vulnerability Protection.
Enable "extended-capture" mode for Packet Capture on a vulnerability protection profile:
Note: This screenshot shows, as an example, how to create a policy that collects extended captures for any vulnerability. You can edit a more granular policy and enable extended captures only for particular severity levels. If you need to enable extended captures for only one vulnerability, please read this article.
Apply this profile to a Security Policy. It is also possible to change the logdb quota (max. 90% quota) for Extended Packet Capture:
Important: If the "action" of the profile is set to block, only a single packet will be captured.
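Because a blocking action silently reduces an extended capture to a single packet, it is worth checking an exported configuration for vulnerability profile rules that request extended-capture but use a blocking action. The script below is an added example, not Palo Alto Networks code; the XML layout (profiles/vulnerability/entry/rules/entry with action and packet-capture children) is an assumption modelled on PAN-OS configuration exports and the embedded sample config is constructed, so verify the element names against your own export before relying on it.

```python
"""Audit a PAN-OS configuration export for Vulnerability Protection rules
whose packet-capture setting is 'extended-capture' but whose action blocks.
Per the article, a blocking action only ever yields a single packet.

The XML layout below is an assumption modelled on PAN-OS config exports;
verify element names against your own export before relying on the results.
"""
import xml.etree.ElementTree as ET

# Actions that terminate the session: extended capture falls back to one packet.
BLOCKING_ACTIONS = {"drop", "reset-client", "reset-server", "reset-both", "block-ip"}

# Constructed sample config (not a real export): three profiles, one of which
# combines extended-capture with a blocking action.
SAMPLE_CONFIG = """<config>
  <devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
    <profiles><vulnerability>
      <entry name="extended-alert">
        <rules><entry name="all-critical">
          <action><alert/></action>
          <severity><member>critical</member></severity>
          <packet-capture>extended-capture</packet-capture>
        </entry></rules>
      </entry>
      <entry name="extended-but-blocking">
        <rules><entry name="all-high">
          <action><reset-both/></action>
          <severity><member>high</member></severity>
          <packet-capture>extended-capture</packet-capture>
        </entry></rules>
      </entry>
      <entry name="single-only">
        <rules><entry name="all-medium">
          <action><drop/></action>
          <severity><member>medium</member></severity>
          <packet-capture>single-packet</packet-capture>
        </entry></rules>
      </entry>
    </vulnerability></profiles>
  </entry></vsys></entry></devices>
</config>"""


def rule_action(rule):
    """Return the action name of a rule: the tag of the child element under <action>."""
    action = rule.find("action")
    if action is None or len(action) == 0:
        return "default"
    return action[0].tag


def audit_extended_capture(config_xml):
    """Return (profile, rule, action, blocked) for every rule using extended-capture.

    'blocked' is True when the action will limit the capture to one packet."""
    root = ET.fromstring(config_xml)
    findings = []
    for vuln in root.iter("vulnerability"):
        for prof_entry in vuln.findall("entry"):
            for rule in prof_entry.findall("rules/entry"):
                pcap = rule.findtext("packet-capture", default="disable")
                if pcap != "extended-capture":
                    continue
                action = rule_action(rule)
                findings.append((prof_entry.get("name"), rule.get("name"),
                                 action, action in BLOCKING_ACTIONS))
    return findings


def ineffective_extended_captures(config_xml):
    """'profile/rule' names where extended-capture is set but the action blocks."""
    return [f"{p}/{r}" for p, r, _a, blocked in audit_extended_capture(config_xml) if blocked]


if __name__ == "__main__":
    for profile, rule, action, blocked in audit_extended_capture(SAMPLE_CONFIG):
        note = "only one packet will be captured" if blocked else "ok"
        print(f"{profile}/{rule}: action={action} -> {note}")
```

Run it against the XML from your own export (for example the output of Device > Setup > Operations > Export named configuration snapshot) in place of SAMPLE_CONFIG; every rule it flags should either be switched to an alert action if the extra packets are the goal, or have its capture setting changed to single-packet so the configuration reflects what the firewall will actually do.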