Today's Tips & Tricks is about enabling "Packet Capture" on Security Profiles.
One security feature that security professionals sometimes overlook is the Packet Capture option in the Security Profiles, specifically the Antivirus, Anti-Spyware and Vulnerability Protection profiles. This option is intended for reporting a false positive or for troubleshooting any other issue with the behavior of these profiles. Enabling it captures the data that our inspection engine tags as a threat.
To enable the feature, go to Objects > Security Profiles in the WebGUI.
Antivirus Profile
Select the check box if you want to capture identified packets.
Anti-Spyware Profile
Inside the DNS Signatures tab:
Vulnerability Protection Profile
Rules > Rule name:
Notice that Anti-Spyware and Vulnerability Protection have more options:
- Disabled
- Single-packet: select this option to capture one packet when a threat is detected.
- Extended-capture: select this option to capture more packets. Extended-capture provides much more context for the threat when analyzing the Threat logs or when providing the captures for TAC to analyze.
To define the number of packets that should be captured, navigate to Device > Setup > Content-ID and then edit the Threat Detection Settings section, as shown below:
Set the number of packets to capture when the extended-capture option is enabled in Anti-Spyware and Vulnerability Protection profiles. The range is 1-50; the default is 5.
To view a packet capture, navigate to Monitor > Logs > Threat, locate the log entry you are interested in, and click the green down arrow in the second column. Packet captures only occur if the action is allow or alert.
Note: If the action is set to block, the session is ended immediately, so there is no capture.
For every packet capture shown in the Threat logs, you have the option to "Export" the capture. This saves the file locally on the client machine used to access the WebGUI.
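Because a capture is only written when the rule's action is allow or alert, it is worth auditing which rules actually produce evidence. The script below is an added example, not code from this post or from Palo Alto Networks: it walks an exported configuration and reports, per Anti-Spyware and Vulnerability Protection rule, whether a capture is disabled, enabled but paired with a blocking action, or enabled and effective. The XML layout (profiles/vulnerability and profiles/spyware rules carrying <action> and <packet-capture>) and all profile and rule names are assumptions modelled on a config export; check them against your own running-config.xml.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on a PAN-OS config export (layout is an
# assumption; profile and rule names are made up).
SAMPLE_CONFIG = """<config><devices><entry name="localhost.localdomain">
<vsys><entry name="vsys1"><profiles>
 <vulnerability><entry name="strict-vp"><rules>
  <entry name="critical-block"><action><reset-both/></action>
   <packet-capture>extended-capture</packet-capture></entry>
  <entry name="medium-alert"><action><alert/></action>
   <packet-capture>disable</packet-capture></entry>
 </rules></entry></vulnerability>
 <spyware><entry name="default-as"><rules>
  <entry name="c2-alert"><action><alert/></action>
   <packet-capture>single-packet</packet-capture></entry>
  <entry name="default-rule"><action><default/></action>
   <packet-capture>single-packet</packet-capture></entry>
 </rules></entry></spyware>
</profiles></entry></vsys></entry></devices></config>"""

# Actions that end the session immediately, so no capture is written.
BLOCKING = {"drop", "reset-client", "reset-server", "reset-both", "block-ip"}

def audit_packet_capture(config_xml):
    """Return (profile type, profile, rule, capture, action, finding) tuples."""
    root = ET.fromstring(config_xml)
    findings = []
    for ptype in ("vulnerability", "spyware"):
        for profile in root.findall(".//profiles/%s/entry" % ptype):
            for rule in profile.findall("rules/entry"):
                capture = rule.findtext("packet-capture", "disable")
                action_el = rule.find("action")
                # The action is encoded as an empty child element, e.g. <alert/>.
                has_child = action_el is not None and len(action_el) > 0
                action = action_el[0].tag if has_child else "default"
                if capture == "disable":
                    finding = "capture-disabled"      # nothing to export from the Threat log
                elif action in BLOCKING:
                    finding = "blocking-action"       # session ends, no pcap despite the setting
                elif action == "default":
                    finding = "depends-on-signature"  # follows the signature's default action
                else:
                    finding = "ok"                    # allow/alert: capture will be written
                findings.append((ptype, profile.get("name"), rule.get("name"),
                                 capture, action, finding))
    return findings

if __name__ == "__main__":
    for row in audit_packet_capture(SAMPLE_CONFIG):
        print("%-13s %-11s %-14s %-16s %-10s %s" % row)
```

Run it against a real export by replacing SAMPLE_CONFIG with the file contents; rules reported as blocking-action are the ones where TAC will not find a capture attached to the Threat log entry.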
As always, we welcome your comments and feedback. If you like what you see, please let us know. If you want specific topics please let me know.
Thanks for reading,
Joe Delio