Palo Alto Networks Knowledgebase: How to Capture Traffic (PCAP) Hitting a Specific Rule

Created On 07/29/19 17:23 PM - Last Updated 07/29/19 17:51 PM

Details

To enable packet capture for a specific rule:

  • Log into the CLI and run the following command:

> set application dump on rule allow_all

Application setting:
Application cache            : yes
Supernode                    : yes
Heuristics                   : yes
Cache Threshold              : 16
Bypass when exceeds queue limit: yes
Unknown capture              : on
Max. unknown sessions        : 5000
Current unknown sessions     : 0
Application capture          : on
Max. application sessions    : 5000
Current application sessions : 0

Application filter setting:
    From                     : any
    To                       : any
    Source                   : any
    Destination              : a
    Protocol                 : any
    Source Port              : any
    Dest. Port               : any
    Application              : any

Current APPID Signature
  Signagure Usage            : 29  MB (Max. 32  MB)
      TCP 1 C2S              : 10551  states
      TCP 1 S2C              : 4880  states
      TCP 2 C2S              : 14988  states
      TCP 2 S2C              : 6142  states
      UDP 1 C2S              : 6514  states
      UDP 1 S2C              : 2774  states
      UDP 2 C2S              : 9782  states
      UDP 2 S2C              : 2036  states

  • By default, the firewall also captures traffic considered "unknown" or "insufficient data." To turn off this capture:

    > set application dump-unknown no

  • Go to the traffic log in the WebGUI
  • Click the green arrow next to the traffic log to download the PCAP, as shown in the example:

[Image: application-dump.PNG]

  • To turn off the application dump once the PCAPs have been retrieved:

> set application dump off
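The following script is an added example and is not part of the Palo Alto Networks article or of PAN-OS itself. It parses the "Application setting" output shown above (a constructed copy, with the truncated Destination value replaced by "any") and reports whether application or unknown-traffic capture has been left switched on after a capture exercise, which is the state the last step above exists to prevent. The section names, key names and "on"/"off" values are taken from the output quoted in the article; the function names and the warning texts are this example's own.

```python
import re

# Constructed sample: the `Application setting` output quoted in the article,
# reduced to the lines this script reads. Not live firewall output.
SAMPLE_OUTPUT = """\
Application setting:
Application cache            : yes
Supernode                    : yes
Heuristics                   : yes
Cache Threshold              : 16
Bypass when exceeds queue limit: yes
Unknown capture              : on
Max. unknown sessions        : 5000
Current unknown sessions     : 0
Application capture          : on
Max. application sessions    : 5000
Current application sessions : 0
Application filter setting:
    From                     : any
    To                       : any
    Source                   : any
    Destination              : any
    Protocol                 : any
    Source Port              : any
    Dest. Port               : any
    Application              : any
Current APPID Signature
  Signagure Usage            : 29  MB (Max. 32  MB)
      TCP 1 C2S              : 10551  states
"""

# "key : value" with arbitrary padding; the key is the text before the first colon.
KV_RE = re.compile(r"^\s*(.+?)\s*:\s*(.*?)\s*$")


def parse_application_setting(text):
    """Return {section: {key: value}} from the CLI output.

    A line without a value ("Application setting:") or without any colon
    ("Current APPID Signature") starts a new section.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        m = KV_RE.match(raw)
        if m is None or m.group(2) == "":
            current = m.group(1) if m else raw.strip()
            sections[current] = {}
            continue
        if current is None:
            current = "_root"
            sections[current] = {}
        sections[current][m.group(1)] = m.group(2)
    return sections


def _as_int(value):
    """'5000' or '10551  states' -> 5000 / 10551; missing value -> 0."""
    return int(value.split()[0]) if value else 0


def capture_status(sections):
    """Summarise the capture-related fields as booleans and integers."""
    app = sections.get("Application setting", {})
    return {
        "application_capture": app.get("Application capture") == "on",
        "unknown_capture": app.get("Unknown capture") == "on",
        "application_sessions": _as_int(app.get("Current application sessions")),
        "max_application_sessions": _as_int(app.get("Max. application sessions")),
        "filter": sections.get("Application filter setting", {}),
    }


def audit(text):
    """Return a list of warnings; an empty list means capture is fully off."""
    st = capture_status(parse_application_setting(text))
    warnings = []
    if st["application_capture"]:
        warnings.append("application dump is still on; run `set application dump off`")
    if st["unknown_capture"]:
        warnings.append("unknown/insufficient-data capture is on; "
                        "run `set application dump-unknown no` if it is not wanted")
    if (st["max_application_sessions"]
            and st["application_sessions"] >= st["max_application_sessions"]):
        warnings.append("application session limit reached; further sessions are not captured")
    return warnings


if __name__ == "__main__":
    for line in audit(SAMPLE_OUTPUT) or ["capture is off"]:
        print(line)
```

Feed the script the saved output of the firewall's application setting display (for example, copied from the CLI session) in place of SAMPLE_OUTPUT; an empty warning list confirms that both capture switches are back to off. The session-limit warning covers the case where "Current application sessions" has reached "Max. application sessions", at which point the firewall stops adding sessions to the capture.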

owner: ppatel
