Palo Alto Networks Knowledgebase: Firewall Automatically Captures Packets in the Traffic Log

Firewall Automatically Captures Packets in the Traffic Log

1934
Created On 02/07/19 23:40 PM - Last Updated 02/07/19 23:41 PM
Resolution

Details

By default the firewall takes captures of traffic considered "unknown" or "insufficient data".

 

Run the following CLI command to determine if the automatic capture is on:

> show running application setting

Application setting:

Application cache             : yes

Supernode                     : yes

Heuristics                    : yes

Cache Threshold               : 16

Bypass when exceeds queue limit: yes

Use cache for appid           : no

Unknown capture               : on

Max. unknown sessions         : 5000

Current unknown sessions      : 12

Application capture           : off

Current APPID Signature

Signature Usage              : 27  MB (Max. 32  MB)

      TCP 1 C2S               : 8771   states, in offloader

      TCP 1 S2C               : 4130   states, in offloader

      TCP 2 C2S               : 15711  states, in offloader

      TCP 2 S2C               : 5005   states, in offloader

      UDP 1 C2S               : 5893   states, in offloader

      UDP 1 S2C               : 2151   states, in offloader

      UDP 2 C2S               : 9906   states, in offloader

      UDP 2 S2C               : 2182   states, in offloader

 

To turn off automatic capture until the next reboot, run the following command:

> set application dump-unknown no

Note: This setting will reset when the device is rebooted.

 

To make the settings persist through a reboot, use the following commands:

> configure

# set deviceconfig setting application dump-unknown off

# commit

 

onwer: jseals



Attachments
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClvcCAC&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Attachments
Choose Language