How to export threat capture from a Panorama managed firewall using API

Created On 07/13/22 13:55 PM - Last Modified 11/17/25 20:02 PM


Objective


The objective of this article is to demonstrate how to export a threat capture from a firewall managed by Panorama using API.

Environment


  • PanOS firewall
  • Panorama management server


Procedure


  • For the purpose of this demo, one needs a firewall with a DNS Security license. A basic security policy is created to allow DNS traffic, and an Anti-Spyware security profile with the packet capture option enabled is attached to that policy.
User-added image
 
  • One needs to generate an API key for the Panorama management server. Either of the commands below can be used:
curl -k -X GET 'https://<panorama>/api/?type=keygen&user=<username>&password=<password>'
or
curl -k -X POST 'https://<panorama>/api/?type=keygen&user=<username>&password=<password>'
Note: Do not put a semicolon character at the end of the command.

A successful API call returns status="success" along with the API key within the key element:
<response status="success">
  <result>
    <key>api-key-test==</key>
  </result>
</response>
 
  • On a Windows machine behind the VM firewall, one can run nslookup for the test C2 domain test-c2.testpanw.com:
C:\Users\admin>nslookup test-c2.testpanw.com 192.168.10.1
Server:  UnKnown
Address:  192.168.10.1

DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
*** Request to UnKnown timed-out
 
  • The DNS request will be blocked and a threat log will be generated. A threat capture will also be created, if packet capture is enabled in the profile.
User-added image
 
  • One needs to check the details of the threat log and take note of the session-id, pcap-id and receive-time, as shown in the screenshot below:
User-added image
 
  • With that information available, one can query the firewall from Panorama via API. In the example below, one needs to replace the Panorama address, API key, firewall hostname, session-id, pcap-id and search-time parameters (search-time is the receive-time from the threat log).
curl -k -X GET "https://panorama/api/?type=export&category=threat-pcap&key=api-key-test==&device_name=<firewall-hostname>&sessionid=72083&pcapid=1208544047992406037&search-time=2022/07/13+16:04:47" -o threat-pcap.pcap
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   120  100   120    0     0     83      0  0:00:01  0:00:01 --:--:--    84
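The two API calls above (keygen, then the threat-pcap export) as one Python script. This is an added example, not code from the article or from Palo Alto Networks; it uses only the standard library. The Panorama address, the API user and password, the firewall hostname and the session-id/pcap-id/search-time values are placeholders (the log values shown are the ones from the curl command above) that must be replaced with values from your own threat log. It sends the credentials in a POST body rather than the URL query string so they stay out of proxy logs and shell history, verifies Panorama's TLS certificate instead of using `-k`, and checks whether the downloaded body is actually a pcap or an XML error before writing it to disk, since `curl -o` would happily save an error response under the .pcap name.

```python
"""Generate a PAN-OS API key on Panorama and export a threat pcap from a
managed firewall.  Added example, not the article's own code; all host,
credential and log values below are placeholders."""
import ssl
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

# Assumed placeholder; replace with the Panorama management address.
PANORAMA = "panorama.example.invalid"

# libpcap magic numbers (both byte orders, micro- and nanosecond variants)
# and the pcapng section-header magic.
PCAP_MAGICS = {b"\xa1\xb2\xc3\xd4", b"\xd4\xc3\xb2\xa1",
               b"\xa1\xb2\x3c\x4d", b"\x4d\x3c\xb2\xa1"}
PCAPNG_MAGIC = b"\x0a\x0d\x0d\x0a"


def _error_text(root: ET.Element) -> str:
    """Pull the human-readable message out of a PAN-OS XML error response."""
    return root.findtext(".//line") or root.findtext(".//msg") or "unknown API error"


def parse_keygen_response(xml_text: str) -> str:
    """Return the API key from a type=keygen response; raise on error status."""
    root = ET.fromstring(xml_text)
    if root.get("status") != "success":
        raise RuntimeError(f"keygen failed: {_error_text(root)}")
    key = root.findtext("./result/key")
    if not key:
        raise RuntimeError("keygen response has no <key> element")
    return key


def build_export_query(device_name: str, session_id: int, pcap_id: int,
                       search_time: str) -> str:
    """Build the query string for the threat-pcap export (the API key is sent
    in a header, not in the URL).  search_time is 'YYYY/MM/DD HH:MM:SS'."""
    return urllib.parse.urlencode({
        "type": "export",
        "category": "threat-pcap",
        "device_name": device_name,
        "sessionid": str(session_id),
        "pcapid": str(pcap_id),
        "search-time": search_time,
    })


def classify_export_body(body: bytes) -> str:
    """Return 'pcap', 'pcapng', 'error: ...' or 'unknown' for a downloaded body."""
    head = body[:4]
    if head in PCAP_MAGICS:
        return "pcap"
    if head == PCAPNG_MAGIC:
        return "pcapng"
    stripped = body.lstrip()
    if stripped.startswith(b"<"):
        try:
            root = ET.fromstring(stripped)
            return f"error: {root.get('status')}: {_error_text(root)}"
        except ET.ParseError:
            pass
    return "unknown"


def generate_api_key(panorama: str, username: str, password: str,
                     ctx: ssl.SSLContext) -> str:
    """POST type=keygen with the credentials in the request body."""
    data = urllib.parse.urlencode(
        {"type": "keygen", "user": username, "password": password}).encode()
    req = urllib.request.Request(f"https://{panorama}/api/", data=data, method="POST")
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return parse_keygen_response(resp.read().decode())


def export_threat_pcap(panorama: str, api_key: str, device_name: str,
                       session_id: int, pcap_id: int, search_time: str,
                       out_path: str, ctx: ssl.SSLContext):
    """Download the threat pcap through Panorama and save it once validated."""
    url = f"https://{panorama}/api/?" + build_export_query(
        device_name, session_id, pcap_id, search_time)
    # X-PAN-KEY carries the key instead of the key= query parameter the
    # article uses; both are accepted by current PAN-OS releases.
    req = urllib.request.Request(url, headers={"X-PAN-KEY": api_key})
    with urllib.request.urlopen(req, context=ctx, timeout=60) as resp:
        body = resp.read()
    kind = classify_export_body(body)
    if kind.startswith("error") or kind == "unknown":
        raise RuntimeError(f"export did not return a capture: {kind}")
    with open(out_path, "wb") as fh:
        fh.write(body)
    return kind, len(body)


if __name__ == "__main__":
    # Verifies Panorama's certificate; use create_default_context(cafile=...)
    # when Panorama presents a certificate from a private CA.
    ctx = ssl.create_default_context()
    key = generate_api_key(PANORAMA, "api-user", "CHANGE_ME", ctx)   # placeholders
    kind, size = export_threat_pcap(PANORAMA, key, "fw-hostname", 72083,
                                    1208544047992406037, "2022/07/13 16:04:47",
                                    "threat-pcap.pcap", ctx)
    print(f"saved {size} bytes ({kind}) to threat-pcap.pcap")
```

The 120-byte transfer in the curl output above is a useful sanity check in its own right: a pcap that small is a single DNS query, which is what this demo expects, but an XML error body from the API is often about the same size, so inspect the first bytes (or run the classifier above) before opening the file in Wireshark.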
 
  • The threat capture opened in Wireshark shows the DNS query packet for the domain test-c2.testpanw.com.
User-added image


Additional Information


HOW TO CONFIGURE EXTENDED PACKET CAPTURE

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000CqVuCAK&lang=en_US&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail