Focus

Take a Packet Capture for Unknown Applications

Table of Contents

Filter

Expand All | Collapse All

Next-Generation Firewall Docs

Getting Started
Administration
Version
- Cloud Management of NGFWs
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1 & Later
- PAN-OS 9.1 (EoL)
Networking
Version
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1 & Later
Incidents & Alerts
Release Notes
Version
- Cloud Management and AIOps for NGFW
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1
- PAN-OS 11.2
- PAN-OS 8.1 (EoL)
- PAN-OS 9.0 (EoL)
- PAN-OS 9.1 (EoL)

Take an Application Packet Capture

Take a Custom Application Packet Capture

Take a Packet Capture for Unknown Applications

Palo Alto Networks firewalls automatically generate a packet capture for sessions that contain an application that the firewall cannot identify. Typically, the only applications that are classified as unknown traffic—tcp, udp, or non-syn-tcp—are commercially available applications that do not yet have App-ID signatures, are internal or custom applications on your network, or potential threats. You can use these packet captures to gather more context related to the unknown application or use the information to analyze the traffic for potential threats. You can also Manage Custom or Unknown Applications by controlling them through security policy or by writing a custom application signature and then creating a security rule based on the custom signature. If the application is a commercial application, you can submit the packet capture to Palo Alto Networks to have an App-ID signature created.

Verify that unknown application packet capture is enabled (this option is enabled by default).
1. To view the unknown application capture setting, run the following CLI command:
```
admin@PA-220>show running application setting | match “Unknown capture”
```
2. If the unknown capture setting option is off, enable it:
```
admin@PA-220>set application dump-unknown yes
```
Locate unknown TCP and UDP applications by filtering the traffic logs.
1. Select MonitorLogsTraffic.
2. Click Add Filter, create the unknown TCP portion of the filter (Connector = “and”, Attribute = “Application”, Operator = “equal”, and enter “unknown-tcp” as the Value), and then click Add to add the query to the filter.
3. Create the unknown UDP portion of the filter (Connector = “or”, Attribute = “Application”, Operator = “equal”, and enter “unknown-udp” as the Value), and then click Add to add the query to the filter.
4. Click Apply to place the filter in the log screen query field.
Click the Apply Filter arrow next to the query field to run the filter and then click the packet capture icon

to view the packet capture or Export it to your local system.