To configure the firewall to take a packet
capture (pcap) when it detects a threat, enable packet capture on
Antivirus, Anti-Spyware, and Vulnerability Protection security profiles.
Enable the packet capture option in the security
profile.
Some security profiles allow you to define a single-packet
capture or an extended-capture. If you choose extended-capture,
define the capture length. This allows the firewall to capture more
packets and provide additional context related to the threat.
If
the action for a given threat is allow, the firewall does not trigger
a Threat log and does not capture packets. If the action is alert,
you can set the packet capture to single-packet or extended-capture.
All blocking actions (drop, block, and reset actions) capture a single
packet. The content package on the device determines the default
action.
Select ObjectsSecurity Profiles and enable
the packet capture option for the supported profiles as follows:
Antivirus—Select a custom
antivirus profile and in the Antivirus tab select
the Packet Capture check box.
Anti-Spyware—Select a custom Anti-Spyware
profile, click Rules, Exceptions,
or the DNS Signatures tab and in the Packet
Capture drop-down, select single-packet or extended-capture.
Vulnerability Protection—Select a
custom Vulnerability Protection profile and in the Rules tab,
click Add to add a new rule, or select an
existing rule. Set Packet Capture to single-packet or extended-capture.
If
the profile has signature exceptions defined, click the Exceptions tab
and in the Packet Capture column for a signature,
set single-packet or extended-capture.
(Optional) If you selected extended-capture for
any of the profiles, define the extended packet capture length.
Select DeviceSetupContent-ID and
edit the Content-ID Settings.
In the Extended Packet Capture Length (packets) section,
specify the number of packets that the firewall will capture (range
is 1-50; default is 5).
Click OK.
Add the security profile (with packet capture enabled)
to a Security
Policy rule.
Select PoliciesSecurity and select a rule.
Select the Actions tab.
In the Profile Settings section, select a profile
that has packet capture enabled.
For example, click the Antivirus drop-down
and select a profile that has packet capture enabled.
View/export the packet capture from the Threat logs.
Select MonitorLogsThreat.
In the log entry that you are interested in, click
the green packet capture icon
in the second
column. View the packet capture directly or Export it
to your system.