Focus

Take a Custom Application Packet Capture

Table of Contents

Filter

Expand All | Collapse All

Next-Generation Firewall Docs

Getting Started
Administration
Version
- Cloud Management of NGFWs
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1 & Later
- PAN-OS 9.1 (EoL)
Networking
Version
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1 & Later
AIOps
Incidents & Alerts
Release Notes
Version
- Cloud Management and AIOps for NGFW
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1
- PAN-OS 11.2
- PAN-OS 8.1 (EoL)
- PAN-OS 9.0 (EoL)
- PAN-OS 9.1 (EoL)

Take a Packet Capture for Unknown Applications

Take a Packet Capture on the Management Interface

Take a Custom Application Packet Capture

You can configure a Palo Alto Networks firewall to take a packet capture based on an application name and filters that you define. You can then use the packet capture to troubleshoot issues with controlling an application. When configuring an application packet capture, you must use the application name defined in the App-ID database. You can view a list of all App-ID applications using Applipedia or from the web interface on the firewall in ObjectsApplications.

Using a terminal emulation application, such as PuTTY, launch an SSH session to the firewall.
Turn on the application packet capture and define filters.
```
admin@PA-220>set application dump on application <application-name> rule <rule-name>
```
For example, to capture packets for the facebook-base application that matches the security rule named rule1, run the following CLI command:
```
admin@PA-220>set application dump on application facebook-base rule rule1
```
You can also apply other filters, such as source IP address and destination IP address.

View the output of the packet capture settings to ensure that the correct filters are applied. The output appears after enabling the packet capture.

In the following output, you see that application filtering is now on based on the facebook-base application for traffic that matches rule1.

Application setting:
	Application cache : yes
	Supernode : yes
	Heuristics : yes
	Cache Threshold : 16
	Bypass when exceeds queue limit: no
	Traceroute appid : yes
	Traceroute TTL threshold : 30
	Use cache for appid : no
	Unknown capture : on
	Max. unknown sessions : 5000
	Current unknown sessions : 0 
	Application capture : on
	Max. application sessions : 5000 
	Current application sessions : 0
	Application filter setting: 
	Rule : rule1 
	From : any
	To : any 
	Source : any 
	Destination : any 
	Protocol : any 
	Source Port : any
	Dest. Port : any 
	Application : facebook-base 
	Current APPID Signature
	Signature Usage : 21 MB (Max. 32 MB)
	TCP 1 C2S : 15503 states 
	TCP 1 S2C : 5070 states 
	TCP 2 C2S : 2426 states 
	TCP 2 S2C : 702 states 
	UDP 1 C2S : 11379 states 
	UDP 1 S2C : 2967 states 
	UDP 2 C2S : 755 states 
	UDP 2 S2C : 224 states

Access Facebook.com from a web browser to generate Facebook traffic and then turn off application packet capture by running the following CLI command:
```
admin@PA-220>set application dump off
```
View/export the packet capture.
1. Log in to the web interface on the firewall and select MonitorLogsTraffic.
2. In the log entry that you are interested in, click the green packet capture icon
  
  in the second column.
3. View the packet capture directly or Export it to your computer. The following screen capture shows the facebook-base packet capture.

Take a Packet Capture for Unknown Applications

Take a Packet Capture on the Management Interface

Next-Generation Firewall Docs

Take a Custom Application Packet Capture

Next-Generation Firewall Docs

Take a Custom Application Packet Capture

Activation & Onboarding

Next-Generation Firewalls

Cloud-Delivered Security Services

Network Security

Visibility & Monitoring

Best Practices

Experts Corner