topic Re: IPS packet capture in Firewall and Security Management

IPS packet capture

Alexander_K — Mon, 16 Oct 2017 08:12:36 GMT

In R77.30 and earlier IPS packet capture was stored on the gateways as .pcap files and we could retrieve them using "fwm getpcap" over SSH. In R80+, IPS has been moved to Threat Prevention and it seems that packet capture is now being stored as .EML files. Looking at the logs from "fw log", the "packet_capture_unique_id" is now a name, where on earlier versions this was a ID number. Tried running "fwm getpcap" with different ID's from the logs, but all returning errors.

I heard that there are plans to stop using .EML files, but until then, are there any ways to get the IPS packet captures out from SSH?

Re: IPS packet capture

PhoneBoy — Fri, 20 Oct 2017 23:29:15 GMT

Hm... good question.

Let me ping my friends in R&D about this one.

Re: IPS packet capture

PhoneBoy — Mon, 23 Oct 2017 14:11:04 GMT

Turns out that’s in R80.10+, the packet captures are stored on the log server, not the gateway as was the case in R77.30 and earlier.

Consequentially, the fwm getpcap command does not work for R80.10+ Gateways

An API for this is planned in R80.20.

Also, in R80.20, we plan to make the pcap available as a pcap (not EML).

Meanwhile, in R80.10, the only way to get the capture is via SmartConsole.

Re: IPS packet capture

Alexander_K — Wed, 25 Oct 2017 07:27:25 GMT

Thanks, will await for R80.20 then

Re: IPS packet capture

Pablo_Munoz — Fri, 02 Mar 2018 21:20:55 GMT

I don't know if this is too late, but maybe sk120773 helps:

IPS packet captures are located on on the Security Gateway in:

Before R80.x - $FWDIR/log/captures_repository
In R80.10 - $FWDIR/log/forensics and /var/log/spool/mail/

Re: IPS packet capture

PhoneBoy — Sat, 03 Mar 2018 22:49:32 GMT

Never too late for a correct answer

The nice thing is in R80.10, these files are stored as .cap files directly, which means Wireshark and other tools can read them.

Re: IPS packet capture

Jim_Stergiou — Mon, 07 May 2018 13:01:54 GMT

Did the ability to pull pcaps from the API make it into the R80.20 EA?

Re: IPS packet capture

PhoneBoy — Mon, 07 May 2018 14:03:00 GMT

I don't see anything in the API docs for it offhand...

Re: IPS packet capture

Brian_Olesen — Thu, 21 Jun 2018 08:58:28 GMT

In a R80.10 installation it seems that there is only .cap files for the last couple of days. Does anyone know for how long the .cap files are stored and where it can be configured?

Re: IPS packet capture

Pablo_Munoz — Thu, 21 Jun 2018 13:13:04 GMT

It's my understanding that these settings are configured from 'Disk Space Management' (GW Properties -> Logs -> Local Storage). Here you can also define how much disk space will be allocated for packet capturing. Files should be stored until we start running out of space (then log rotation starts working as per the settings)

Re: IPS packet capture

Oliver_Fink — Mon, 02 May 2022 15:00:24 GMT

It seems that R81.10 does not offer the possibility to configure this anymore:

Same on R80.30:

Re: IPS packet capture

Timothy_Hall — Mon, 02 May 2022 17:59:15 GMT

This is configured on the gateway object, not the SMS. The Local Storage screens you are showing are for an SMS.