This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
sanja
Explorer
‎2020-12-18 02:30 AM

Packet capture option

Hello,

 

I did some research regarding packet capture option, and couldn't find clear answer so I have to ask here 🙂

Documentation states that this option is enabled by default for some blades, and  I cannot find for which blades it is enabled by default. 

Also, in log entry I can find link to download pcap just for malicious trafffic (for example, IPS prevented traffic). What about Threat Emulation blade?

 

Labels
0 Kudos
7 Replies
_Val_
Admin
Admin
‎2020-12-18 05:05 AM

Threat Emulation packet capture would mean you capture the whole file as part of the logs. That would be too heavy.

0 Kudos
sanja
Explorer
‎2020-12-18 10:15 AM
In response to _Val_

Hi, thanks for the reply. What about other blades? 

0 Kudos
Timothy_Hall
MVP Gold
MVP Gold
‎2020-12-18 05:54 PM
In response to sanja

Pretty sure only the Threat Emulation, IPS, Anti-Virus, and Anti-Bot blades can generate packet captures.  Content Awareness can show a redacted copy of the offending Data Type, but it is not a full packet capture.

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course
0 Kudos
PhoneBoy
Admin
Admin
‎2020-12-18 09:46 PM

Pretty sure PCAP is only done for IPS and only for the malicious packet.

0 Kudos
Timothy_Hall
MVP Gold
MVP Gold
‎2020-12-19 05:55 AM
In response to PhoneBoy

Packet Captures are done for Anti-Virus too:

av_pcap.jpg

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course
0 Kudos
sanja
Explorer
‎2020-12-20 11:46 PM

Thanks!

Is it safe to keep these default settings, cause security gateways are having some performance issues at the moment (memory consumption is too high)?

0 Kudos
Amir_Senn
MVP Silver CHKP MVP Silver CHKP
MVP Silver CHKP
‎2020-12-21 01:15 AM
In response to sanja

AB/AV - have a packet capture but not all the time, depends on the attack type and prevention method.

IPS - defined per attack. For some attacks it's on by default and for some it's off.

Threat Emulation - not a packet capture but a Forensic Report. See Attached.

You can keep default settings, no performance degradation should be caused by normal usage.

Capture.PNG

Kind regards, Amir Senn

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events