There are two places you can enable Threat Prevention packet capturing in R80.10+: the Threat Prevention policy Track field, and/or on the IPS ThreatCloud protection itself.
Checking the "Capture Packets" checkbox for an IPS ThreatCloud protection contained within a profile will not cause a substantial CPU or memory hit, because it is already saving packet captures by default. When an IPS protection is triggered, the gateway automatically stores the offending packet for later inspection by the administrator. However, by default, when the same protection is triggered again, the previously saved capture is overwritten with the new capture. All setting "Capture Packets" on the protection does is store all of them without overwriting previous ones.
In the Threat Prevention policy Track field, setting "Capture Packets" just instructs all IPS ThreatCloud protections matching that rule to save all captures without overwriting, and is essentially setting the "Capture Packets" checkbox for you for all IPS ThreatCloud protections contained in the profile for the matched TP rule. By default the gateway has 500MB of disk space set aside to store captures; if it fills up, the oldest captures are automatically deleted:
The main thing you will need to watch out for is having the firewall take captures for IPS ThreatCloud protections whose action is Detect, as it will save 100KB of captured packets each time, which can quickly exceed the 500MB allocation and start causing captures to get rolled off. A Prevent action will normally only give you one captured packet or perhaps a few. There are a number of other caveats here to be aware of, especially concerning Core Activations & Inspection Settings. Here is the relevant content about this from my updated R81.20 IPS/AV/ABOT Immersion course:
Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com