• Note that the way a Packet Capture is specified to be taken every time an IPS Protection is matched differs depending on the gateway version.
• For R77.XX gateways, the setting is located on the IPS Protection itself.
• For R80.10+ gateways, the setting is located in the Track field of the TP policy rule.
• The packet capture can be downloaded from the IPS log entry itself on the Logs & Monitor tab in the SmartConsole; format will be EML containing a pcap.
• The first time a ThreatCloud IPS Protection is matched and the logging of it is not suppressed (i.e. a completely new IPS log entry is created), a packet capture will automatically be taken by default regardless of the settings on the prior page.
• Note that unless a packet capture is called for at all times on the IPS Protection itself (R77.XX gateway) or in the Track column of the TP policy (R80.10+ gateway), only one packet capture per ThreatCloud IPS Protection will be stored by default. So only the latest non-suppressed log entry for a ThreatCloud IPS Protection will have a packet capture available by default.
• Typically the packet capture will contain only the single “offending” packet and not include any prior packets in the stream, unless the attack pattern spanned more than one packet.
• Packet Captures are not supported on Gaia Embedded appliances (models 600–1400).
• Specifying Packet Capture in the Track field of a TP rule applied to an R77.XX gateway will NOT cause the IPS blade to take packet captures for all ThreatCloud IPS Protections that are matched. The Packet Capture checkbox must still be selected directly on the desired IPS Protection(s) for an R77.XX gateway.
• For R77.XX gateways, the IPS packet captures are stored locally on the gateway itself in directory $FWDIR/log/captures_repository. By default up to 500 MBytes of disk storage may be consumed by packet captures in a rotating buffer.
• For R80.10+ gateways, IPS packet captures are automatically transferred to the Log Server (usually the SMS or CMA) and stored in the $FWDIR/log/forensics and /var/spool/mail directories.
• For IPS Core Activations and Inspection Settings, packet captures will not be taken at all regardless of gateway version, unless the Capture Packets checkbox is explicitly set on the configuration screen of the individual Core Activation or Inspection Setting itself.
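The capture downloaded from an IPS log entry arrives as an EML wrapping a pcap, and usually holds just the single offending packet. The following is an added example (not Check Point's code) showing how an analyst can pull the pcap out of that EML and count its packets; the sample EML is constructed inline with a hypothetical attachment name, since no real capture is on this page.

```python
import email
import struct
from email import policy
from email.message import EmailMessage

# libpcap global-header magic values: micro/nanosecond, little/big endian.
PCAP_MAGIC = {b"\xd4\xc3\xb2\xa1", b"\xa1\xb2\xc3\xd4",
              b"\x4d\x3c\xb2\xa1", b"\xa1\xb2\x3c\x4d"}
LITTLE_ENDIAN_MAGIC = {b"\xd4\xc3\xb2\xa1", b"\x4d\x3c\xb2\xa1"}

def extract_pcaps(eml_bytes):
    """Return (filename, pcap_bytes) for each attachment carrying a libpcap
    header. Other attachments (text bodies, HTML parts) are skipped so they
    are never mistaken for a capture."""
    msg = email.message_from_bytes(eml_bytes, policy=policy.default)
    found = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True)
        if payload and payload[:4] in PCAP_MAGIC:
            found.append((part.get_filename() or "capture.pcap", payload))
    return found

def count_packets(pcap):
    """Walk the pcap record headers (ts_sec, ts_usec, incl_len, orig_len)
    and return how many packets the file holds. An IPS capture normally
    holds only the single offending packet."""
    endian = "<" if pcap[:4] in LITTLE_ENDIAN_MAGIC else ">"
    offset, count = 24, 0  # 24-byte global header comes first
    while offset + 16 <= len(pcap):
        incl_len = struct.unpack(endian + "I", pcap[offset + 8:offset + 12])[0]
        offset += 16 + incl_len
        count += 1
    return count

def build_sample_eml():
    """Constructed sample: a minimal little-endian pcap (global header plus
    one 60-byte all-zero Ethernet frame) attached to an EML, standing in
    for a capture downloaded from an IPS log entry. Filename is made up."""
    global_header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    frame = b"\x00" * 60
    record_header = struct.pack("<IIII", 1700000000, 0, len(frame), len(frame))
    msg = EmailMessage()
    msg["Subject"] = "IPS packet capture (constructed sample)"
    msg.set_content("Packet capture attached.")
    msg.add_attachment(global_header + record_header + frame,
                       maintype="application", subtype="vnd.tcpdump.pcap",
                       filename="ips_capture.pcap")
    return msg.as_bytes()

if __name__ == "__main__":
    for name, data in extract_pcaps(build_sample_eml()):
        print(name, len(data), "bytes,", count_packets(data), "packet(s)")
```

Run it against a real downloaded EML by reading the file's bytes and passing them to `extract_pcaps`, then write each returned pcap out for Wireshark.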