Ok so my question is how does the packet capture feauture works? For the Threat prevention policy in the track field i have selected log and packet capture. I presume that it will do a packet capture for all the activated IPS protections for that profile.Is this true? For a specific protection tab for Capture packets it says "Relevant only for pre R80 gateways...for R80 gateway the packet capture is defined by the policy. This is the reason i think it will do a packet capture for all the active protections in the profile for R80.10 gateways.Does the packet capture works only if the action is detect or will it work even if the action is prevent because in that case the session is blocked?
As for the location of packet capture .cap files they are stored on the gateway in the directory: $FWDIR/log/forensics.
In the logs on the secure management server the relevant data is session ID but you have to cut out the 0x part of it when you grep for a cap file.