It is possible that only one packet capture (the latest one) is available for that particular protection and the old one you are attempting to access has rolled off. How many subsequent packet captures for the same protection are going to be saved will vary depending upon whether the packet capture was taken for an IPS ThreatCloud Protection, a Core Protection/Activation, or an Inspection Setting and whether the capture was called for in the Track column of the Threat Prevention policy, the settings of the protection itself, or no capture was called for in the configuration at all but the firewall automatically saved a packet capture upon the latest triggering of that protection by default, but older ones for that protection are not retained.
In some cases a packet capture will not be available in the logs when it seems there should be; this can be caused in the following situations stated in the R81 Known Limitations:
• The detection occurred in the Check Point ThreatCloud (i.e. not locally on the gateway due to its own cache)
• The DeepScan engine portion of the firewall made the determination
• The connection was SSL/HTTPS encrypted by the firewall
What is the specific protection name, and do you have a packet capture set in the Track field of the TP rule matching the protection, the "capture packets" checkbox set on the protection itself, or both?
New 2-day Live "Max Power" Series Course Now Available:
"Gateway Performance Optimization R81.20" at maxpowerfirewalls.com