No packet capture is received with IPS protection log
Symptoms
  • Logs are received without a packet capture for an IPS protection, even though the 'Capture Packets' checkbox is enabled in the protection's properties in SmartConsole.
  • Running kernel debug (fw ctl debug -m fw + drop conn vm ips log dynlog cmi advp) shows:
    ;[cpu_1];[fw4_0];FW-1: fwloghandle_destroy: log handle ffffc2001f580198;
    ;[cpu_1];[fw4_0];fwloghandle_destroy: concurrent log handles allocated: 0;
    ;[cpu_1];[fw4_0];fw_kmsg_write_to_buf: copying 4 bytes for tsid 0. log_last=126088;
    ;[cpu_1];[fw4_0];fw_kmsg_write_to_buf: copying 4 bytes for tsid 0. log_last=126092;
    ;[cpu_1];[fw4_0];fw_kmsg_write_to_buf: copying 44 bytes for tsid 0. log_last=126096;
    ;[cpu_1];[fw4_0];cptraps_wake_up: called for tsid 0;
    ;[cpu_1];[fw4_0];fw_send_kmsg: log_start=ffffc2002379cccc, last=126140, first=126088;
    ;[cpu_1];[fw4_0];ips_gen_dyn_log: max_pcap_num=3 ;
    ;[cpu_1];[fw4_0];fwdynlog_perform_packet_capture : prepare forensics packet capture;
    ;[cpu_1];[fw4_0];fwdynlog_perform_packet_capture: match_opq or match_opq->streaming_vtable or match_opq->streaming_vtable->perform_capture or match_opq->output are null.;
    ;[cpu_1];[fw4_0];ips_gen_dyn_log: fwdynlog_perform_packet_capture() failed.;
    ;[cpu_1];[fw4_0]; ==>ips_log_struct_destroy:;
Cause

Since R80.10, the IPS blade is part of the Threat Prevention policy and therefore uses the Threat Prevention packet capture mechanism.
The new packet capture relies on PSL (Passive Streaming Library), which is sometimes not present when IPS makes a detection. In these cases, packet capture does not work.
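The debug excerpt under Symptoms is the reliable indicator of this condition: the capture path bails out because the streaming (PSL) context is missing, and ips_gen_dyn_log then reports the failure. The following script is an added example, not part of this SecureKnowledge article, that scans a saved kernel debug file for exactly that signature so the cause can be confirmed from the file rather than by eye. The debug output path is an assumption; the healthy and empty samples it creates are constructed, while the failing sample reuses the lines shown above.

```shell
#!/bin/sh
# Added example; not from the SecureKnowledge article. It scans saved
# 'fw ctl debug' output for the IPS packet-capture failure signature shown
# under Symptoms. Collect the debug on the gateway with:
#   fw ctl debug -m fw + drop conn vm ips log dynlog cmi advp
#   fw ctl kdebug -T -f > /var/log/ips_debug.txt    # reproduce, then: fw ctl debug 0
# The file path is an assumption; the healthy-case lines below are constructed.

# check_ips_pcap_failure FILE
# Prints a verdict. Return codes: 0 = failure signature present,
# 1 = captures attempted and none failed, 2 = no capture attempts in the file.
check_ips_pcap_failure() {
    file="$1"
    # '|| true' keeps the "0" that grep -c prints when nothing matches, even under set -e.
    attempts=$(grep -c 'fwdynlog_perform_packet_capture : prepare forensics packet capture' "$file" || true)
    # The capture path bails out when the streaming (PSL) context is missing...
    null_ctx=$(grep -c 'fwdynlog_perform_packet_capture: match_opq.*are null' "$file" || true)
    # ...and ips_gen_dyn_log then reports the failure.
    failed=$(grep -c 'ips_gen_dyn_log: fwdynlog_perform_packet_capture() failed' "$file" || true)
    # Configured capture limit, if the debug recorded it.
    max_pcap=$(sed -n 's/.*max_pcap_num=\([0-9][0-9]*\).*/\1/p' "$file" | head -n 1)

    if [ "$attempts" -eq 0 ]; then
        echo "no IPS packet-capture attempts found in $file"
        return 2
    fi
    if [ "$failed" -gt 0 ]; then
        echo "IPS packet capture failed $failed/$attempts time(s); streaming (PSL) context missing in $null_ctx case(s); max_pcap_num=${max_pcap:-unknown}"
        return 0
    fi
    echo "IPS packet capture attempted $attempts time(s) with no failures; max_pcap_num=${max_pcap:-unknown}"
    return 1
}

# Sample inputs for a stand-alone run. FAIL_SAMPLE reuses the debug lines
# from the Symptoms section; OK_SAMPLE and EMPTY_SAMPLE are constructed.
FAIL_SAMPLE=$(mktemp)
OK_SAMPLE=$(mktemp)
EMPTY_SAMPLE=$(mktemp)
trap 'rm -f "$FAIL_SAMPLE" "$OK_SAMPLE" "$EMPTY_SAMPLE"' EXIT

cat > "$FAIL_SAMPLE" <<'EOF'
;[cpu_1];[fw4_0];ips_gen_dyn_log: max_pcap_num=3 ;
;[cpu_1];[fw4_0];fwdynlog_perform_packet_capture : prepare forensics packet capture;
;[cpu_1];[fw4_0];fwdynlog_perform_packet_capture: match_opq or match_opq->streaming_vtable or match_opq->streaming_vtable->perform_capture or match_opq->output are null.;
;[cpu_1];[fw4_0];ips_gen_dyn_log: fwdynlog_perform_packet_capture() failed.;
;[cpu_1];[fw4_0]; ==>ips_log_struct_destroy:;
EOF

# Constructed: a detection whose capture attempt produced no failure lines.
cat > "$OK_SAMPLE" <<'EOF'
;[cpu_1];[fw4_0];ips_gen_dyn_log: max_pcap_num=3 ;
;[cpu_1];[fw4_0];fwdynlog_perform_packet_capture : prepare forensics packet capture;
;[cpu_1];[fw4_0]; ==>ips_log_struct_destroy:;
EOF

# Constructed: debug output with no IPS dynamic-log activity at all.
cat > "$EMPTY_SAMPLE" <<'EOF'
;[cpu_1];[fw4_0];FW-1: fwloghandle_destroy: log handle ffffc2001f580198;
;[cpu_1];[fw4_0];fwloghandle_destroy: concurrent log handles allocated: 0;
EOF

check_ips_pcap_failure "$FAIL_SAMPLE" || true
```

A return code of 0 with a non-zero "context missing" count is the condition this article describes; a return code of 2 means the debug did not cover a detection, so the capture run should be repeated while the protection actually triggers.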


Solution