Configuring how many packets are captured
Since the packet containing the signature is sometimes not sufficient to troubleshoot a problem, you can specify how many packets are captured before and after the packet containing the IPS signature match.
config ips settings
    set packet-log-history <packets_int>
    set packet-log-post-attack <packets_int>
end
The packet-log-history command specifies how many packets are captured before and including the one in which the IPS signature is detected. If the value is more than 1, the packet containing the signature is saved in the packet log, as well as those preceding it, with the total number of logged packets equalling the packet-log-history setting. For example, if packet-log-history is set to 7, the FortiGate unit will save the packet containing the IPS signature match and the six before it.
The acceptable range for packet-log-history is from 1 to 255. The default is 1.
 
Setting packet-log-history to a value larger than 1 can affect the performance of the FortiGate unit because network traffic must be buffered. The performance penalty depends on the model, the setting, and the traffic load.
The packet-log-post-attack command specifies how many packets are logged after the one in which the IPS signature is detected. For example, if packet-log-post-attack is set to 10, the FortiGate unit will save the ten packets following the one containing the IPS signature match.
The acceptable range for packet-log-post-attack is from 0 to 255. The default is 0.
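The following Python model is an added example, not Fortinet code. It shows which packets end up in the packet log for a given pair of settings, and why a history value above 1 forces the unit to buffer traffic. The function name, the constructed packet numbers, and the behaviour when fewer packets are available than configured are assumptions.

```python
from collections import deque

HISTORY_RANGE = range(1, 256)      # packet-log-history: 1 to 255, default 1
POST_ATTACK_RANGE = range(0, 256)  # packet-log-post-attack: 0 to 255, default 0

# Constructed sample: packet sequence numbers 1..30 standing in for real packets.
SAMPLE_STREAM = list(range(1, 31))


def logged_packets(stream, is_match, history=1, post_attack=0):
    """Return the packets saved for the first signature match in `stream`.

    Model only: a single match is handled, and saving fewer packets when the
    stream is shorter than the configured window is an assumption.
    """
    if history not in HISTORY_RANGE:
        raise ValueError("packet-log-history must be between 1 and 255")
    if post_attack not in POST_ATTACK_RANGE:
        raise ValueError("packet-log-post-attack must be between 0 and 255")

    # Ring buffer of the newest `history` packets, current packet included.
    # Keeping this window for all inspected traffic is the buffering cost
    # the documentation warns about when history is larger than 1.
    window = deque(maxlen=history)
    saved, remaining = [], None      # remaining is None until a match is seen
    for pkt in stream:
        if remaining is None:
            window.append(pkt)
            if is_match(pkt):
                saved = list(window)  # the match plus up to history-1 before it
                remaining = post_attack
        elif remaining > 0:
            saved.append(pkt)         # packets following the match
            remaining -= 1
        if remaining == 0:
            break
    return saved


if __name__ == "__main__":
    hit = lambda pkt: pkt == 12       # constructed: signature matches packet 12
    print(logged_packets(SAMPLE_STREAM, hit))                    # defaults
    print(logged_packets(SAMPLE_STREAM, hit, history=7, post_attack=10))
```

With the values used in the text (7 and 10), the model saves 17 packets per match: six before the match, the match itself, and ten after it.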