Nominated Discussion: Check Which IP Address (or User, AD Group) is Utilizing More Bandwidth

kiwi — Tue, 21 Jan 2025 16:30:56 GMT

This Nominated Discussion Article is based on the post "Check which IP address (or User, AD Group) is utilizing more bandwidth" by @URONMAPU and answered by @kiwi Read on to see the response!

Hi Bro,

Is there a way to get a report on traffic usage via email with a list of top users and their usage?

I'm stuck on this problem. Hope someone can share with me.

Thanks in advance.

Regards.

David

You can schedule a report for email delivery.

https://docs.paloaltonetworks.com/pan-os/11-1/pan-os-admin/monitoring/view-and-manage-reports/schedule-reports-for-email-delivery

The information found in the traffic report > sources is giving you the information you are looking for (source IP, username, bytes, sessions, etc,...)

This is a way to schedule reports for daily delivery or delivered weekly on a specified day.
Our bandwidth is maxing out (for example 100MB) and I want to see who is using the most at that time.
I'm looking for a way to see a list of top usernames or IPs and their usage in this case.

You can check the daily reports as shown in the screenshot under Monitor > Reports > Traffic Reports to see the high bandwidth users for the past days.

Alternatively you can check the ACC tab > Network Activity > User Activity. Don't forget to select the desired timeframe or create a custom timeframe:

https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-web-interface-help/acc

Another way is to go to the Networks tab > QoS and click on the 'Statistics' link on your QoS profile (if you have one):

https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-web-interface-help/network/network-qos/qos-interface-statistics

Is there a quick way to get a report on traffic usage via email?
When our bandwidth is maxing out (or 95%), I will receive an email notification from the system including a list of IPs (or top users) and their usage. No need to access to web interface and do a manually check.

Palo Alto Networks firewalls do not natively support email alerts triggered by bandwidth thresholds.

However, you can achieve similar functionality through different methods.

Using SNMP monitoring and external tools. You can configure the FW to send SNMP data to an external SIEM which in turn can alert you.

Similarly you can use netflow and have the Netflow collector server send you alerts (https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/monitoring/netflow-monitoring).

You could also set up Log Forwarding to send log to an external system. Some of these logging servers have built in tools to send our reports/alerts (e.g. Splunk, ELK Stack, ...). Alternatively you could develop a custom script to parse logs and monitor bandwidth usage and configure the script to send email alerts when thresholds are breached.

Lastly I can think of automation tools such as Cortex XSOAR or similar third-party platforms like ServiceNow to monitor traffic logs and trigger email alerts.

tags: technical documentation, SNMP, reporting and logging, administration, log forwarding, integration, acc

article Nominated Discussion: Check Which IP Address (or User, AD Group) is Utilizing More Bandwidth in General Articles

Nominated Discussion: Check Which IP Address (or User, AD Group) is Utilizing More Bandwidth