topic Network monitor shows huge traffic spike, but can't find traffic details in Next-Generation Firewall Discussions https://live.paloaltonetworks.com/t5/next-generation-firewall/network-monitor-shows-huge-traffic-spike-but-can-t-find-traffic/m-p/557812#M1834 <P>Hey folks.</P> <P>&nbsp;</P> <P>I had a situation today whereby one of my PA's was responding really slowly across IPSec tunnels and for Global protect clients - so once I could get onto it I started digging into the network monitor to see if I could find out if there was a link/network load issue.</P> <P>&nbsp;</P> <P>I found a huge spike in traffic in the period concerned - much, much more than normal - but when I tried to check the traffic logs for matching application type, I can;t find anything which would come even close&nbsp; to matching this level of load</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="darren_g_0-1694648084743.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/53689i53071A5DFFA4C98F/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="darren_g_0-1694648084743.png" alt="darren_g_0-1694648084743.png" /></span></P> <P>The above shows the spike from the traffic monitor - you can see the increase plainly - and it lists as ms-ds-smbv3 - but when I go looking for that app in the traffic logs - there's minimal amounts - and none of it is in the period indicated by the network traffic monitor.</P> <P>&nbsp;</P> <P>Does anyone know where I can dig to try and find out where this traffic was from/to?</P> <P>&nbsp;</P> <P>Thanks</P> Wed, 13 Sep 2023 23:38:43 GMT darren_g 2023-09-13T23:38:43Z Network monitor shows huge traffic spike, but can't find traffic details https://live.paloaltonetworks.com/t5/next-generation-firewall/network-monitor-shows-huge-traffic-spike-but-can-t-find-traffic/m-p/557812#M1834 <P>Hey folks.</P> <P>&nbsp;</P> <P>I had a situation today whereby one of my PA's was responding really slowly across IPSec tunnels and for Global protect clients - so once I could get onto it I started digging into the network monitor to see if I could find out if there was a link/network load issue.</P> <P>&nbsp;</P> <P>I found a huge spike in traffic in the period concerned - much, much more than normal - but when I tried to check the traffic logs for matching application type, I can;t find anything which would come even close&nbsp; to matching this level of load</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="darren_g_0-1694648084743.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/53689i53071A5DFFA4C98F/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="darren_g_0-1694648084743.png" alt="darren_g_0-1694648084743.png" /></span></P> <P>The above shows the spike from the traffic monitor - you can see the increase plainly - and it lists as ms-ds-smbv3 - but when I go looking for that app in the traffic logs - there's minimal amounts - and none of it is in the period indicated by the network traffic monitor.</P> <P>&nbsp;</P> <P>Does anyone know where I can dig to try and find out where this traffic was from/to?</P> <P>&nbsp;</P> <P>Thanks</P> Wed, 13 Sep 2023 23:38:43 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/network-monitor-shows-huge-traffic-spike-but-can-t-find-traffic/m-p/557812#M1834 darren_g 2023-09-13T23:38:43Z Re: Network monitor shows huge traffic spike, but can't find traffic details https://live.paloaltonetworks.com/t5/next-generation-firewall/network-monitor-shows-huge-traffic-spike-but-can-t-find-traffic/m-p/558379#M1864 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/2280">@darren_g</a> ,</P> <P>Note that traffic log will be generated at the session end (by default) so if you filter your logs with timeframe you will be looking at the timeframe when the log was created. You may need to filter based on session start - which is available field in the log entry.</P> <P>&nbsp;</P> <P>Also look at the amount of total bytes (column that summarize the sent and receive). You may also&nbsp; try to apply filter to should only logs for SMB app that has total bytes greater than X</P> Mon, 18 Sep 2023 13:58:17 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/network-monitor-shows-huge-traffic-spike-but-can-t-find-traffic/m-p/558379#M1864 aleksandar.astardzhiev 2023-09-18T13:58:17Z