topic Re: Complete application traffic report for firewall rule in Panorama Discussions

Complete application traffic report for firewall rule

JohnHogman — Fri, 13 Jan 2023 10:10:53 GMT

Hi!

We have migrated our customers old firewalls to Palo altos and managing them through Panorama.

Now we want to convert the old rules into specific application rules. From server to server , Application by application.

So what I need is a complete traffic log/report, rule by rule to be able to start with the new Application rules.

It seems that all the reports and CSV exports are caped to a specifik amount of entries? Which makes the report incomplete.

The things I've tried is custom reports with the rule as filter, and doing csv exports from the regular traffic monitor.

What I would like to have is a complete report of say 30days on all unique Application traffic that hits a specific rule.

By unique I mean that I don't need duplicate entries from and to the same servers with the same application, It would be nice to just have it summarized.

Is this possible? Seems the amount of sessions is the problem now, to get a complete report.

Re: Complete application traffic report for firewall rule

GabrielMontiel — Fri, 13 Jan 2023 18:51:13 GMT

Dont need to do that! Thankfully palo alto has already a tool INTEGRATED into the firewall, you can see it at the left bottom corner its called policy optimizer, which does exactly that what you are asking for, but without running trough so many hops,

https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/app-id/security-policy-rule-optimization/migrate-port-based-to-app-id-based-security-policy-rules

Also i would suggest you to read and watch some tutorials on the expedition tool, which helps your migrations from old FW to NGFW from palo alto networks, https://www.paloaltonetworks.com/products/secure-the-network/next-generation-firewall/migration-tool

I hope this information suits you well!

Re: Complete application traffic report for firewall rule

JohnHogman — Mon, 16 Jan 2023 08:50:07 GMT

I've looked into the optimizer before.

My understanding is that it's great if you have portbased rule from before, to convert them into application based rules.

But in my case it's an any to any rule, so I guess the optimizer would make it any to any on specific applications?

What I want to do is to from server to server on specific application.

Is it possible in the optimizer?

Re: Complete application traffic report for firewall rule

GabrielMontiel — Mon, 16 Jan 2023 15:06:15 GMT

I understood your use case, yes policy optimizer is mostly to use
applications in policies.

If you want to "close" the policy to some src and dst addresses it would be
easier for you to create a custom report filtering with the policy name, or
simply in the ACC filter to policy name, also you could extract palo alto
logs in csv format and do some excel dynamic table magic its a button on
top right in the monitor traffic logs

Re: Complete application traffic report for firewall rule

JohnHogman — Tue, 17 Jan 2023 06:44:48 GMT

Hi!

Well, I've tried the custom report filters and CSV exports but the thing is that there is to much data so the logs are incomplete. It won't give me the full logs.

Is there a way to summarize them i Panorama? Now I see every new session from server to server with the same application in the exports, and it's a huge amount.

I would just like to see every new application from server to server.

Can't really see that I can do this in the ACC filter either?

Re: Complete application traffic report for firewall rule

GabrielMontiel — Tue, 17 Jan 2023 18:36:15 GMT

Im not quite sure what you mean with "server to server" if by that you
mean a single IP address, or a CIDR address range, you can see new
applications or the applications used within a single security policy rule,
with that you can separate each server flow with security policies and with
the policy optimizer in security policy GUI page theres a column named
"apps seen" you can click on that number and see which applications have
done a match with that security policy

Re: Complete application traffic report for firewall rule

JohnHogman — Wed, 18 Jan 2023 08:12:05 GMT

Okey just to clarify.

Right now we have a rule that says any any from server nets to server nets on any application.

So all server traffic floods on that rule. So it's alot of sessions.

What we want to do is to make it more granular, like the examples:

Server1 192.168.1.2 to Server2 192.168.2.3 HTTPS

Server3 192.168.43.2 to Server4 192.168.60.3 DNS

and so on.

Re: Complete application traffic report for firewall rule

GabrielMontiel — Wed, 18 Jan 2023 16:06:15 GMT

Oh now i get you, best way to do this imo, is filter by the policy name on
monitor, extract CSV columns ( you can extend the amount of rows you can
export in device/panorama, on the setup page
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClaPCAS
)

And then start filtering with excel, and create the new policies above the
current general one, you can repeat this process until you have no new hits
on the old policy.

Re: Complete application traffic report for firewall rule

JohnHogman — Fri, 20 Jan 2023 09:08:14 GMT

Yepp that's what we tried to do, but it's just to many sessions.

With the default setting of 65000 rows in CSV, gives us 1.5 hours of traffic and we want to see like a months traffic.

So if we changed it to the max value of 1048576 rows in CSV, would give us approx. 1.5 days.

Can't see that there is a way to sort out all the duplicate sessions in the monitor view.