topic Re: Check which IP address (or User, AD Group) is utilizing more bandwidth in General Topics

Check which IP address (or User, AD Group) is utilizing more bandwidth

URONMAPU — Mon, 13 Jan 2025 10:18:43 GMT

Hi Bro,

Is there a way to get a report on traffic usage via email with a list of top users and their usage?

I'm stuck on this problem. Hope someone can share with me.

Thanks in advance.

Regards.

David

Re: Check which IP address (or User, AD Group) is utilizing more bandwidth

kiwi — Mon, 13 Jan 2025 13:22:29 GMT

Hi @URONMAPU ,

You can schedule a report for email delivery.

https://docs.paloaltonetworks.com/pan-os/11-1/pan-os-admin/monitoring/view-and-manage-reports/schedule-reports-for-email-delivery

I believe the information found in the traffic report > sources is giving you the information you are looking for (source IP, username, bytes, sessions, etc,...)

Kind regards,

-Kim.

Re: Check which IP address (or User, AD Group) is utilizing more bandwidth

URONMAPU — Tue, 14 Jan 2025 02:46:04 GMT

Hi Kim @kiwi

This is a way to schedule reports for daily delivery or delivered weekly on a specified day.
Our bandwidth is maxing out (for example 100MB) and I want to see who is using the most at that time.
I'm looking for a way to see a list of top usernames or IPs and their usage in this case.

Regards,

David

Re: Check which IP address (or User, AD Group) is utilizing more bandwidth

kiwi — Tue, 14 Jan 2025 11:27:25 GMT

Hi @URONMAPU ,

You can check the daily reports as shown in the screenshot under Monitor > Reports > Traffic Reports to see the high bandwith users for the past days.

Alternatively you can check the ACC tab > Network Activity > User Activity. Don't forget to select the desired timeframe or create a custom timeframe:

https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-web-interface-help/acc

Another way is to go to the Networks tab > QoS and click on the 'Statistics' link on your QoS profile (if you have one):

https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-web-interface-help/network/network-qos/qos-interface-statistics

Kind regards,

-Kim.

Kind regards,

-Kim.

Re: Check which IP address (or User, AD Group) is utilizing more bandwidth

URONMAPU — Wed, 15 Jan 2025 04:29:11 GMT

Hi @kiwi

Is there a quick way to get a report on traffic usage via email?
When our bandwidth is maxing out (or 95%), I will receive an email notification from the system including a list of IPs (or top users) and their usage. No need to access to web interface and do a manually check.

Re: Check which IP address (or User, AD Group) is utilizing more bandwidth

kiwi — Mon, 20 Jan 2025 08:59:41 GMT

Hi @URONMAPU ,

As far as I know Palo Alto Networks firewalls do not natively support email alerts triggered by bandwidth thresholds.

However, you can achieve similar functionality through different methods.

Using SNMP monitoring and external tools. You can configure the FW to send SNMP data to an external SIEM which in turn can alert you.

Similarly you can use netflow and have the Netflow collector server send you alerts (https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/monitoring/netflow-monitoring).

You could also set up Log Forwarding to send log to an external system. Some of these logging servers have built in tools to send our reports/alerts (e.g. Splunk, ELK Stack, ...). Alternatively you could develop a custom script to parse logs and monitor bandwidth usage and configure the script to send email alerts when thresholds are breached.

Lastly I can think of automation tools such as Cortex XSOAR or similar third-party platforms like ServiceNow to monitor traffic logs and trigger email alerts.

Kind regards,

-Kim.