topic Re: Current session/connection information by subnet in General Topics

Current session/connection information by subnet

aveva_palo — Mon, 26 Sep 2011 14:08:41 GMT

We're trying to isolate the source of some high session traffic in one of our regions. This is showing up in our exterior firewall connection count, and also on our PA device which is in line.

I can see the sessions by using the command line tools and filtering to see which interface/zones/application they're from, but I can find no way of narrowing down which networks the sessions are coming from.

The IP information is available in the session info, but for instance I can't seem to do a search based on IP masks .e.g. "show session all count yes filter source 192.168.100.0/24" would show me a total session count for anything originating in that network - I'm limited to individual addresses. The same appears true for the Session Browser in the GUI.

Is there a way of filtering by source network for current session info? Can I export a session browser view and analyse it elsewhere? Any other ideas?

Regards

John Bousfield

Re: Current session/connection information by subnet

Bart_Jocque — Tue, 27 Sep 2011 07:26:03 GMT

if you are using plain /24 or /16 mask , you can use the match command :

e.g. :

show session all filter | match 192.168.1.

Re: Current session/connection information by subnet

aveva_palo — Tue, 27 Sep 2011 09:15:32 GMT

That's a useful command to know, but doesn't resolve my query unfortunately because I can't then do a count on that result. I just get a list of the matching entries.

I tried outputting the result of "show session all filter from zone_name" to log, then counting the lines, but they do not match the "count yes" argument results by a factor for 10 - e.g. lines are ~2000, count is 20,000. I'm not sure I can trust the results in that case

Any other alternatives?

Regards

John

Re: Current session/connection information by subnet

Bart_Jocque — Tue, 27 Sep 2011 09:19:53 GMT

I guess you could also make a dedicated (temporary) firewall rule for the specific traffic you are interested in and then do a :

show session all filter rule xxx

Re: Current session/connection information by subnet

skrall — Fri, 30 Sep 2011 18:31:28 GMT

In the gui you can filter traffic using subnets. You can click on a sigle IP in the traffic log that is showing the behavior you are investigating to add it to the filter. Then edit the IP from 10.10.10.10 to 10.10.0.0/16.

The CLI does not support this.

Steve Krall

Re: Current session/connection information by subnet

Retired Member — Sat, 01 Oct 2011 03:40:08 GMT

In "show session all filter ... " command, there is also count option.

Example:

admin@PAN> show session all filter count yes source 192.168.22.201
Number of sessions that match filter: 2

But you cannot do subnets with that and this only looks at sessions which are active at that time. Otherwise best option is to export your traffic logs as CSV and use MS Excel or similar to sort and count.

-Richard