https://live.paloaltonetworks.com/t5/general-topics/active-session-traffic-seems-invisible-to-acc-any-way-to-see/m-p/44341#M32541 <HTML><HEAD></HEAD><BODY><P>Here's the scenario:</P><P>1)&nbsp; 1 week ago, a session from 10.1.1.1 and 10.2.2.2 is established.&nbsp; Normally, data transfer is very low.</P><P>2)&nbsp; Within that session, 100GB of data is suddenly transferred one day between 6pm and 7pm, pegging the site's Internet bandwidth.</P><P>3)&nbsp; The data transfer becomes very low again after the burst. The session doesn't terminate until 1 week later.</P><P></P><P>Observations:</P><P>- If we look at ACC during that 1 hour burst, the traffic doesn't show up at all.</P><P>- If we look at the session browser, all we see is total transferred bytes since the session was established.</P><P></P><P>Question:</P><P>- When we try to figure out what's using up the bandwidth in a particular time frame, how can we see bytes transferred and source/destination IPs for established sessions that remain active?</P><P>(The Network Monitor is horribly inflexible and doesn't produce enough detail to be useful in our actual scenario)</P></BODY></HTML> Thu, 04 Dec 2014 06:26:17 GMT RyanF 2014-12-04T06:26:17Z https://live.paloaltonetworks.com/t5/general-topics/active-session-traffic-seems-invisible-to-acc-any-way-to-see/m-p/44341#M32541 <HTML><HEAD></HEAD><BODY><P>Here's the scenario:</P><P>1)&nbsp; 1 week ago, a session from 10.1.1.1 and 10.2.2.2 is established.&nbsp; Normally, data transfer is very low.</P><P>2)&nbsp; Within that session, 100GB of data is suddenly transferred one day between 6pm and 7pm, pegging the site's Internet bandwidth.</P><P>3)&nbsp; The data transfer becomes very low again after the burst. The session doesn't terminate until 1 week later.</P><P></P><P>Observations:</P><P>- If we look at ACC during that 1 hour burst, the traffic doesn't show up at all.</P><P>- If we look at the session browser, all we see is total transferred bytes since the session was established.</P><P></P><P>Question:</P><P>- When we try to figure out what's using up the bandwidth in a particular time frame, how can we see bytes transferred and source/destination IPs for established sessions that remain active?</P><P>(The Network Monitor is horribly inflexible and doesn't produce enough detail to be useful in our actual scenario)</P></BODY></HTML> Thu, 04 Dec 2014 06:26:17 GMT https://live.paloaltonetworks.com/t5/general-topics/active-session-traffic-seems-invisible-to-acc-any-way-to-see/m-p/44341#M32541 RyanF 2014-12-04T06:26:17Z https://live.paloaltonetworks.com/t5/general-topics/active-session-traffic-seems-invisible-to-acc-any-way-to-see/m-p/44342#M32542 <HTML><HEAD></HEAD><BODY><P>Hello Ryan,</P><P></P><P>I am not sure if we can get proper information for that particular hour .</P><P>But you can try one thing. You can create a report for this particular source and destination address. I hope this will give you some information .</P><P></P><P><IMG alt="report.JPG" class="image-0 jive-image" src="https://live.paloaltonetworks.com/legacyfs/online/17146_report.JPG" style="height: 396px; width: 620px;" /></P><P>From the available column you can select source address, destination address, hour ,application , bytes sent,bytes received.</P><P>In the query builder you can specify the specific source and destination address.</P><P>So you will have to generate multiple reports with different time frames like 24 hours , one week . Test with different columns too.</P><P>I am not sure if&nbsp; we will be able to find out something specific for this time , but for future if you want to track something like this for the previous one hour or six hours, 12 hours ,we can do that .</P><P>Let me know if it was helpful ..</P><P></P><P>Thank you</P></BODY></HTML> Thu, 04 Dec 2014 22:14:13 GMT https://live.paloaltonetworks.com/t5/general-topics/active-session-traffic-seems-invisible-to-acc-any-way-to-see/m-p/44342#M32542 MSharma 2014-12-04T22:14:13Z https://live.paloaltonetworks.com/t5/general-topics/active-session-traffic-seems-invisible-to-acc-any-way-to-see/m-p/44343#M32543 <HTML><HEAD></HEAD><BODY><P>The problem is, we don't know what IPs we need to investigate.&nbsp; The ultimate question is, how can we accurately see bytes transferred (and source/destination IPs) in a given period of time?&nbsp; The data transferred with established (non-terminated) sessions don't show up in any report, which could be a huge missing piece.</P></BODY></HTML> Mon, 08 Dec 2014 20:26:17 GMT https://live.paloaltonetworks.com/t5/general-topics/active-session-traffic-seems-invisible-to-acc-any-way-to-see/m-p/44343#M32543 RyanF 2014-12-08T20:26:17Z https://live.paloaltonetworks.com/t5/general-topics/active-session-traffic-seems-invisible-to-acc-any-way-to-see/m-p/44344#M32544 <HTML><HEAD></HEAD><BODY><P>My understanding is that ACC is based upon log data; and the log entry with the amount of data transferred is only created at session end - so ACC (and Traffic Logs) are no use mid-way through a flow.</P><P></P><P>Exporting Netflow data from your firewall to a Netflow collector is most likely the answer to this problem.&nbsp; I'd hope that PA's Netflow implementation will send out flow entries for in-progress sessions - but I've not used Netflow on PA to confirm.</P></BODY></HTML> Fri, 12 Dec 2014 16:59:33 GMT https://live.paloaltonetworks.com/t5/general-topics/active-session-traffic-seems-invisible-to-acc-any-way-to-see/m-p/44344#M32544 ajbool 2014-12-12T16:59:33Z https://live.paloaltonetworks.com/t5/general-topics/active-session-traffic-seems-invisible-to-acc-any-way-to-see/m-p/44345#M32545 <HTML><HEAD></HEAD><BODY><P>In what I've seen so far, I think you are correct--only Netflow can provide what we need here.&nbsp; A shame that's not built-in to Panorama.</P></BODY></HTML> Mon, 15 Dec 2014 17:58:39 GMT https://live.paloaltonetworks.com/t5/general-topics/active-session-traffic-seems-invisible-to-acc-any-way-to-see/m-p/44345#M32545 RyanF 2014-12-15T17:58:39Z https://live.paloaltonetworks.com/t5/general-topics/active-session-traffic-seems-invisible-to-acc-any-way-to-see/m-p/44346#M32546 <HTML><HEAD></HEAD><BODY><P>if its a long session it won't log until the session closes so make sure log at session start &amp; log at session end are both selected for the rule.</P><P></P><P>Try this as well </P><P></P><P>Go to the traffic logs and enable views for 'bytes sent' 'bytes received' , packets sent &amp; packets received</P><P></P><P>set the filter to 'bytes geg 10000000' will show you bytes uploads greater than 10mb</P><P></P><P>unit is in bytes</P><P>geq = greater than or equal</P><P>leq = less than or equal</P><P></P><P>you can also use 'bytes_sent geg 1000' or 'bytes_received geq'1000'</P><P></P><P>this will show all traffic that had a bytes sent greater than 100kb you can also increase decrease and continue to filter down in the logs.</P><P></P><P>This is how i detect large uploads or large downloads</P><P></P><P>you can do the same with packet but bytes is easier imo.</P></BODY></HTML> Fri, 19 Dec 2014 04:33:28 GMT https://live.paloaltonetworks.com/t5/general-topics/active-session-traffic-seems-invisible-to-acc-any-way-to-see/m-p/44346#M32546 jkim2 2014-12-19T04:33:28Z