topic Re: How to find source of high open sessions and/or throughput in General Topics

How to find source of high open sessions and/or throughput

jambulo — Fri, 30 Oct 2015 14:04:16 GMT

If your Palo Alto firewall is experiencing an unusually high OPEN session count, and/or high throughput, what is the best way to determine the source or destination at the same time of the event?

We have most of our security rules set to log at session end, so doing research on open sessions makes it a little harder. I have confirmed that the ACC tab does not show data for open sessions either. The Session Browser isn't too helpful because 1) you can't search by Start Time, 2) it only shows up to 2048 open sessions, 3) you can't export the results, 4) it's hard to pinpoint a specific source or destination IP.

Re: How to find source of high open sessions and/or throughput

Raido_Rattameister — Sun, 01 Nov 2015 20:56:20 GMT

So all new sessions last long and don't expire to get log into traffic log?

You should enable syn cookies on zone protection profile. Then you have log when treshold is reached.

Monitor > App scope > Change monitor should show latest changes.

You can create custom report to show packet count and if you order by quarter hour to see if any anomalies.

Pan(w)achrome Chrome plugin shows really high overview in real time (source/destination physical/logical interface with packet/throughput count).

Re: How to find source of high open sessions and/or throughput

pulukas — Tue, 03 Nov 2015 12:39:30 GMT

I feel your pain, live with logging at session end the session table is your only options.

At times when we have had recurring issues like this we add log at session start to the most likely rule candidates based on the post event logging that we do have. These are then much easier to filter when it comes around the next time.

Re: How to find source of high open sessions and/or throughput

jambulo — Mon, 10 Apr 2017 19:07:33 GMT

I need to resurrect this issue back from the dead. We monitor our PA's with SNMP, and when the Session Count and/or Connection Rate increases to a number above normal, it's always a struggle to find the source of the problem using the PA interface. Anyone have any tips?

Here's an example:

Our SNMP monitoring tool clearly shows a spike/hump in Open (TCP) Sessions...

The ACC tab does not reveal that there were any indications of a spike in traffic.

Re: How to find source of high open sessions and/or throughput

soporteseguridad — Tue, 16 May 2017 12:23:53 GMT

We have the same issue with PA-5050 v7.1.7. Monitoring through SNMP shows incorrect session values that do not match the ones shown by the firewall on CLI. It seems a bug with the panSessionActive OID.

Re: How to find source of high open sessions and/or throughput

nextgenhappines — Thu, 18 May 2017 10:59:21 GMT

I am thinking to setup a netflow collector. I am hoping Netflow may provide a closer to "real time" usage. Any comments or suggestion on netflow ?