topic Re: Custom Report; 'bytes' per 'vlan'/ '/24 subnet' with ? monitor tag ? in General Topics

Custom Report; 'bytes' per 'vlan'/ '/24 subnet' with ? monitor tag ?

mpgioia — Sun, 04 Jun 2017 10:59:16 GMT

Hi all,

I have a simple 'tenanted' environment. A /24 subnet represents a tenant behind the trust of my PAN.

I want a simple report that shows 'traffic' over the last calendar month of that /24.

I think this is simple by applying a 'monitor tag' per subnet. And then tagging my basic permit rules that match that source condition match of that /24 with that 'monitor tag'.

But this 'sort by' and 'group by' is annoying. I don't want to sort or group by anything.

I literally want a 'database = traffic' based custom report where selected columns are (top down)

- Monitor Tag

- Source address

- Destination address

- Bytes

with no grouping.

See what i'm trying to do ?

The sort by is giving me a finite display of rows. I just want a total bytes of every vlan/subnet.

Any suggestions from the community ?

Re: Custom Report; 'bytes' per 'vlan'/ '/24 subnet' with ? monitor tag ?

Remo — Sun, 04 Jun 2017 17:59:30 GMT

I'm not sure if I understood your requirements correctly. Do you need almost the raw traffic log? Or the cumulated traffic/bytes per src:dst ip pair? Or more like subnet:dst ip pair?

Re: Custom Report; 'bytes' per 'vlan'/ '/24 subnet' with ? monitor tag ?

mpgioia — Mon, 05 Jun 2017 01:16:40 GMT

I'd love to be able to,

1. Tag all my policies that match a source condition of a tenant /24 with a tag. I.e. (Some have some whitelisting of 'org wide prohibited apps' , above an org wide block list of say spotify, etc) .. so would have 2 or 3 rules above & beyond the sourceNAT allow at the bottom.

2. then based on that tag want to build a custom report of cumulative BYTES showing columns of, 1. That tag, 2. Source IP, 3. Destination IP, 4. Bytes for 'calendar month'.

3. no grouping or filtering. Just cumulative BYTES on that tag. If I have 100 tags then I have 100 rows.

100 rows, 4 columns.

If I tack on additional tenants.. then rows will grow, but 4 columns remain/are static.

Re: Custom Report; 'bytes' per 'vlan'/ '/24 subnet' with ? monitor tag ?

Remo — Mon, 05 Jun 2017 10:34:48 GMT

What if you set the group by to "Rule", and the number to as many as you need and add the columns "rule" and "bytes" to the report. This way (if you have only one rule / tenant) it will give you what you need right?

But I assume that you have more than one rule / tenant, so to get exactly what you need I think you have the following options:

Use an external log analyzing software like splunk
Create 1 custom report / tenant, collect the outputs with a script periodically with the API and let the same script merge the outputs from the different custom reports to one file (for example csv)
Use the API to build a totally custom solution where you create a script to parse the logs anf get the information you need do things like cumulating the bytes for every entry / tenant
Reach out to your SE to create a Feature Request and wait ...

Re: Custom Report; 'bytes' per 'vlan'/ '/24 subnet' with ? monitor tag ?

mpgioia — Mon, 05 Jun 2017 11:35:28 GMT

I reckon Ileveraging the API is the best bet.

But tell me.. how does the 'Monitor Tag' work ?

That will be key in querying against when parsing and summating manually in the API... me thinks (for my use case/requirement for the report).

But the reference to the humble 'tag' in PANOS 8.0 doco references it only to 'SaaS Application Usage' ? 😕

https://www.paloaltonetworks.com/documentation/80/pan-os/web-interface-help/objects/objects-tags

Re: Custom Report; 'bytes' per 'vlan'/ '/24 subnet' with ? monitor tag ?

Remo — Mon, 05 Jun 2017 11:58:27 GMT

These tags are only for tagging objects/rule. This way you are able to search after a tag and your firewall/panorama will show all related things. Or to as you probably meant, create a tag / tenant and use this tag to identify the specific tenantrules. The tags cannot be used for log querys.

But if you go the way with the API you have to use the filter (addr.src in tenant/24) and then use the logs returned by the API to calculate the things you need.

Here is a very simplified option how I think this can be solved (pseudo code):

$logs = get-fw-logs((addr.src in 10.0.0.0/24) and (action eq allow))

[int64]$bytes

Foreach ($entry in $logs) {

$bytes += $entry.bytes

}

Depending on how many logs you have there will also be some more problems because the API will return entrys up to a specified max. (Which I can't remember right now). So you probably have to issue more than one query to get all logs you need.