https://live.paloaltonetworks.com/t5/general-topics/traffic-report-how-much-destination-hosts-contacted/m-p/7273#M5388 <HTML><HEAD></HEAD><BODY><P>I'm not sure if the API specifically reports on session information, but there is a PAN API that exposes a bunch of information. Here's an overview:</P><P></P><P><A __default_attr="1583" __jive_macro_name="document" class="jive_macro jive_macro_document" href="https://live.paloaltonetworks.com/"></A></P><P></P><P>Also here is the XML API documentation:</P><P></P><P><A __default_attr="4126" __jive_macro_name="document" class="jive_macro jive_macro_document" href="https://live.paloaltonetworks.com/"></A></P><P></P><P></P><P>I'm betting that what you're requesting is possible with the API... possibly combined with a custom report built on the firewall and then 'pulling' that report via the API</P></BODY></HTML> Sun, 17 Feb 2013 02:23:47 GMT ericgearhart 2013-02-17T02:23:47Z https://live.paloaltonetworks.com/t5/general-topics/traffic-report-how-much-destination-hosts-contacted/m-p/7272#M5387 <HTML><HEAD></HEAD><BODY><P>Hi Community!</P><P></P><P>There is a predefined traffic report "Connections": It shows per row how much connections (sessions) a source host has made to a specific destination host. </P><P></P><P>Is it possible to create a report which shows per row how much distinct destination hosts a source host has contacted? This could be useful for example to recognize if a source host is scanning a lot of different destinations.</P><P></P><P>Let me explain it further.</P><P></P><P>The "Connections" report shows:</P><P></P><TABLE border="1" class="jiveBorder" height="147.66666662693024" style="border: 1px solid rgb(0, 0, 0); width: 256.66666662693024px; height: 145.66666662693024px;"><TBODY><TR><TH style="text-align: center; background-color: #6690bc; color: #ffffff; padding: 2px;" valign="middle">Source Host</TH><TH style="text-align: center; background-color: #6690bc; color: #ffffff; padding: 2px;" valign="middle"><STRONG>Destination Host</STRONG></TH><TH style="text-align: center; background-color: #6690bc; color: #ffffff; padding: 2px;" valign="middle"><STRONG>Sessions</STRONG></TH></TR><TR><TD style="padding: 2px;">SrcA</TD><TD style="padding: 2px;">DstA</TD><TD style="padding: 2px;">50</TD></TR><TR><TD>SrcB</TD><TD>DstB</TD><TD>40</TD></TR><TR><TD>SrcA</TD><TD>DstC</TD><TD>30</TD></TR><TR><TD>SrcB</TD><TD>DstA</TD><TD>20</TD></TR><TR><TD>SrcB</TD><TD>DstD</TD><TD>10</TD></TR></TBODY></TABLE><P></P><P>I was trying to create a report like this:</P><P></P><TABLE border="1" class="jiveBorder" height="73.66666662693024" style="border: 1px solid #000000; width: 280.66666662693024px; height: 73.66666662693024px;" width="279.66666662693024"><TBODY><TR><TH style="text-align: center; background-color: #6690bc; color: #ffffff; padding: 2px;" valign="middle"><STRONG>Source Host</STRONG></TH><TH style="text-align: center; background-color: #6690bc; color: #ffffff; padding: 2px;" valign="middle">Destination Hosts Contacted</TH></TR><TR><TD style="padding: 2px;">SrcB</TD><TD style="padding: 2px;">3</TD></TR><TR><TD style="padding: 2px;">SrcA</TD><TD style="padding: 2px;">2</TD></TR></TBODY></TABLE><P></P><P>Do you think this is possible?</P><P>Is there a way to query the database(s) in the PA directly (via SQL)?</P><P></P><P>Thanks in advance!</P><P>E.</P><P></P><P>Model: PA-5020</P><P>Software version: 5.0.2</P></BODY></HTML> Sat, 16 Feb 2013 21:22:48 GMT https://live.paloaltonetworks.com/t5/general-topics/traffic-report-how-much-destination-hosts-contacted/m-p/7272#M5387 E 2013-02-16T21:22:48Z https://live.paloaltonetworks.com/t5/general-topics/traffic-report-how-much-destination-hosts-contacted/m-p/7273#M5388 <HTML><HEAD></HEAD><BODY><P>I'm not sure if the API specifically reports on session information, but there is a PAN API that exposes a bunch of information. Here's an overview:</P><P></P><P><A __default_attr="1583" __jive_macro_name="document" class="jive_macro jive_macro_document" href="https://live.paloaltonetworks.com/"></A></P><P></P><P>Also here is the XML API documentation:</P><P></P><P><A __default_attr="4126" __jive_macro_name="document" class="jive_macro jive_macro_document" href="https://live.paloaltonetworks.com/"></A></P><P></P><P></P><P>I'm betting that what you're requesting is possible with the API... possibly combined with a custom report built on the firewall and then 'pulling' that report via the API</P></BODY></HTML> Sun, 17 Feb 2013 02:23:47 GMT https://live.paloaltonetworks.com/t5/general-topics/traffic-report-how-much-destination-hosts-contacted/m-p/7273#M5388 ericgearhart 2013-02-17T02:23:47Z https://live.paloaltonetworks.com/t5/general-topics/traffic-report-how-much-destination-hosts-contacted/m-p/7274#M5389 <HTML><HEAD></HEAD><BODY><P>Dear egearhart!</P><P></P><P>I followed your advice and browsed the REST API.</P><P></P><P>There are three types of reports you can get with it:</P><P></P><UL><LI>Dynamic Reports: They are predefined and you can only set the timeframe and the number of rows. There is no connection report or the like.</LI><LI>Predefined Reports: These are the same predefined reports you can via the web page, including the top-connections report i mentioned.</LI><LI>Custom Reports: You can get retrieve the results of custom reports. But you have to create this report on the webpage.</LI></UL><P></P><P>I also could not find a way to query the traffic databases on the PA with SQL via the REST API.</P><P></P><P>So the question still persists: Has&nbsp; someone an idea how to create a custom report which counts the destination hosts a source host contacted?</P><P></P><P>Otherwise the only way to create such a report would be to retrieve the traffic log of the last day somehow, feed it into a database (such as MySQL) and do the queries there. </P><P></P><P>Since 5.0.0 you can retrieve logs via REST API. But there is a maximum of 5000 rows. Is there another way?</P></BODY></HTML> Sun, 17 Feb 2013 19:40:03 GMT https://live.paloaltonetworks.com/t5/general-topics/traffic-report-how-much-destination-hosts-contacted/m-p/7274#M5389 E 2013-02-17T19:40:03Z