topic Network Outbound baseline. in General Topics

Network Outbound baseline.

RobinClayton — Fri, 12 Jan 2018 17:10:08 GMT

I need to provide a baseline of allowed traffic outbound for a period of time.

So to list

Client -> External Server [ Port/Application ]

Is there a report on the PA-3020 that can be crafted to do this

Thanks

Rob

Re: Network Outbound baseline.

OtakarKlier — Fri, 12 Jan 2018 17:20:06 GMT

Hello,

A 'User Activity Report' might be what you are after. But if its to a specific exteranl IP and/or port, a custom report might be a better method. If this is a one time thing, perhaps the Unified logs would give you what you are looking for?

Regards,

Re: Network Outbound baseline.

BPry — Fri, 12 Jan 2018 18:12:29 GMT

@RobinClayton,

Sure. I've provided a sample of a custom report that could be utilized for a 24hr period as an example. The example simply shows traffic going to opendns with the application being dns.

      <entry name="Test-Outbound">
        <type>
          <trsum>
            <sortby>bytes</sortby>
            <group-by>dst</group-by>
            <aggregate-by>
              <member>from</member>
              <member>to</member>
              <member>app</member>
              <member>src</member>
            </aggregate-by>
            <values>
              <member>sessions</member>
              <member>bytes</member>
              <member>nunique-of-apps</member>
            </values>
          </trsum>
        </type>
        <period>last-24-hrs</period>
        <topn>500</topn>
        <topm>50</topm>
        <caption>Test-Outbound</caption>
        <query>(addr.src in 192.168.0.0/16) and ( (addr.dst eq 208.67.222.222) and (app eq dns) )</query>
      </entry>

Re: Network Outbound baseline.

RobinClayton — Mon, 15 Jan 2018 09:32:35 GMT

I need all unique instances of allowed traffic.

192.168.1.5 - 8.8.8.8 - DNS

192.168.1.5 - 8.8.4.4 - DNS

192.168.1.6 - 8.8.8.8 - DNS

192.168.1.5 - 8.8.8.8 - https

~~192.168.1.5 - 8.8.8.8 - DNS~~

192.168.1.6 - 178.16.40.90 - https

~~192.168.1.6 - 8.8.8.8 - DNS~~

So that no entries are repeated.

Re: Network Outbound baseline.

BPry — Mon, 15 Jan 2018 13:52:04 GMT

@RobinClayton,

Really isn't an amazing way to do this from a custom report then. Since you are locating DNS traffic you're going to be looking at a lot of sessions and you'll quickly reach the limits on how large the custom reports can actually be. Your best bet to fullfil this is likely going to be simply filtering the 'traffic' or 'unified' logs and simply exporting the results.

Depending on what you are looking to do with this information you could simply seperate the queries based off of source address, or run all the queries individually.

( ( addr.src in 192.168.1.5 ) and ( addr.dst in 8.8.8.8 ) and ( app eq dns ) ) or ( ( addr.src in 192.168.1.5 ) and ( addr.dst in 8.8.4.4 ) and ( app eq dns ) ) or ( ( addr.src in 192.168.1.6 ) and ( addr.dst in 8.8.8.8 ) and ( app eq dns ) ) or ( ( addr.src in 192.168.1.5 ) and ( addr.dst in 8.8.8.8 ) and ( port.dst eq 443 ) ) or ( ( addr.src in 192.168.1.6 ) and ( addr.dst in 178.16.40.90 ) and ( port.dst eq 443 ) )

You'll notice that the queries for the https traffic I simply did a destination port of 443. This is because I simply didn't know what the application would usually return as. Likely the app would be SSL on either, but you'd either want to run it simply as the dst port search or actually verify in the logs what that traffic is getting identified as and switch it out in the query.