Network Outbound baseline.

Reply
L4 Transporter

Network Outbound baseline.

I need to provide a baseline of allowed traffic outbound for a period of time.

 

So to list

 

Client -> External Server [ Port/Application ]

 

Is there a report on the PA-3020 that can be crafted to do this

 

Thanks

 

 

Rob

L7 Applicator

Re: Network Outbound baseline.

Hello,

A 'User Activity Report' might be what you are after. But if its to a specific exteranl IP and/or port, a custom report might be a better method. If this is a one time thing, perhaps the Unified logs would give you what you are looking for?

 

Regards,

L7 Applicator

Re: Network Outbound baseline.

@RobinClayton,

Sure. I've provided a sample of a custom report that could be utilized for a 24hr period as an example. The example simply shows traffic going to opendns with the application being dns. 

      <entry name="Test-Outbound">
        <type>
          <trsum>
            <sortby>bytes</sortby>
            <group-by>dst</group-by>
            <aggregate-by>
              <member>from</member>
              <member>to</member>
              <member>app</member>
              <member>src</member>
            </aggregate-by>
            <values>
              <member>sessions</member>
              <member>bytes</member>
              <member>nunique-of-apps</member>
            </values>
          </trsum>
        </type>
        <period>last-24-hrs</period>
        <topn>500</topn>
        <topm>50</topm>
        <caption>Test-Outbound</caption>
        <query>(addr.src in 192.168.0.0/16) and ( (addr.dst eq 208.67.222.222) and (app eq dns) )</query>
      </entry>

 

Capture.PNG

L4 Transporter

Re: Network Outbound baseline.

I need all unique instances of allowed traffic.

 

192.168.1.5 - 8.8.8.8 - DNS

192.168.1.5 - 8.8.4.4 - DNS

192.168.1.6 - 8.8.8.8 - DNS

192.168.1.5 - 8.8.8.8 - https

192.168.1.5 - 8.8.8.8 - DNS

192.168.1.6 - 178.16.40.90 - https

192.168.1.6 - 8.8.8.8 - DNS

 

So that no entries are repeated.

 

 

L7 Applicator

Re: Network Outbound baseline.

@RobinClayton,

Really isn't an amazing way to do this from a custom report then. Since you are locating DNS traffic you're going to be looking at a lot of sessions and you'll quickly reach the limits on how large the custom reports can actually be. Your best bet to fullfil this is likely going to be simply filtering the 'traffic' or 'unified' logs and simply exporting the results. 

Depending on what you are looking to do with this information you could simply seperate the queries based off of source address, or run all the queries individually. 

( ( addr.src in 192.168.1.5 ) and ( addr.dst in 8.8.8.8 ) and ( app eq dns ) ) or ( ( addr.src in 192.168.1.5 ) and ( addr.dst in 8.8.4.4 ) and ( app eq dns ) ) or ( ( addr.src in 192.168.1.6 ) and ( addr.dst in 8.8.8.8 ) and ( app eq dns ) ) or ( ( addr.src in 192.168.1.5 ) and ( addr.dst in 8.8.8.8 ) and ( port.dst eq 443 ) ) or ( ( addr.src in 192.168.1.6 ) and ( addr.dst in 178.16.40.90 ) and ( port.dst eq 443 ) )

 

You'll notice that the queries for the https traffic I simply did a destination port of 443. This is because I simply didn't know what the application would usually return as. Likely the app would be SSL on either, but you'd either want to run it simply as the dst port search or actually verify in the logs what that traffic is getting identified as and switch it out in the query.   

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!