Reading the Expedition Log Analysis Guide (1.0.2), it has a tiny blurb about the "flow" in the Learning Results:
The Flow has been calculated after figure it out who are the servers on the networks.
In the resulting potential rules, there are mixes of "Client_to_Server" and "Server_to_Server". I import rules to my project and when merging rules to group similar sources or destinations together with common apps, I'm at a loss to understand how Expedition or PanOS calculated the flows. Case in point, I have many rules that come up when merging that all have same src zone, same dst zone, same apps, only src or dst hosts are different. Without knowing more about actual clients that are listed, I would be inclined to group them all in the same policy. But if PanOS or Expedition is seeing an OS fingerprint or something in the traffic and throwing the "client_to_server" or "server_to_client" flow and then tag onto the rule, I would consider leaving them separate.
Assuming same src/dst zones , what would make Expedition call one flow server to client or vice versa?
Expedition analyze multiple traffic flows based on source and destination ports , for example , traffic flows from multiple user machines (client ) src port (Random high range of ports) to a web server (server) on dst port (TCP port 443 ) . This will been identified as client to server flows. Hope this helps .
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!