06-17-2016 07:50 AM - edited 06-17-2016 02:02 PM
Hi,
Issue:
Let's say we filter out web-browsing in ACC to check the traffic amount used by that specific app.
We check three different ranges:
... and now we select Week1+Week2+Week3 custom range, basically it contains everything within these weeks.
Gives a feeling like the result is Week1+Week3, with Week 2 somehow excluded.
Next: Let's take Week2+Week3 as a custom range:
Next: Week1+Week2 as a custom range:
So, do you have any idea, guys, why that summed-up scenario gives us a wrong result if separately the numbers seem fine?
Tested on 7.0.2, but quickly checked that out on 7.1.2 - looked like it has a similar result.
I've checked other Live articles, but they are mostly talking about differences in stats from different databases, but in this case, as far as my understanding goes, data is gathered from the traffic summary database (I guess weeklytrsum), so the source should be the same. And, yes, you can reproduce the same by generating a Custom Report with the same parameters from the Traffic Summary database.
06-20-2016 04:44 AM
Are you possibly hitting the 100k line limit?
In scenarios where the 100k lines limit is reached, some of the information will not be displayed on the ACC or data may be inaccurate:
ACC-is-Not-Accurate-During-Heavy-Traffic-Log-Generation
Either way, I've tested this in a small lab and cannot confirm the behaviour you're seeing.
Everything adds up nicely for 3 weeks in my lab.
06-20-2016 06:30 AM
Thanks for your input. I looked at this article previously, but I'm not sure if that applies to this case - the traffic is stored within that database already (I suppose weeklytrsum), so the 100k line limit should not be the problem, because if trying to sum it up part by part, it seems fine, so the information is there and recorded. I have a feeling it is a matter of how it's processed in ACC, but still just a guess. I will try that on one more Palo today, so will update later.
06-20-2016 10:38 AM
@nikoo What platform? I've got similar issues, but it only occurs when trying to view logs in Panorama on logs fed from my 5060.
06-21-2016 12:32 AM - edited 06-21-2016 01:58 AM
As far as I've looked, it happens on 5020 (7.1.2), 3020 (7.0.6, much less deviation here, but it may be a matter of the sample taken), 3020 (7.0.2), 5020 (6.1.11). I guess it is a PAN limitation, and it may be the one Kiwi mentioned, but, well, that sucks. It may be a different story with Panorama, but again - just guessing.
Edit: Just tested on my lab box - 3050 with 7.1.2 - traffic there is generated rarely and the result for filtering out ssl traffic:
Week1 - 192.2 MB & 9.5k sessions
Week2 - 154.2 & 19.2k sessions
Week3 - 314MB & 28.6k sessions
-----
And when range is expanded to Week1+Week2+Week3 we get 707 MB & 66.9k sessions, although manual sum counts up 661 MB & 57.3k sessions. Meh.
06-21-2016 08:50 AM - edited 06-21-2016 08:53 AM
I just tried this on a VM-300 running 7.1.2:
week1 115.9G + 79.3k sessions
week2 230.7G + 154.4k sessions
week3 133.2G + 112.8k sessions
Then I selected a custom range that included all 3 weeks:
- 479.9G + 347.0k sessions
Lines right up for me.
(edit: I'm not saying that you're not experiencing a problem... just wanted to put in my .02 and let you know that it's not all platforms or all software versions).
06-25-2016 05:06 AM
Doesn't ACC only report those sessions closed during the time period that is selected and the policies that are logged?
If the sessions are long-lived (sessions that were started 4 weeks ago and transfer data at a pretty slow rate), when those sessions are closed, they will show up on the ACC report.