Active session traffic seems invisible to ACC. Any way to see bytes transferred of active sessions in a period of time? (Not using network monitor)

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Active session traffic seems invisible to ACC. Any way to see bytes transferred of active sessions in a period of time? (Not using network monitor)

L2 Linker

Here's the scenario:

1)  1 week ago, a session from 10.1.1.1 and 10.2.2.2 is established.  Normally, data transfer is very low.

2)  Within that session, 100GB of data is suddenly transferred one day between 6pm and 7pm, pegging the site's Internet bandwidth.

3)  The data transfer becomes very low again after the burst. The session doesn't terminate until 1 week later.

Observations:

- If we look at ACC during that 1 hour burst, the traffic doesn't show up at all.

- If we look at the session browser, all we see is total transferred bytes since the session was established.

Question:

- When we try to figure out what's using up the bandwidth in a particular time frame, how can we see bytes transferred and source/destination IPs for established sessions that remain active?

(The Network Monitor is horribly inflexible and doesn't produce enough detail to be useful in our actual scenario)

1 accepted solution

Accepted Solutions

My understanding is that ACC is based upon log data; and the log entry with the amount of data transferred is only created at session end - so ACC (and Traffic Logs) are no use mid-way through a flow.

Exporting Netflow data from your firewall to a Netflow collector is most likely the answer to this problem.  I'd hope that PA's Netflow implementation will send out flow entries for in-progress sessions - but I've not used Netflow on PA to confirm.

View solution in original post

5 REPLIES 5

L1 Bithead

Hello Ryan,

I am not sure if we can get proper information for that particular hour .

But you can try one thing. You can create a report for this particular source and destination address. I hope this will give you some information .

report.JPG

From the available column you can select source address, destination address, hour ,application , bytes sent,bytes received.

In the query builder you can specify the specific source and destination address.

So you will have to generate multiple reports with different time frames like 24 hours , one week . Test with different columns too.

I am not sure if  we will be able to find out something specific for this time , but for future if you want to track something like this for the previous one hour or six hours, 12 hours ,we can do that .

Let me know if it was helpful ..

Thank you

The problem is, we don't know what IPs we need to investigate.  The ultimate question is, how can we accurately see bytes transferred (and source/destination IPs) in a given period of time?  The data transferred with established (non-terminated) sessions don't show up in any report, which could be a huge missing piece.

My understanding is that ACC is based upon log data; and the log entry with the amount of data transferred is only created at session end - so ACC (and Traffic Logs) are no use mid-way through a flow.

Exporting Netflow data from your firewall to a Netflow collector is most likely the answer to this problem.  I'd hope that PA's Netflow implementation will send out flow entries for in-progress sessions - but I've not used Netflow on PA to confirm.

In what I've seen so far, I think you are correct--only Netflow can provide what we need here.  A shame that's not built-in to Panorama.

if its a long session it won't log until the session closes so make sure log at session start & log at session end are both selected for the rule.

Try this as well

Go to the traffic logs and enable views for 'bytes sent' 'bytes received' , packets sent & packets received

set the filter to 'bytes geg 10000000' will show you bytes uploads greater than 10mb

unit is in bytes

geq = greater than or equal

leq = less than or equal

you can also use 'bytes_sent geg 1000' or 'bytes_received geq'1000'

this will show all traffic that had a bytes sent greater than 100kb you can also increase decrease and continue to filter down in the logs.

This is how i detect large uploads or large downloads

you can do the same with packet but bytes is easier imo.

  • 1 accepted solution
  • 5507 Views
  • 5 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!