09-06-2016 08:29 AM - edited 09-06-2016 08:30 AM
Which report, and what configuration should I use to get every user/source IP of a user using a specific application?
I currently tried "Device Traffic Summary" sorting by "bytes" top 5 grouping by user, but I can only have top 50. So only the "Top 50 users consuming the most bandwidth."
If I try ACC and target the application I can get top 500, but I'm sure there are more users than that, not to mention I'm trying to search over a week long period.
Thanks in advance.
09-06-2016 09:14 AM
So you would probably want to generate a custom report for this sort of thing and run from there. With that being said though, you are still going to run into the top 500 limit; to the best of my knowledge there is not currently a way to get any more results than that.
09-08-2016 03:25 PM
Hello,
Not sure how often you need to run the report, however there is another way to look. You can look at the traffic logs and just filter by application and then download the CSV. I know it's not as clean as a report but may get you the data you are looking for?
Regards,
09-09-2016 11:24 AM
@OtakarKlier Didn't even think about that idea. That is probably the most accurate way that I can think of to pull the report. Although it's not exactly what I was looking for it'll get the job done for what I need.
I just can't understand though how this wouldn't be something native Palo can do. I just can't imagine no one has wanted this type of info before.
09-09-2016 11:33 AM
I'm sure there may be a report that can be generated, however I am not the greatest at reports :(.
09-09-2016 11:55 AM - edited 09-09-2016 11:57 AM
You can definitely do a custom report for this. Here's a quick example that will spit out a report of the top 500 users of the application "ssl" sorted by bandwidth consumed for a 24-hour period of time. In the Firewall GUI, go to Monitor / Manage Custom Reports. At the bottom of the screen, click "Add" and add a new custom report. Here's the settings I used:
Click the "OK" button to save the report. (I always click "run now", get my data, and then close the window without saving my reports). Once you've saved the definition, open the report back up and click "run now" to see the output. For this report, it should look like this. The source hostname field will populate if you have reverse DNS and/or firewall objects that map to those source addresses.
You could further refine the report to exclude externally-sourced traffic by adding to the traffic filter. Instead of just filtering on SSL as an application, you could do this:
(app eq ssl) and (zone.src eq trust)
If the list is larger than 500 entries, you could further segment your report with something like this:
09-09-2016 11:59 AM
(continued)
report 1 (app eq ssl) and (addr.src in 10.0.0.0/24)
report 2 (app eq ssl) and (addr.src in 10.0.1.0/24)
or even combinations of networks like:
report 3 (app eq ssl) and ((addr.src in 10.1.1.0/24) or (addr.src in 192.168.1.0/24))
Regardless of how you slice it up, you can export the results of your reports into CSV format and easily combine them into a single spreadsheet.
09-13-2016 06:47 AM - edited 09-13-2016 06:55 AM
Thanks so much for helping me figure out how to actually get the report built. Here's the rub though, I know beyond 1000% that the report will end up having more than 500 source IPs/users. I've got about 8,000-15,000 users a day on my network. I'm trying to understand "how many use Facebook."
I like your ingenuity using subnets to break out the 500 user limit, but frankly the fact that Palo can't aggregate up users beyond 500 is just stupid. I don't have the time to break out the 1000 or so subnets to mitigate the user count limit.
While I'd love to do this off a report I think the easiest way to get a raw count without running into a limit is like @OtakarKlier suggested. I'll just target a 7-day timeline focusing on the facebook application.
From there I can export the traffic log to CSV then remove duplicates. This would allow me to get a number larger than 500 users/IPs.
09-13-2016 07:07 AM
I'll second the fact that PA should allow more than 500 results on a custom report; even when it comes to applications or connection attempts there are times where frankly 500 results can amount to an hour's worth of results for particular applications. As it sits, when I run weekly reports that are very vague I run into an issue where I can't actually get all of the information in one run because I cross the 500 result limit, even with grouping and heavily segregating out the information that I actually need.
09-13-2016 07:36 AM - edited 09-13-2016 07:37 AM
Welp...No dice.
I exported a "7 day" traffic log view from Panorama and the CSV export stops at 65,535 entries. Doesn't even go past a single day. In fact it doesn't go beyond 1 hour. That's pointless.
09-13-2016 08:11 AM
You can change the max # rows output for CSV:
09-13-2016 08:39 AM - edited 09-13-2016 08:46 AM
09-13-2016 08:50 AM - edited 09-13-2016 08:53 AM
Sad day...Looks like I'm going to have to bump it down: Error from Excel (I had it set at 1048576, so I just bumped it down to 1048000) :
This message can appear due to one of the following:
The file contains more than 1,048,576 rows or 16,384 columns. To fix this problem, open the source file in a text editor such as Microsoft Word. Save the source file as several smaller files that conform to this row and column limit, and then open the smaller files in Microsoft Excel. If the source data cannot be opened in a text editor, try importing the data into Microsoft Access, and then exporting subsets of the data from Access to Excel.
The area that you are trying to paste the tab-delineated data into is too small. To fix this problem, select an area in the worksheet large enough to accommodate every delimited item.
Notes
Excel cannot exceed the limit of 1,048,576 rows and 16,384 columns.
By default, Excel places three worksheets in a workbook file. Each worksheet can contain 1,048,576 rows and 16,384 columns of data, and workbooks can contain more than three worksheets if your computer has enough memory to support the additional data.
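The thread ends up at three workarounds for the 500-row report cap: split the custom report by source subnet and recombine the CSVs, export the filtered traffic log and de-duplicate it, and then fight Excel's 1,048,576-row limit on the result. The script below is an added example (not from the thread and not Palo Alto Networks code) that does all three steps in one place without Excel: it streams any number of CSV exports, counts unique users and source IPs for one application, recombines per-subnet byte totals into a single ranking, and chunks a large export into Excel-sized files. The column headers ("Source User", "Source address", "Application", "Bytes") and the sample rows are assumptions constructed for the example; check them against the header line of your own export.

```python
"""Merge PAN-OS CSV exports and count unique users / source IPs per application.

Added example, not from the LIVEcommunity thread or from Palo Alto Networks.
Column names are assumed to match the traffic-log / custom-report CSV export;
adjust them to the header line of your own file if they differ.
"""
import csv
import io
from collections import defaultdict
from typing import Dict, Iterable, Iterator, List, Set, Tuple

# Assumed header names in the exported CSV (verify against your export).
USER_COL = "Source User"
SRC_COL = "Source address"
APP_COL = "Application"
BYTES_COL = "Bytes"

# Constructed sample data standing in for two per-subnet report exports
# (report 1: addr.src in 10.0.0.0/24, report 2: addr.src in 10.0.1.0/24).
REPORT_10_0_0 = """Source User,Source address,Application,Bytes
acme\\alice,10.0.0.5,facebook-base,1200
acme\\bob,10.0.0.6,facebook-base,300
acme\\alice,10.0.0.5,facebook-base,800
,10.0.0.9,ssl,5000
"""
REPORT_10_0_1 = """Source User,Source address,Application,Bytes
acme\\carol,10.0.1.7,facebook-base,100
acme\\alice,10.0.1.20,facebook-base,50
,10.0.1.30,facebook-base,75
"""


def iter_rows(csv_texts: Iterable[str]) -> Iterator[Dict[str, str]]:
    """Stream rows from any number of CSV exports (segmented reports or a raw
    traffic-log export). Only the current row is held in memory, so Excel's
    row limit does not apply; only the export's own max-rows setting does."""
    for text in csv_texts:
        for row in csv.DictReader(io.StringIO(text)):
            yield row


def _is_app(row: Dict[str, str], app: str) -> bool:
    return (row.get(APP_COL) or "").strip().lower() == app.lower()


def unique_sources(csv_texts: Iterable[str], app: str) -> Tuple[Set[str], Set[str]]:
    """Return (users, ips) seen for `app` across all files, duplicates removed.
    Rows with no mapped user (empty Source User) still contribute their IP."""
    users: Set[str] = set()
    ips: Set[str] = set()
    for row in iter_rows(csv_texts):
        if not _is_app(row, app):
            continue
        ip = (row.get(SRC_COL) or "").strip()
        user = (row.get(USER_COL) or "").strip()
        if ip:
            ips.add(ip)
        if user:
            users.add(user)
    return users, ips


def bytes_per_user(csv_texts: Iterable[str], app: str) -> Dict[str, int]:
    """Sum Bytes per user (falling back to source IP when the user is unmapped)
    across all files, so per-subnet reports recombine into one ranking that is
    not subject to the 500-row cap of a single report."""
    totals: Dict[str, int] = defaultdict(int)
    for row in iter_rows(csv_texts):
        if not _is_app(row, app):
            continue
        key = (row.get(USER_COL) or "").strip() or (row.get(SRC_COL) or "").strip()
        try:
            totals[key] += int((row.get(BYTES_COL) or "0").strip() or 0)
        except ValueError:  # malformed byte count; skip rather than abort
            continue
    return dict(sorted(totals.items(), key=lambda kv: kv[1], reverse=True))


def split_for_excel(csv_texts: Iterable[str], max_rows: int = 1_048_576) -> List[str]:
    """Re-emit the rows as CSV chunks of at most `max_rows` lines each
    (header included), the limit Excel enforces per worksheet."""
    chunks: List[str] = []
    header: List[str] = []
    buf = None
    writer = None
    n = 0
    for row in iter_rows(csv_texts):
        if not header:
            header = list(row.keys())
        if buf is None:
            buf = io.StringIO()
            writer = csv.DictWriter(buf, fieldnames=header, extrasaction="ignore",
                                    lineterminator="\n")
            writer.writeheader()
            n = 0
        writer.writerow(row)
        n += 1
        if n >= max_rows - 1:  # header occupies one of the max_rows lines
            chunks.append(buf.getvalue())
            buf = None
    if buf is not None:
        chunks.append(buf.getvalue())
    return chunks


if __name__ == "__main__":
    files = [REPORT_10_0_0, REPORT_10_0_1]
    users, ips = unique_sources(files, "facebook-base")
    print(f"facebook-base: {len(users)} unique users, {len(ips)} unique source IPs")
    for who, total in bytes_per_user(files, "facebook-base").items():
        print(f"{total:>8}  {who}")
```

To use it against real exports, replace the two constructed strings with `open(path).read()` for each CSV you downloaded (or pass file objects into `csv.DictReader` directly for multi-gigabyte logs). Filtering on the application again in the script is deliberate: it lets a raw traffic-log export and several pre-filtered custom reports be fed through the same functions.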