Current session/connection information by subnet

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Current session/connection information by subnet

Not applicable

Hi

We're trying to isolate the source of some high session traffic in one of our regions. This is showing up in our exterior firewall connection count, and also on our PA device which is in line.

I can see the sessions by using the command line tools and filtering to see which interface/zones/application they're from, but I can find no way of narrowing down which networks the sessions are coming from.

The IP information is available in the session info, but for instance I can't seem to do a search based on IP masks .e.g. "show session all count yes filter source 192.168.100.0/24" would show me a total session count for anything originating in that network - I'm limited to individual addresses. The same appears true for the Session Browser in the GUI.

Is there a way of filtering by source network for current session info? Can I export a session browser view and analyse it elsewhere? Any other ideas?

Regards

John Bousfield

5 REPLIES 5

L3 Networker

if you are using plain /24 or /16 mask , you can use the match command :

e.g. :

show session all filter | match 192.168.1.

Hi

That's a useful command to know, but doesn't resolve my query unfortunately because I can't then do a count on that result. I just get a list of the matching entries.

I tried outputting the result of "show session all filter from zone_name" to log, then counting the lines, but they do not match the "count yes" argument results by a factor for 10 - e.g. lines are ~2000, count is 20,000. I'm not sure I can trust the results in that case

Any other alternatives?

Regards

John

I guess you could also make a dedicated (temporary) firewall rule for the specific traffic you are interested in and then do a :

show session all filter rule xxx

L4 Transporter

In the gui you can filter traffic using subnets. You can click on a sigle IP  in the traffic log that is showing the behavior you are investigating to add it to the filter. Then edit the IP from 10.10.10.10 to 10.10.0.0/16.

The CLI does not support this.

Steve Krall

Retired Member
Not applicable

In "show session all filter ... " command, there is also count option.

Example:

admin@PAN> show session all filter count yes source 192.168.22.201
Number of sessions that match filter: 2

But you cannot do subnets with that and this only looks at sessions which are active at that time. Otherwise best option is to export your traffic logs as CSV and use MS Excel or similar to sort and count.

-Richard

  • 3960 Views
  • 5 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!