09-26-2011 07:08 AM
Hi
We're trying to isolate the source of some high session traffic in one of our regions. This is showing up in our exterior firewall connection count, and also on our PA device which is in line.
I can see the sessions by using the command line tools and filtering to see which interface/zones/application they're from, but I can find no way of narrowing down which networks the sessions are coming from.
The IP information is available in the session info, but for instance I can't seem to do a search based on IP masks, e.g. "show session all count yes filter source 192.168.100.0/24" would show me a total session count for anything originating in that network - I'm limited to individual addresses. The same appears true for the Session Browser in the GUI.
Is there a way of filtering by source network for current session info? Can I export a session browser view and analyse it elsewhere? Any other ideas?
Regards
John Bousfield
09-27-2011 12:26 AM
If you are using a plain /24 or /16 mask, you can use the match command:
e.g.:
show session all filter | match 192.168.1.
09-27-2011 02:15 AM
Hi
That's a useful command to know, but doesn't resolve my query unfortunately because I can't then do a count on that result. I just get a list of the matching entries.
I tried outputting the result of "show session all filter from zone_name" to log, then counting the lines, but they do not match the "count yes" argument results by a factor of 10 - e.g. lines are ~2000, count is 20,000. I'm not sure I can trust the results in that case.
Any other alternatives?
Regards
John
09-27-2011 02:19 AM
I guess you could also make a dedicated (temporary) firewall rule for the specific traffic you are interested in and then do a:
show session all filter rule xxx
09-30-2011 11:31 AM
In the GUI you can filter traffic using subnets. You can click on a single IP in the traffic log that is showing the behavior you are investigating to add it to the filter. Then edit the IP from 10.10.10.10 to 10.10.0.0/16.
The CLI does not support this.
Steve Krall
09-30-2011 08:40 PM
In the "show session all filter ..." command, there is also a count option.
Example:
admin@PAN> show session all filter count yes source 192.168.22.201
Number of sessions that match filter: 2
But you cannot do subnets with that and this only looks at sessions which are active at that time. Otherwise best option is to export your traffic logs as CSV and use MS Excel or similar to sort and count.
-Richard
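Both the "| match" suggestion earlier in the thread and the CSV-export suggestion above leave the counting to you. The script below is an added example (not code from the thread or from Palo Alto Networks) that does that counting offline with CIDR-aware matching: it pulls the source address out of each session record in pasted "show session all" output, or out of an exported traffic-log CSV, and counts per /24 (or any prefix length), optionally restricted to one supernet. Assumptions: the source column is printed as "IP[port]/zone/proto" and only on a session's first output line (adjust the regex for your PAN-OS version), the CSV column is named "Source address", and both samples are constructed, not real captures. It also includes a plain substring match over the output, to show why "| match 192.168.100." can count destination and NAT addresses as well as sources.

```python
"""Count PAN-OS sessions per source network from pasted CLI output or an
exported traffic-log CSV.  Added example; the session-output layout and the
CSV column name are assumptions, not taken from the thread."""
import csv
import io
import ipaddress
import re
from collections import Counter

# Assumed layout of the source column in "show session all":
# "<src-ip>[<sport>]/<zone>/<proto>".  Only a session's first line carries
# it; the vsys/destination line and the separator lines do not, so keying on
# this token counts session records rather than raw output lines.
SRC_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})\[\d+\]/\S+/\d+")

# Constructed sample output (not a real capture) in that assumed layout.
SAMPLE_CLI = """\
--------------------------------------------------------------------------------
ID      Application    State   Type Flag  Src[Sport]/Zone/Proto (translated IP[Port])
Vsys                                      Dst[Dport]/Zone (translated IP[Port])
--------------------------------------------------------------------------------
41001   ssl            ACTIVE  FLOW  NS   192.168.100.15[51234]/trust/6  (203.0.113.5[51234])
vsys1                                     198.51.100.20[443]/untrust  (198.51.100.20[443])
41002   dns            ACTIVE  FLOW  NS   192.168.100.16[40000]/trust/17  (203.0.113.5[40000])
vsys1                                     198.51.100.53[53]/untrust  (198.51.100.53[53])
41003   web-browsing   ACTIVE  FLOW  NS   192.168.101.7[50000]/trust/6  (203.0.113.5[50000])
vsys1                                     198.51.100.80[80]/untrust  (198.51.100.80[80])
41004   ssh            ACTIVE  FLOW  NS   10.0.0.5[22222]/dmz/6  (10.0.0.5[22222])
vsys1                                     192.168.100.20[22]/trust  (192.168.100.20[22])
"""

# Constructed sample of a traffic-log CSV export; the "Source address" header
# is an assumption about the export format.
SAMPLE_CSV = """\
Receive Time,Source address,Destination address,Application,Bytes
2011/09/26 07:00:01,192.168.100.15,198.51.100.20,ssl,1200
2011/09/26 07:00:02,192.168.100.31,198.51.100.53,dns,90
2011/09/26 07:00:03,192.168.101.7,198.51.100.80,web-browsing,4500
2011/09/26 07:00:04,10.0.0.5,192.168.100.20,ssh,300
"""


def source_ips_from_cli(text):
    """Yield the source IP of each session record in pasted CLI output."""
    for line in text.splitlines():
        m = SRC_RE.search(line)
        if m:
            yield m.group(1)


def source_ips_from_csv(text, column="Source address"):
    """Yield source IPs from a traffic-log CSV export (column name assumed)."""
    for row in csv.DictReader(io.StringIO(text)):
        ip = (row.get(column) or "").strip()
        if ip:
            yield ip


def count_by_network(ips, prefixlen=24, within=None):
    """Count addresses per /prefixlen network, keyed by CIDR string.

    `within` (e.g. "192.168.0.0/16") restricts the count to one supernet,
    which is the subnet filter the CLI "filter source" does not accept.
    Unparseable or IPv6 entries are skipped rather than counted."""
    scope = ipaddress.ip_network(within, strict=False) if within else None
    counts = Counter()
    for ip in ips:
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue
        if addr.version != 4 or (scope is not None and addr not in scope):
            continue
        net = ipaddress.ip_network(f"{addr}/{prefixlen}", strict=False)
        counts[str(net)] += 1
    return counts


def count_in_network(ips, network):
    """Sessions whose source falls inside `network`: the CIDR-aware equivalent
    of 'show session all filter count yes source <net>'."""
    net = ipaddress.ip_network(network, strict=False)
    return sum(count_by_network(ips, net.prefixlen, network).values())


def matching_lines(text, needle):
    """Emulate '| match <needle>': count every output line containing the text.
    Destination and NAT addresses match too, so this is not a source count."""
    return sum(1 for line in text.splitlines() if needle in line)


if __name__ == "__main__":
    cli_ips = list(source_ips_from_cli(SAMPLE_CLI))
    print("sessions per /24 (CLI):", dict(count_by_network(cli_ips)))
    print("sessions from 192.168.100.0/24:",
          count_in_network(cli_ips, "192.168.100.0/24"))
    print("lines matching '192.168.100.':",
          matching_lines(SAMPLE_CLI, "192.168.100."))
    print("log entries per /24 (CSV):",
          dict(count_by_network(source_ips_from_csv(SAMPLE_CSV))))
```

On the constructed sample, the CIDR count for 192.168.100.0/24 is 2 sessions, while a substring match on "192.168.100." hits 3 lines, because the SSH session from 10.0.0.5 has a destination in that subnet. In the assumed layout each session also spans two output lines, which is one reason a raw line count and "count yes" can disagree; the parser avoids that by keying on the source token rather than counting lines. For real use, paste the CLI output (or read the exported CSV) into the sample variables, or replace them with open(...).read().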