We're trying to isolate the source of some high session traffic in one of our regions. This is showing up in our exterior firewall connection count, and also on our PA device which is in line.
I can see the sessions by using the command line tools and filtering to see which interface/zones/application they're from, but I can find no way of narrowing down which networks the sessions are coming from.
The IP information is available in the session info, but for instance I can't seem to do a search based on IP masks, e.g. "show session all count yes filter source 192.168.100.0/24" would show me a total session count for anything originating in that network - I'm limited to individual addresses. The same appears true for the Session Browser in the GUI.
Is there a way of filtering by source network for current session info? Can I export a session browser view and analyse it elsewhere? Any other ideas?
That's a useful command to know, but doesn't resolve my query unfortunately because I can't then do a count on that result. I just get a list of the matching entries.
I tried outputting the result of "show session all filter from zone_name" to log, then counting the lines, but they do not match the "count yes" argument results by a factor of 10 - e.g. lines are ~2000, count is 20,000. I'm not sure I can trust the results in that case.
Any other alternatives?
In the "show session all filter ... " command, there is also a count option.
admin@PAN> show session all filter count yes source 192.168.22.201
Number of sessions that match filter: 2
But you cannot do subnets with that, and this only looks at sessions which are active at that time. Otherwise, the best option is to export your traffic logs as CSV and use MS Excel or similar to sort and count.
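As an alternative to Excel for the CSV route suggested above, the following added example (not part of the original thread) counts exported log rows per source network in Python. The column name "Source address" and the sample rows are assumptions constructed for illustration; adjust `column` to match the header in your export.

```python
import csv
import io
import ipaddress
from collections import Counter

# Constructed sample export; the "Source address" column name is an assumption.
SAMPLE_CSV = """Source address,Destination address,Application,Source Zone
192.168.100.10,203.0.113.5,web-browsing,trust
192.168.100.77,203.0.113.9,ssl,trust
192.168.100.10,198.51.100.20,dns,trust
192.168.22.201,203.0.113.5,ssl,trust
10.1.4.9,198.51.100.20,dns,dmz
not-an-ip,198.51.100.20,dns,dmz
"""

def count_by_network(rows, networks=(), fallback_prefix=24, column="Source address"):
    """Count rows per source network.

    Sources inside one of `networks` are counted under the most specific
    (longest-prefix) match; everything else is bucketed by `fallback_prefix`.
    Rows with a missing or unparsable address are tallied under "invalid".
    """
    nets = sorted((ipaddress.ip_network(n) for n in networks),
                  key=lambda n: n.prefixlen, reverse=True)
    counts = Counter()
    for row in rows:
        try:
            addr = ipaddress.ip_address((row.get(column) or "").strip())
        except ValueError:
            counts["invalid"] += 1
            continue
        match = next((n for n in nets if addr.version == n.version and addr in n), None)
        if match is None:
            # strict=False masks the host bits to get the enclosing network
            match = ipaddress.ip_network(f"{addr}/{fallback_prefix}", strict=False)
        counts[str(match)] += 1
    return counts

def count_csv(text, **kwargs):
    """Parse CSV text with a header row and count rows per source network."""
    return count_by_network(csv.DictReader(io.StringIO(text)), **kwargs)

if __name__ == "__main__":
    known = ["192.168.0.0/16", "192.168.100.0/24"]
    for net, n in count_csv(SAMPLE_CSV, networks=known).most_common():
        print(f"{n:6d}  {net}")
```

For a real export, pass `csv.DictReader(open(path, newline=""))` to `count_by_network`; a large "invalid" count usually means the column name does not match the file's header.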