Custom Report; 'bytes' per 'vlan'/ '/24 subnet' with ? monitor tag ?

L3 Networker

Hi all,

 

I have a simple 'tenanted' environment.  A /24 subnet represents a tenant behind the trust of my PAN.

I want a simple report that shows 'traffic' over the last calendar month of that /24.

I think this is simple by applying a 'monitor tag' per subnet.  And then tagging my basic permit rules that match that source condition match of that /24 with that 'monitor tag'.

But this 'sort by' and 'group by' is annoying.  I don't want to sort or group by anything.

I literally want a 'database = traffic' based custom report where selected columns are (top down)

- Monitor Tag
- Source address
- Destination address
- Bytes

with no grouping.

See what I'm trying to do?

The sort by is giving me a finite display of rows.  I just want a total bytes of every vlan/subnet.

Any suggestions from the community?

Accepted Solutions

These tags are only for tagging objects/rules. This way you are able to search for a tag and your firewall/Panorama will show all related things. Or, as you probably meant, create a tag per tenant and use this tag to identify the specific tenant rules. The tags cannot be used for log queries.

But if you go the way with the API you have to use the filter (addr.src in tenant/24) and then use the logs returned by the API to calculate the things you need.

 

Here is a very simplified option for how I think this can be solved (pseudo code):

 

    # get-fw-logs is a placeholder for whatever wraps your API call; it is given the log filter as a string
    $logs = get-fw-logs '(addr.src in 10.0.0.0/24) and (action eq allow)'
    # start the counter at zero; without the assignment the cast alone does not create the variable
    [int64]$bytes = 0
    foreach ($entry in $logs) {
        $bytes += $entry.bytes
    }

 

Depending on how many logs you have there will also be some more problems, because the API will return entries up to a specified max. (Which I can't remember right now.) So you probably have to issue more than one query to get all the logs you need.
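A worked version of the idea in the accepted solution, as an added example that is not code from the original thread or from any Palo Alto Networks tool. It assumes the PAN-OS XML API log query parameters (type=log, log-type=traffic, query, nlogs, skip) and a traffic-log entry layout with src, dst, bytes and action elements; the two sample log pages, the tenant map and the fake_fetch_page stand-in for the HTTP call are constructed. It goes beyond the single-subnet sum in the post: it pages through the results with skip/nlogs until a short page comes back, and keys the byte totals by tenant /24, which is the 'monitor tag' column the original poster wanted, kept in the script because tags cannot be used as log filters.

```python
"""Sum allowed traffic-log bytes per tenant /24 from paged PAN-OS XML API log results."""
import ipaddress
import xml.etree.ElementTree as ET
from collections import defaultdict
from typing import Callable, Dict, Iterator, List, Tuple

# Constructed tenant map: stands in for the per-tenant 'monitor tag', since the
# tag lives on the rule object and cannot be used in a log query filter.
TENANTS: Dict[str, ipaddress.IPv4Network] = {
    "tenant-a": ipaddress.ip_network("10.0.0.0/24"),
    "tenant-b": ipaddress.ip_network("10.0.1.0/24"),
}

# Constructed sample pages in the assumed shape of the XML API log result
# (<response><result><log><logs><entry>...). Fields trimmed to what we need.
_PAGES: List[str] = [
    """<response status="success"><result><log><logs count="3" progress="100">
<entry logid="1"><src>10.0.0.5</src><dst>203.0.113.10</dst><bytes>1500</bytes><action>allow</action></entry>
<entry logid="2"><src>10.0.0.9</src><dst>203.0.113.20</dst><bytes>2500</bytes><action>allow</action></entry>
<entry logid="3"><src>10.0.1.7</src><dst>203.0.113.10</dst><bytes>4000</bytes><action>allow</action></entry>
</logs></log></result></response>""",
    """<response status="success"><result><log><logs count="2" progress="100">
<entry logid="4"><src>10.0.1.8</src><dst>203.0.113.30</dst><bytes>600</bytes><action>allow</action></entry>
<entry logid="5"><src>192.168.50.3</src><dst>203.0.113.30</dst><bytes>999</bytes><action>deny</action></entry>
</logs></log></result></response>""",
]

# The real API caps nlogs per query (5000 in the PAN-OS XML API docs); 3 keeps the sample short.
PAGE_SIZE = 3


def fake_fetch_page(query: str, nlogs: int, skip: int) -> str:
    """Stand-in for the HTTP call, returning the constructed page for this skip offset.

    A real fetcher would GET
      /api/?type=log&log-type=traffic&query=<query>&nlogs=<nlogs>&skip=<skip>&key=<API key>
    which returns a job id, then poll type=log&action=get&job-id=<id> until the
    job finishes (assumed API shape; check the XML API reference for your version).
    """
    index = skip // nlogs
    if index < len(_PAGES):
        return _PAGES[index]
    return '<response status="success"><result><log><logs count="0" progress="100"></logs></log></result></response>'


def parse_entries(xml_text: str) -> List[Tuple[str, str, int, str]]:
    """Pull (src, dst, bytes, action) out of one result page."""
    root = ET.fromstring(xml_text)
    return [
        (e.findtext("src", ""), e.findtext("dst", ""),
         int(e.findtext("bytes", "0")), e.findtext("action", ""))
        for e in root.iter("entry")
    ]


def iter_all_entries(fetch: Callable[[str, int, int], str], query: str,
                     nlogs: int = PAGE_SIZE) -> Iterator[Tuple[str, str, int, str]]:
    """Page through the query with skip/nlogs; a page shorter than nlogs is the last one."""
    skip = 0
    while True:
        entries = parse_entries(fetch(query, nlogs, skip))
        yield from entries
        if len(entries) < nlogs:
            return
        skip += nlogs


def tenant_for(src: str) -> str:
    """Map a source address to its tenant /24, or 'untagged' if no tenant owns it."""
    addr = ipaddress.ip_address(src)
    for tag, net in TENANTS.items():
        if addr in net:
            return tag
    return "untagged"


def bytes_per_tenant(fetch: Callable[[str, int, int], str],
                     query: str = "(action eq allow)", nlogs: int = PAGE_SIZE) -> Dict[str, int]:
    """One row per tenant: total bytes of allowed sessions sourced from that /24."""
    totals: Dict[str, int] = defaultdict(int)
    for src, _dst, nbytes, action in iter_all_entries(fetch, query, nlogs):
        if action != "allow":  # the query filters server-side; this guards a looser query
            continue
        totals[tenant_for(src)] += nbytes
    return dict(totals)


if __name__ == "__main__":
    for tag, total in sorted(bytes_per_tenant(fake_fetch_page).items()):
        print(f"{tag}\t{total}")
```

To run it against a firewall, replace fake_fetch_page with a function that performs the query and job retrieval described in its docstring, add the time window for the calendar month to the query string, and widen TENANTS as tenants are added; each new /24 becomes one more row without any change to the aggregation.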

 


5 REPLIES

L7 Applicator

I'm not sure if I understood your requirements correctly. Do you need almost the raw traffic log? Or the cumulated traffic/bytes per src:dst ip pair? Or more like subnet:dst ip pair?

I'd love to be able to:

1. Tag all my policies that match a source condition of a tenant /24 with a tag. I.e. (some have some whitelisting of 'org wide prohibited apps', above an org wide block list of, say, Spotify, etc.) .. so I would have 2 or 3 rules above & beyond the sourceNAT allow at the bottom.

2. Then, based on that tag, I want to build a custom report of cumulative BYTES showing columns of: 1. that tag, 2. source IP, 3. destination IP, 4. bytes for the 'calendar month'.

3. No grouping or filtering. Just cumulative BYTES on that tag. If I have 100 tags then I have 100 rows.

100 rows, 4 columns.

If I tack on additional tenants.. then rows will grow, but the 4 columns remain static.

What if you set the group by to "Rule" and the number to as many as you need, and add the columns "rule" and "bytes" to the report? This way (if you have only one rule / tenant) it will give you what you need, right?

 

But I assume that you have more than one rule / tenant, so to get exactly what you need I think you have the following options:

  • Use an external log analyzing software like Splunk
  • Create 1 custom report / tenant, collect the outputs with a script periodically with the API and let the same script merge the outputs from the different custom reports into one file (for example csv)
  • Use the API to build a totally custom solution where you create a script to parse the logs and get the information you need, doing things like cumulating the bytes for every entry / tenant
  • Reach out to your SE to create a Feature Request and wait ...

I reckon leveraging the API is the best bet.

But tell me.. how does the 'Monitor Tag' work?

That will be key in querying against when parsing and summating manually in the API... me thinks (for my use case/requirement for the report).

But the reference to the humble 'tag' in PANOS 8.0 doco references it only to 'SaaS Application Usage'? 😕

https://www.paloaltonetworks.com/documentation/80/pan-os/web-interface-help/objects/objects-tags
