06-04-2017 03:50 AM - edited 06-04-2017 03:59 AM
Hi all,
I have a simple 'tenanted' environment. A /24 subnet represents a tenant behind the trust of my PAN.
I want a simple report that shows 'traffic' over the last calendar month of that /24.
I think this is simple: apply a 'monitor tag' per subnet, and then tag my basic permit rules that match the source condition of that /24 with that 'monitor tag'.
But this 'sort by' and 'group by' is annoying. I don't want to sort or group by anything.
I literally want a 'database = traffic' based custom report where selected columns are (top down)
- Monitor Tag
- Source address
- Destination address
- Bytes
with no grouping.
See what I'm trying to do?
The sort by is giving me a finite display of rows. I just want a total bytes of every vlan/subnet.
Any suggestions from the community?
06-04-2017 10:59 AM
I'm not sure if I understood your requirements correctly. Do you need almost the raw traffic log? Or the cumulated traffic/bytes per src:dst ip pair? Or more like subnet:dst ip pair?
06-04-2017 06:16 PM
I'd love to be able to,
1. Tag all my policies that match a source condition of a tenant /24 with a tag. I.e. some have some whitelisting of 'org wide prohibited apps', above an org wide block list of, say, Spotify, etc., so would have 2 or 3 rules above & beyond the source NAT allow at the bottom.
2. then based on that tag want to build a custom report of cumulative BYTES showing columns of, 1. That tag, 2. Source IP, 3. Destination IP, 4. Bytes for 'calendar month'.
3. no grouping or filtering. Just cumulative BYTES on that tag. If I have 100 tags then I have 100 rows.
100 rows, 4 columns.
If I tack on additional tenants.. then rows will grow, but 4 columns remain/are static.
06-05-2017 03:34 AM
What if you set the group by to "Rule", and the number to as many as you need and add the columns "rule" and "bytes" to the report. This way (if you have only one rule / tenant) it will give you what you need right?
But I assume that you have more than one rule / tenant, so to get exactly what you need I think you have the following options:
06-05-2017 04:35 AM
I reckon leveraging the API is the best bet.
But tell me.. how does the 'Monitor Tag' work ?
That will be key in querying against when parsing and summating manually in the API... me thinks (for my use case/requirement for the report).
But the reference to the humble 'tag' in PANOS 8.0 doco references it only to 'SaaS Application Usage' ? 😕
https://www.paloaltonetworks.com/documentation/80/pan-os/web-interface-help/objects/objects-tags
06-05-2017 04:58 AM
These tags are only for tagging objects/rules. This way you are able to search for a tag and your firewall/Panorama will show all related things. Or, as you probably meant, create a tag per tenant and use this tag to identify the specific tenant rules. The tags cannot be used for log queries.
But if you go the way with the API you have to use the filter (addr.src in tenant/24) and then use the logs returned by the API to calculate the things you need.
Here is a very simplified option how I think this can be solved (pseudo code):
# get-fw-logs is a placeholder for whatever wraps the firewall's log API query
$logs = get-fw-logs "(addr.src in 10.0.0.0/24) and (action eq allow)"
[int64]$bytes = 0
foreach ($entry in $logs) {
    $bytes += [int64]$entry.bytes
}
Depending on how many logs you have there will also be some more problems, because the API will return entries up to a specified max (which I can't remember right now). So you probably have to issue more than one query to get all the logs you need.
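To make the approach above concrete, here is an added example (not code from the thread or from Palo Alto Networks) that does the whole job in Python: build the per-tenant log filter with a calendar-month window, page through the PAN-OS XML API log endpoint with nlogs/skip, and reduce the returned entries to the four columns the original poster asked for (tag, source, destination, bytes) plus a per-tenant total. Since tags cannot be used in a log query, the tenant-to-/24 map and the tag names are assumptions made here; the API parameters (type=log, log-type=traffic, query, nlogs, skip, then action=get with job-id) and the response layout follow my reading of the XML API, and the sample XML at the bottom is constructed so the aggregation can be exercised offline.

```python
"""Sum allowed traffic bytes per tenant /24 from PAN-OS traffic logs.

Added example for this thread, not the poster's or Palo Alto's code.
Assumes: the XML API log endpoint described in the PAN-OS docs, and a
hand-maintained tenant-to-subnet map (tags are not a log filter field).
"""
import ipaddress
import time
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET
from collections import defaultdict

MAX_NLOGS = 5000  # largest page the XML API returns per log query

# Assumed mapping: one /24 per tenant; the key stands in for the
# "monitor tag" column of the requested report.
TENANTS = {
    "tenant-a": ipaddress.ip_network("10.0.0.0/24"),
    "tenant-b": ipaddress.ip_network("10.0.1.0/24"),
}


def build_query(subnet, month_start, month_end):
    """Log filter in the firewall's own query syntax, bounded to one month."""
    return (f"(addr.src in {subnet}) and (action eq allow) and "
            f"(receive_time geq '{month_start}') and "
            f"(receive_time leq '{month_end}')")


def api_call(host, key, params):
    """One HTTPS call to /api/ returning the parsed XML root."""
    params = dict(params, key=key)
    url = f"https://{host}/api/?{urllib.parse.urlencode(params)}"
    with urllib.request.urlopen(url, timeout=60) as resp:  # keep TLS verification on
        return ET.fromstring(resp.read())


def fetch_page(host, key, query, skip):
    """Submit a log query job, poll until FIN, return the <logs> element."""
    root = api_call(host, key, {"type": "log", "log-type": "traffic",
                                "query": query, "nlogs": MAX_NLOGS,
                                "skip": skip})
    job_id = root.findtext("./result/job")
    while True:
        root = api_call(host, key, {"type": "log", "action": "get",
                                    "job-id": job_id})
        if root.findtext("./result/job/status") == "FIN":
            return root.find("./result/log/logs")
        time.sleep(1)


def fetch_all(host, key, query):
    """Walk pages with 'skip' until a page comes back short of MAX_NLOGS."""
    skip = 0
    while True:
        entries = list(fetch_page(host, key, query, skip).findall("entry"))
        yield from entries
        if len(entries) < MAX_NLOGS:
            return
        skip += MAX_NLOGS


def tenant_for(src):
    """Map a source IP to its tenant tag, or None if it is untenanted."""
    ip = ipaddress.ip_address(src)
    for tag, net in TENANTS.items():
        if ip in net:
            return tag
    return None


def aggregate(entries):
    """Return ({(tag, src, dst): bytes}, {tag: total_bytes})."""
    rows, totals = defaultdict(int), defaultdict(int)
    for e in entries:
        src, dst = e.findtext("src"), e.findtext("dst")
        tag = tenant_for(src)
        if tag is None:
            continue
        b = int(e.findtext("bytes") or 0)
        rows[(tag, src, dst)] += b
        totals[tag] += b
    return dict(rows), dict(totals)


# Constructed sample shaped like a finished log job result; not real data.
SAMPLE_XML = """<response status="success"><result>
<job><status>FIN</status></job>
<log><logs count="4" progress="100">
<entry><src>10.0.0.5</src><dst>8.8.8.8</dst><bytes>1500</bytes><action>allow</action></entry>
<entry><src>10.0.0.5</src><dst>8.8.8.8</dst><bytes>2500</bytes><action>allow</action></entry>
<entry><src>10.0.0.9</src><dst>1.1.1.1</dst><bytes>700</bytes><action>allow</action></entry>
<entry><src>10.0.1.7</src><dst>1.1.1.1</dst><bytes>300</bytes><action>allow</action></entry>
</logs></log></result></response>"""


def sample_report():
    """Run the aggregation over the constructed sample, offline."""
    logs = ET.fromstring(SAMPLE_XML).find("./result/log/logs")
    return aggregate(logs.findall("entry"))


if __name__ == "__main__":
    rows, totals = sample_report()
    for (tag, src, dst), b in sorted(rows.items()):
        print(f"{tag}\t{src}\t{dst}\t{b}")
    print(totals)
```

Against a live firewall you would call fetch_all(host, key, build_query(net, start, end)) once per entry in TENANTS and feed the entries to aggregate(); the skip-based paging is what addresses the per-query maximum mentioned above. Treat the API key like a password (read-only admin role, not embedded in the script), and filter on action at the firewall rather than client-side so denied sessions never inflate a tenant's byte count.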