Find cause origin saturation interface

L3 Networker

Hi,

When we detect that a communications channel is saturated because someone or something is downloading a large file or occupying the entire bandwidth, we do not know how to see in real time, in the web interface of a PA-500 (firmware 7.1.6), what is happening.

It is only possible to see it once the communication has ended. That is, if I download a 100 GB file. Until the file is downloaded

I tried it in the "Monitor / Traffic" tab or in the ACC / Network Activity / Last 15 minutes tab.

I know that by exporting the traffic through NetFlow to a program that analyzes this type of traffic it is possible to see it.

Is there any way to see it in Palo Alto, even if it is by the command line?

Our intention is to know who or what protocol is occupying the traffic at the time of detecting it.

Thank you


Accepted Solutions
L7 Applicator

ACC data is delayed by a bit. Its data comes from session logs, which only get recorded after the session has ended.

 

You can check the active sessions though, which will give you an idea of what's going on. It's available in the CLI and under Monitor > Session Browser. You won't be able to see only sessions over, say, 50 GB, because the largest minimum size you can specify is 1 GB.

 

In the Session Browser on the GUI, use this to see active sessions larger than 1 GB:

(min-kb eq '1000000')

 

Similarly, in the CLI, you can use:

show session all filter min-kb 1000000

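The Session Browser and `show session all filter min-kb 1000000` show cumulative byte counts per live session, which is what the poster above is pointing at. The following added example (not from the thread, not Palo Alto code) shows how to do the same thing programmatically: it builds the XML form of that CLI command for the PAN-OS XML API (`type=op&cmd=...`, authenticated with an API key), parses the session list the API returns, ranks sessions by bytes, totals them per source and per application, and, because `<total-byte-count>` only ever grows, takes two snapshots a few seconds apart to estimate who is moving data right now. Assumptions, to be checked on your own firewall (for instance with `debug cli on`): the element names `<entry>`, `<idx>`, `<source>`, `<dst>`, `<application>`, `<security-rule>` and `<total-byte-count>` in the 7.x session output, and the op-command XML. The two snapshots are constructed inline so the script runs offline; the HTTPS request itself is left out.

```python
"""Rank live PAN-OS sessions by bytes and estimate their current rate.

Added example (not from the original thread). It parses the XML that the
PAN-OS XML API returns for the op command behind
`show session all filter min-kb 1000000` and summarises the result.
Assumptions: element names <entry>, <idx>, <source>, <dst>, <application>,
<security-rule>, <total-byte-count> as found in 7.x session output; the
sample snapshots below are constructed, not captured from a firewall.
"""
from collections import defaultdict
from typing import Dict, List, Tuple
import xml.etree.ElementTree as ET


def build_op_cmd(min_kb: int) -> str:
    """XML form of `show session all filter min-kb <n>` for the API's
    type=op&cmd= parameter (assumed; confirm with `debug cli on`)."""
    return ("<show><session><all><filter>"
            f"<min-kb>{int(min_kb)}</min-kb>"
            "</filter></all></session></show>")


def parse_sessions(xml_text: str) -> List[Dict]:
    """Turn the <response><result><entry>... document into dicts."""
    def text(entry, tag, default=""):
        node = entry.find(tag)
        return node.text.strip() if node is not None and node.text else default

    out = []
    for entry in ET.fromstring(xml_text).iter("entry"):
        out.append({
            "idx": text(entry, "idx"),
            "source": text(entry, "source"),
            "dst": text(entry, "dst"),
            "application": text(entry, "application"),
            "rule": text(entry, "security-rule"),
            "bytes": int(text(entry, "total-byte-count", "0")),
        })
    return out


def top_sessions(sessions: List[Dict], n: int = 5) -> List[Dict]:
    """The n sessions that have moved the most bytes since they started."""
    return sorted(sessions, key=lambda s: s["bytes"], reverse=True)[:n]


def bytes_by(sessions: List[Dict], key: str) -> List[Tuple[str, int]]:
    """Total bytes grouped by one field (source, application, rule...)."""
    totals = defaultdict(int)
    for s in sessions:
        totals[s[key]] += s["bytes"]
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)


def rate_between(prev: List[Dict], curr: List[Dict], seconds: float) -> Dict[str, float]:
    """Bytes/second per session from two snapshots. <total-byte-count> is
    cumulative, so only the delta tells you who is busy *now*; sessions that
    appear in just one snapshot have no baseline and are skipped."""
    before = {s["idx"]: s["bytes"] for s in prev}
    return {s["idx"]: (s["bytes"] - before[s["idx"]]) / seconds
            for s in curr if s["idx"] in before}


def sample_snapshot(rows) -> str:
    """Constructed stand-in for the API response (same element names)."""
    entries = "".join(
        f"<entry><idx>{idx}</idx><source>{src}</source><dst>{dst}</dst>"
        f"<application>{app}</application><security-rule>allow-outbound</security-rule>"
        f"<total-byte-count>{nbytes}</total-byte-count><state>ACTIVE</state></entry>"
        for idx, src, dst, app, nbytes in rows)
    return f'<response status="success"><result>{entries}</result></response>'


# Constructed sample data: three sessions above the 1 GB filter threshold.
SNAPSHOT_T0 = sample_snapshot([
    (105, "10.1.1.23", "203.0.113.10", "ms-update", 48_500_000_000),
    (212, "10.1.1.45", "198.51.100.7", "ssl", 1_250_000_000),
    (307, "10.1.1.23", "192.0.2.55", "ssl", 3_100_000_000),
])
# Ten seconds later: 105 keeps pulling, 212 is idle, 307 has ended, 410 is new.
SNAPSHOT_T1 = sample_snapshot([
    (105, "10.1.1.23", "203.0.113.10", "ms-update", 49_100_000_000),
    (212, "10.1.1.45", "198.51.100.7", "ssl", 1_250_400_000),
    (410, "10.1.1.77", "192.0.2.9", "web-browsing", 2_000_000_000),
])

if __name__ == "__main__":
    print("op cmd:", build_op_cmd(1_000_000))
    t0, t1 = parse_sessions(SNAPSHOT_T0), parse_sessions(SNAPSHOT_T1)
    print("\nLargest sessions so far:")
    for s in top_sessions(t1, 3):
        print(f"  idx {s['idx']:>5}  {s['source']:>12} -> {s['dst']:<14} "
              f"{s['application']:<13} {s['bytes'] / 1e9:7.2f} GB")
    print("\nBytes by source:", bytes_by(t1, "source"))
    print("Bytes by application:", bytes_by(t1, "application"))
    print("\nCurrent rate over 10 s (MB/s):")
    for idx, bps in sorted(rate_between(t0, t1, 10).items(), key=lambda kv: -kv[1]):
        print(f"  idx {idx}: {bps / 1e6:.2f}")
```

The two-snapshot step is the part that answers "who is saturating the link at this moment": a session that has moved 48 GB over the last day ranks first by total bytes but may be idle, while the session whose counter jumped 600 MB in the last ten seconds is the one to look at. Keep the interval short (a few seconds) and note that a session that ends between snapshots disappears from the table and falls through to the ACC and traffic logs, which is where the original poster was only able to see it.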

Cyber Elite

Hello,

Another option would be to use NetFlow. While you would have to set up a server for it, it will provide good details as to what you are looking for.

 

Regards,


L4 Transporter

You can also enable QoS on a physical interface (you don't need to actually use it for anything, just enable it). This will then activate a Statistics link on the Network --> QoS page for that interface. If you click that link, you get a real-time view of the network traffic passing through that physical interface. And there are sub-tabs in that dialog that show the Applications, Source/Destination Users, Security Policies, and QoS Policies that are generating the traffic. The data displayed is for the last 60 seconds worth of traffic, I believe.


All Replies
L7 Applicator

One easy way to see live interface utilization is a Chrome add-on called pan(w)achrome.

This can show when utilization is up, and then you can use the commands @gwesson provided to find the session.

 

Also good idea to apply QoS.

Enterprise Architect @ Cloud Carib www.cloudcarib.com
ACE, PCNSE, PCNSI
Cyber Elite

@Sistemas_SanLucar,

pan(w)achrome is really helpful in this situation and is something that can be easily monitored throughout the day to see if this is an actual issue, before you actually need to start monitoring through @gwesson commands. 

The best idea though is to follow @Raido's suggestion and apply QoS to this traffic to avoid the problem in the first place.

L3 Networker

Great!

 

Thank you
