04-07-2015 06:11 AM
If a Palo Alto firewall is experiencing high throughput, what's the best way to find the source user/IP while the high throughput is occurring?
We have all of our security policies set to log on session end, so that traffic log wouldn't help since the session would still be open.
The Session Browser kind of helps, but the inability to filter for time and the maximum size for the "bytes" filter being 1GB makes it so I still need to comb through a lot of open sessions.
04-10-2015 07:45 AM
Hi,
For the source users, you can go in the Network tab, then click on QoS on the left and click on the Statistics link of the interface you want to inspect. In the popup window, click on the Source Users tab and you should see recent egress bandwidth per user. You probably guessed it will only work if QoS is activated on the corresponding interface. It's not perfect, but it's better than nothing.
Regards,
Benjamin
04-10-2015 09:11 AM
I highly recommend that you start in the ACC. (second tab in the GUI)
Make sure that you adjust the time, choose bytes and then how many lines and hit the green arrow to the right ->
From there you can continue to drill down on the application, then the user, etc, etc, it will be very telling, and you will find yourself coming back to the ACC a lot after this.
I hope this helps,
Joe Delio
Community Team
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
