08-10-2016 09:33 PM
I got why huge traffic is coming to port 3978. The application is identified as Panorama.
It's huge GBs of traffic in one session.
The source IP is the firewall management IP and the destination is the Panorama IP.
But why I need to kill this session: we have a setup of 2 ISPs. We prefer this traffic should go through 1 ISP only.
That we accomplish through PBF rules to 1 ISP; we use the port in PBF. However there are 2 issues in this:
1) As per PBF session handling, the first few packets will go through the normal routing table and won't take PBF until the application is identified. In this case, as it is Panorama traffic, it is a never-ending session.
So this stays at 1 ISP only (not the ISP we define in PBF). We have to manually kill the session and then the next session will take the 2nd ISP.
2) Another scenario: let's assume my 1st ISP is down, then Panorama traffic will take the 2nd ISP (non-preferred). But even if the 1st ISP comes up, as Panorama is a never-ending session, it will continue on the 2nd ISP until we clear it manually.
Can anyone have suggestions on this?
08-11-2016 04:42 AM
Unfortunately I don't think there's an easy fix, as the backend connection to Panorama is kept open continuously.
You could try setting a static route for a single IP instead of the PBF policy for this specific issue.
One bit of good news may be that the traffic to Panorama should not be that big: when the session ends, the total byte count is added for the complete duration of the single session, which could be weeks to even months of data all added into 1 byte count. If you do see excessive bandwidth usage, you can opt to tone down log forwarding to only the critical logs.
08-11-2016 10:30 PM
Two suggestions: First, don't use application as a matching criterion in PBF. As you indicated, it needs to look at some packets before it determines the application, by which time it's too late. Instead, just use source & destination.
Second, if the fix above works, then your path monitoring rule should see that the ISP is down and automatically switch to the second ISP.