How to report traffic logs for a specific rule?

L3 Networker

Hello,

I have defined several specific policies to allow traffic through my PA device.

I have also created a rule that allows any traffic (at the end) so as not to impact current traffic.

My idea is to be able to identify all traffic that flows through my device through this "allow any" rule and then create specific rules for legitimate traffic.

I have a lot of traffic passing through my "allow any" rule. It is pretty unfriendly to go to the monitor tab and load the filter for this rule and then analyze logged traffic.

Also my question is: how to create a scheduled report for all the traffic flowing through my "allow any" rule (there are dozens of pages)?

And in a general manner: how to create a custom scheduled report for any specific rule?

I have tried to achieve this using the custom report section by defining a filter on a specific rule, but unfortunately it only allows displaying top 10, top 100, ... reports.

Regards,

Laurent

5 REPLIES

L3 Networker

Currently with custom reports there is a limit of the top 500 events. What I would suggest is to create specific rules which will rule out applications which are OK, for example dns, web-browsing, etc.

This will help with the current limit of the top 500.

Hello,

We already have several rules for all identified applications (dns, web-browsing, ldap, icmp, smb, backup flows, most of the business apps, and so on...)

However, there is still a high amount of traffic that falls through to the "any any allow" rule.

I can manually export the traffic logs in CSV format from the Monitor -> Logs -> Traffic menu. Is there at least a way to automate this?

Regards,

Laurent

Laurent, at this time there is not an automated option for manually exported CSV files from the Monitor > Logs > Traffic menu.

Hi,

In this case, what is the best practice to identify all traffic on a network in order to be able to allow only legitimate traffic?

I have dozens of different traffic flows through the device, and the only way I've found to identify this traffic is to export my any any permit rule to CSV and then work with Excel to filter and sort out the requested info (source/dest addresses, dest ports, applications and so on). It is pretty unfriendly to work like that, so what do you recommend to achieve this work?

Regards,

Laurent

@Laurent:

I would advise having a daily report for the top 25 applications that match your any-any-allow rule. Each day review this report and create specific allow/deny rules for the applications based upon the desired behavior in your network.

-Benjamin
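The workflow the thread converges on (export the traffic log, isolate the sessions that hit the catch-all rule, group them by application and destination port, then draft specific rules from the groups) can be scripted instead of done by hand in Excel. The following is an added example, not code from the original thread or from Palo Alto Networks. It assumes the CSV export carries the column headers shown in the constructed sample (Rule, Application, Source address, Destination address, Destination Port, Bytes) and that the catch-all rule is named allow-any; both are assumptions to adjust to your own export. Sessions whose App-ID is unknown-tcp or unknown-udp are flagged for investigation rather than turned into candidate rules, since the firewall could not identify the application.

```python
"""Summarize a PAN-OS traffic-log CSV export for one rule and draft candidate rules.

Added example, not from the original thread. The column names below are an
assumption about the export format; edit them if your export differs.
"""
import csv
import io
from collections import defaultdict

# Constructed sample of an exported traffic log (not real data).
SAMPLE_CSV = """Receive Time,Source address,Destination address,Rule,Application,Destination Port,Action,Bytes
2013/05/01 10:00:01,10.1.1.5,10.2.2.20,allow-any,ms-rdp,3389,allow,52000
2013/05/01 10:00:02,10.1.1.6,10.2.2.20,allow-any,ms-rdp,3389,allow,61000
2013/05/01 10:00:03,10.1.1.5,10.2.2.21,allow-any,ntp,123,allow,200
2013/05/01 10:00:04,10.1.1.7,10.2.2.22,web-browsing-out,web-browsing,80,allow,8000
2013/05/01 10:00:05,10.1.1.8,10.2.2.23,allow-any,unknown-tcp,8443,allow,1500
2013/05/01 10:00:06,10.1.1.9,10.2.2.23,allow-any,unknown-tcp,8443,allow,1200
2013/05/01 10:00:07,10.1.1.5,10.2.2.21,allow-any,ntp,123,allow,180
2013/05/01 10:00:08,10.1.1.6,10.2.2.21,allow-any,ntp,123,allow,190
"""

# Assumed header names of the export; change here if yours differ.
COL_RULE, COL_APP, COL_SRC = "Rule", "Application", "Source address"
COL_DST, COL_PORT, COL_BYTES = "Destination address", "Destination Port", "Bytes"


def load_rows(text):
    """Parse the CSV text into a list of dicts keyed by header."""
    return list(csv.DictReader(io.StringIO(text)))


def rows_for_rule(rows, rule):
    """Keep only the sessions that matched the given rule (the on-box
    equivalent is the Monitor filter ( rule eq 'allow-any' ))."""
    return [r for r in rows if r[COL_RULE] == rule]


def summarize(rows, rule, top=25):
    """Group sessions hitting `rule` by (application, destination port),
    ranked by session count then bytes, truncated to `top` groups."""
    agg = defaultdict(lambda: {"sessions": 0, "bytes": 0,
                               "sources": set(), "destinations": set()})
    for r in rows_for_rule(rows, rule):
        a = agg[(r[COL_APP], r[COL_PORT])]
        a["sessions"] += 1
        a["bytes"] += int(r[COL_BYTES])
        a["sources"].add(r[COL_SRC])
        a["destinations"].add(r[COL_DST])
    ranked = sorted(agg.items(),
                    key=lambda kv: (-kv[1]["sessions"], -kv[1]["bytes"]))
    return [{"application": app, "port": port,
             "sessions": v["sessions"], "bytes": v["bytes"],
             "sources": sorted(v["sources"]),
             "destinations": sorted(v["destinations"])}
            for (app, port), v in ranked[:top]]


def suggest_rules(summary):
    """Turn each group into a draft specific rule. Unidentified traffic
    (App-ID unknown-tcp / unknown-udp) is flagged instead of allowed."""
    drafts = []
    for g in summary:
        status = "investigate" if g["application"].startswith("unknown-") else "candidate"
        drafts.append({
            "status": status,
            "rule": "allow app %s from %s to %s dst-port %s" % (
                g["application"], ",".join(g["sources"]),
                ",".join(g["destinations"]), g["port"]),
            "sessions": g["sessions"],
        })
    return drafts


if __name__ == "__main__":
    report = summarize(load_rows(SAMPLE_CSV), "allow-any")
    for d in suggest_rules(report):
        print("%-12s %4d sessions  %s" % (d["status"], d["sessions"], d["rule"]))
```

Run it against a real export by replacing SAMPLE_CSV with the file contents; the candidate lines are a starting point for specific rules, and the groups marked investigate are the ones to look at by hand before anything is added above the catch-all.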
