- Access exclusive content
- Connect with peers
- Share your expertise
- Find support resources
06-16-2016 12:03 AM
I am seeing huge size data for application " Panorama" to the port 3978.
The size is in Gbs( 30gb) etc.
On thing could observe is start time and end time is big
=
Start Time 2016/05/30 11:01:00
Receive Time 2016/06/14 04:12:34
=
The source IP is firewall management Ip and destination is Panorama IP.
I know some keep alives will be going on between firewall management IP and Panorama IP. But will this take huge size.
Or other theorotical explanation can be " device deplyment " like wildfire and antivirus updtes.
But I dont know how to prove this huge size traffic.
Is there any way we can get time out for Panorama traffic like "session time out" etc.
I tried creating " custom application for panorama" But which time out value I should choose to get the session killed at least in 24 hours.
06-16-2016 12:59 AM - edited 06-16-2016 01:02 AM
this will not be logs only, it's the communication channel between firewall and panorama and will contain everything from keepalives, configuration, dynamic updates and logs. if you're browsing the panorama GUI and set the 'aspect' to firewall, this channel will also be used, so the total data will be a collection of all of the above
06-16-2016 12:16 AM
The connection from the firewall to panorama is theoretically permanent, this channel will also be used for log forwarding which will probably explain the total size of the transferred data
A firewall will only be able to log the total size of a session after it ends, which in the case of a panorama connection may be 'never' or after a long while so could give you a distorted view of the transferred data. you may want to disable logging for this connection so reporting is not influenced
06-16-2016 12:27 AM
But the total log size of the firewall does not show this hug GB data.
First I doubt it was the logs transferred from Firewall.
However the total logs stored on firewall and system disk space on firewall does not match the size.
It can be due to lgs are purged on firewall. However is there any way to prove these are logs only.
on logs it just shows (panorama ) aplication. So Panorama application means: ( logs.keep alive, device deployement software & contenet updtes) Please correct me if I am wrong
I am concerened about what is this huge traffic between firewall and panorama.
06-16-2016 12:59 AM - edited 06-16-2016 01:02 AM
this will not be logs only, it's the communication channel between firewall and panorama and will contain everything from keepalives, configuration, dynamic updates and logs. if you're browsing the panorama GUI and set the 'aspect' to firewall, this channel will also be used, so the total data will be a collection of all of the above
07-20-2016 08:30 AM
Now I got why huge traffic is coming to port 3978.
But why i need to kill this session means, we have a setup of 2 ISPs. We prefere this traffic should go through 1 ISP.
Tht we accomplish through PBF ruless to 1 ISP. However there are 2 issues in this:
1) As per PBF session, first few packets will go thorgh normal routing table and wont take PBF. untill the aplication identified. in this case as it is Panorama traffc it is never ending traffic. So this stayes at 1 ISP only. We have to manually kill Session an then next sessio will take 2 nd ISP.
2) another scenarion, lets assume my 1st ISP down, then panorama traffic will take 2nd ISP( non prefereed). But even if 1st ISP came up also, as panorama is never ending session, it will continue on 2 nd ISP untll we clear manually.
Can any one have suggestions on this.
07-27-2016 01:45 AM
For this issue, if i chnage the service route( panorama) to different ISP, will it help
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!