Huge traffic to port 3978 for application Panorama

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Huge traffic to port 3978 for application Panorama

L4 Transporter

I am seeing huge size data for application " Panorama" to the port 3978.

The size is in Gbs( 30gb) etc.

On thing  could observe is  start time and end time is big

=

Start Time 2016/05/30 11:01:00
Receive Time 2016/06/14 04:12:34

=

The source IP is firewall management Ip and destination is Panorama IP.

 

I know some keep alives will be going on between firewall management IP and Panorama IP. But will this take huge size.

Or other theorotical explanation can be " device deplyment " like wildfire and antivirus updtes.

But I dont know how to prove this huge size traffic.

 

Is there any way we can get time out for Panorama traffic like "session time out" etc.

I tried creating " custom application for panorama" But which time out value I should choose to get the session killed at least in 24 hours.

 

PCNSE-7, ACE-6,ACE 7 , CCNP, CCNA,CCIE(theory) , RHCE
Firewalldog dot com
1 accepted solution

Accepted Solutions

this will not be logs only, it's the communication channel between firewall and panorama and will contain everything from keepalives, configuration, dynamic updates and logs. if you're browsing the panorama GUI and set the 'aspect' to firewall, this channel will also be used, so the total data will be a collection of all of the above

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

View solution in original post

5 REPLIES 5

Cyber Elite
Cyber Elite

The connection from the firewall to panorama is theoretically permanent, this channel will also be used for log forwarding which will probably explain the total size of the transferred data

 

A firewall will only be able to log the total size of a session after it ends, which in the case of a panorama connection may be 'never' or after a long while so could give you a distorted view of the transferred data. you may want to disable logging for this connection so reporting is not influenced

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

But the total log size of the firewall does not show this hug GB data. 

First I doubt it was the logs transferred from Firewall.

However the total logs stored on firewall and system disk space on firewall does not match the size.

It can be due to lgs are purged on firewall. However is there any way to prove these are logs only.

on logs it just shows (panorama ) aplication. So Panorama application means: ( logs.keep alive, device deployement software & contenet updtes) Please correct me if I am wrong

I am concerened about what is this huge traffic between firewall and panorama.

 

PCNSE-7, ACE-6,ACE 7 , CCNP, CCNA,CCIE(theory) , RHCE
Firewalldog dot com

this will not be logs only, it's the communication channel between firewall and panorama and will contain everything from keepalives, configuration, dynamic updates and logs. if you're browsing the panorama GUI and set the 'aspect' to firewall, this channel will also be used, so the total data will be a collection of all of the above

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

L4 Transporter

Now I got why huge traffic is coming to port 3978.

But why i need to kill this session means, we have a setup of 2 ISPs. We prefere this traffic should go through 1 ISP.

Tht we accomplish through PBF ruless to 1 ISP. However there are 2 issues in this:

1) As per PBF session, first few packets will go thorgh normal routing table and wont take PBF. untill the aplication identified. in this case as it is Panorama traffc it is never ending traffic. So this stayes at 1 ISP only. We have to manually kill Session an then next sessio will take 2 nd ISP.

 

2) another scenarion, lets assume my 1st ISP down, then panorama traffic will take 2nd ISP( non prefereed). But even if 1st ISP came up also, as panorama is never ending session, it will continue on 2 nd ISP untll we clear manually.

 

Can any one have suggestions on this.

 

PCNSE-7, ACE-6,ACE 7 , CCNP, CCNA,CCIE(theory) , RHCE
Firewalldog dot com

For this issue, if i chnage the service route( panorama) to different ISP, will it help

PCNSE-7, ACE-6,ACE 7 , CCNP, CCNA,CCIE(theory) , RHCE
Firewalldog dot com
  • 1 accepted solution
  • 4662 Views
  • 5 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!