The last few weeks I have noticed a large amount of traffic on the Network Monitor coming from IPSec-ESP. I moved several VPN tunnels off our old WatchGuard to our Palo Alto PA-3020 around the time this started. When I click on the application itself to filter it I see that it cannot identify anything about the traffic. Is this normal? Shouldn't it at least be able to identify the source or destination of the traffic?
To get source and destination information of traffic, go to Monitor > Traffic > Type application "IPSec-ESP". You will find number of logs.
You will have to take Educated guess to find out origin of the traffic.
If Origin of the traffic is your own firewall, than dont worry its intended IPsec Traffic.
If not than there should be something behind the firewall, try to locate IP.
Yes I see about ten entries. If I filter the traffic monitor by the VPN zone I can see traffic destined for the different proxy-IDs. I only see that large amount of traffic classified as IPSec-ESP 2-3 times per day, sometimes early in the morning when no one is here. I have a feeling it is some backup job running on our SQL databases to a remote site but I just want to be sure.
Hulk is correct where the ACC will show you active sessions information and the traffic log will only show traffic information based on security rule log at start or end(default)?
So you would not see logs in traffic till session ends(tunnel goes down).
Following document explains better what you are seeing.
To determine what source/destination is causing traffic would need to look at ACC with source/destination zone for VPN at times you are seeing spike in traffic.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!