Network Outbound baseline.

L4 Transporter


I need to provide a baseline of allowed traffic outbound for a period of time.


So to list


Client -> External Server [ Port/Application ]


Is there a report on the PA-3020 that can be crafted to do this?






Cyber Elite


A 'User Activity Report' might be what you are after. But if it's to a specific external IP and/or port, a custom report might be a better method. If this is a one-time thing, perhaps the Unified logs would give you what you are looking for?



Cyber Elite


Sure. I've provided a sample of a custom report that could be utilized for a 24hr period as an example. The example simply shows traffic going to opendns with the application being dns. 

      <entry name="Test-Outbound">
        <query>(addr.src in and ( (addr.dst eq and (app eq dns) )</query>



L4 Transporter

I need all unique instances of allowed traffic.

 -  - DNS
 -  - DNS
 -  - DNS
 -  - https
 -  - DNS
 -  - https
 -  - DNS


So that no entries are repeated.



Cyber Elite


Really isn't an amazing way to do this from a custom report then. Since you are locating DNS traffic you're going to be looking at a lot of sessions and you'll quickly reach the limits on how large the custom reports can actually be. Your best bet to fulfil this is likely going to be simply filtering the 'traffic' or 'unified' logs and simply exporting the results. 

Depending on what you are looking to do with this information you could simply separate the queries based off of source address, or run all the queries individually. 

( ( addr.src in ) and ( addr.dst in ) and ( app eq dns ) ) or ( ( addr.src in ) and ( addr.dst in ) and ( app eq dns ) ) or ( ( addr.src in ) and ( addr.dst in ) and ( app eq dns ) ) or ( ( addr.src in ) and ( addr.dst in ) and ( port.dst eq 443 ) ) or ( ( addr.src in ) and ( addr.dst in ) and ( port.dst eq 443 ) )


You'll notice that for the https queries I simply used a destination port of 443. This is because I simply didn't know what the application would usually return as. Likely the app would be SSL on either, but you'd either want to run it simply as the dst port search or actually verify in the logs what that traffic is getting identified as and switch it out in the query.   
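Since the suggested approach is to filter the traffic log and export the results, the deduplication the original poster asked for (every allowed Client -> Server / Port/Application pair listed once) can be done on the exported CSV. The script below is an added example, not code from the thread or from Palo Alto Networks: it collapses an exported traffic log into a baseline of unique (source, destination, application, destination port) tuples, rebuilds a log-filter expression in the same shape as the query in the reply above so the baseline can be re-run against the firewall, and flags sessions in a later export that fall outside the baseline. The CSV sample is constructed, and the column names are an assumption that they match the PAN-OS traffic-log CSV export; adjust them if your export differs.

```python
import csv
import io
from collections import Counter

# Constructed sample of an exported traffic log. ASSUMPTION: header names
# match the PAN-OS CSV export ("Source address", "Destination address",
# "Application", "Destination Port", "Action"); rename them if yours differ.
SAMPLE_CSV = """Receive Time,Source address,Destination address,Application,Destination Port,Action
2024/01/01 10:00:01,10.1.1.10,208.67.222.222,dns,53,allow
2024/01/01 10:00:02,10.1.1.10,208.67.222.222,dns,53,allow
2024/01/01 10:00:03,10.1.1.11,208.67.220.220,dns,53,allow
2024/01/01 10:00:04,10.1.1.10,93.184.216.34,ssl,443,allow
2024/01/01 10:00:05,10.1.1.10,93.184.216.34,ssl,443,allow
2024/01/01 10:00:06,10.1.1.12,198.51.100.7,web-browsing,80,deny
2024/01/01 10:00:07,10.1.1.11,93.184.216.34,ssl,443,allow
"""

# A later export used to show how the baseline catches a flow not seen before.
LATER_CSV = """Receive Time,Source address,Destination address,Application,Destination Port,Action
2024/01/02 09:00:01,10.1.1.10,208.67.222.222,dns,53,allow
2024/01/02 09:00:02,10.1.1.12,203.0.113.9,ssh,22,allow
"""


def build_baseline(csv_text, action="allow"):
    """Collapse a traffic-log export into {(src, dst, app, dport): session_count}.

    Only rows whose Action matches (default 'allow') are counted, so denied
    sessions never become part of the allowed-traffic baseline.
    """
    counts = Counter()
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Action"].strip().lower() != action:
            continue
        key = (row["Source address"], row["Destination address"],
               row["Application"], row["Destination Port"])
        counts[key] += 1
    return dict(counts)


def baseline_lines(baseline):
    """Render the baseline as 'client - server - app/port', one line per tuple."""
    return [f"{s} - {d} - {a}/{p}" for (s, d, a, p) in sorted(baseline)]


def baseline_to_query(baseline):
    """Rebuild a PAN-OS log-filter expression, one OR'd clause per baseline tuple,
    in the same shape as the query shown in the reply above."""
    clauses = [
        f"( ( addr.src in {s} ) and ( addr.dst in {d} ) "
        f"and ( app eq {a} ) and ( port.dst eq {p} ) )"
        for (s, d, a, p) in sorted(baseline)
    ]
    return " or ".join(clauses)


def new_flows(baseline, csv_text, action="allow"):
    """Return allowed (src, dst, app, dport) tuples in csv_text that are not in the baseline."""
    seen = build_baseline(csv_text, action)
    return sorted(key for key in seen if key not in baseline)


if __name__ == "__main__":
    base = build_baseline(SAMPLE_CSV)
    for line in baseline_lines(base):
        print(line)
    print(baseline_to_query(base))
    print("not in baseline:", new_flows(base, LATER_CSV))
```

Because the baseline is keyed on application as well as destination port, the uncertainty mentioned above (whether https shows up as ssl or something else) resolves itself: whatever App-ID the firewall assigned is what lands in the baseline and in the regenerated filter.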
