Palo Alto Mgmt IP sent huge traffic to the hawkeye services.

L0 Member

Hi Guys,

 

I just want to ask. From my T1 firewall, I can see that my Palo Alto Mgmt IP is sending huge traffic to hawkeye.services-edge.paloaltonetworks.com. You may refer to the attached picture. Is it normal for our Palo Alto Mgmt IP to send a large volume of traffic, around 20 GB? What is the factor that influences the Mgmt IP to send such huge traffic to hawkeye.services-edge.paloaltonetworks.com?

1 REPLY

Community Team Member

Hi @F.BinMohdFahmi,

 

While some data is normal, 20 GB seems high.

 

The hostname hawkeye.services-edge.paloaltonetworks.com is used by Palo Alto Networks to deliver several of its Cloud-Delivered Security Services (CDSS).

This FQDN is the endpoint for several advanced, inline security services that utilize real-time machine learning and cloud processing. The services that connect here include:

  • Advanced Threat Prevention (ATP) / Inline Cloud Analysis: This is used to analyze highly evasive, zero-day Command and Control (C2) threats in real time. The firewall sends packets, metadata, and potentially file samples to the cloud for deep learning analysis.

  • App-ID Cloud Engine (ACE): This service helps the firewall quickly identify new or previously unknown cloud applications that are not yet in the daily/monthly content updates.

  • Advanced URL Filtering (AUF) / Inline Categorization: This service performs real-time analysis of suspicious web page content using deep learning to prevent zero-day web attacks.

  • Enterprise DLP (Data Loss Prevention): If licensed, the firewall sends content for analysis to identify sensitive data transmissions.

 

The main factor influencing this huge volume is what is being analyzed and forwarded to the cloud service:

If the firewall is configured to use Inline Cloud Analysis (part of ATP, AUF, or DLP), the traffic volume is directly proportional to the amount of suspicious or unknown traffic passing through the firewall.

  • File Forwarding: If you have WildFire configured to forward suspicious files, especially large ones, or if your network is seeing a high volume of potentially malicious executables, that data is transmitted to the cloud for sandboxing and analysis.

  • Full Packet/Session Analysis: When a session is identified as highly suspicious or an unknown C2 threat, the firewall may send more complete data structures related to that session to the cloud for analysis, leading to large upload volumes.

  • Initial Sync/Data Dump: If the service was recently enabled or if the firewall lost connectivity and is now re-establishing its cloud connection, it might attempt to quickly synchronize a large backlog of initial data or configuration, causing a spike.

 

Also confirm Cloud Log Forwarding: If the traffic is still unusually high, check if the firewall is trying to forward a massive volume of logs to the Strata Logging Service (if configured via the same path).

 

If the volume remains high after confirming the traffic is related to a CDSS feature (like ATP or DLP), you should consider opening a case with Palo Alto Networks TAC to review the forwarding logs and confirm normal operation for your specific licensed features.

 

Kind regards,

LIVEcommunity team member, CISSP
Cheers,
Kiwi
Please help out other users and “Accept as Solution” if a post helps solve your problem!
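One way to check the reply's explanation against the upstream firewall's own logs: this added example (not from the thread, and not Palo Alto Networks code) sums the bytes the management IP sent per destination and per hour, then tells a one-off spike (the initial-sync case) from sustained forwarding. The CSV field names, the 192.0.2.10 management IP and the threshold in `classify` are assumptions; the log rows are constructed.

```python
# Added example; the sample rows are constructed and the CSV field names assumed (not a real export).
import csv, io
from collections import defaultdict
from datetime import datetime

SAMPLE_LOG = """time,src_ip,dst_host,bytes_sent
2024-01-01T10:05:00,192.0.2.10,hawkeye.services-edge.paloaltonetworks.com,8000000000
2024-01-01T10:15:00,192.0.2.10,ntp.example.net,2048
2024-01-01T10:40:00,192.0.2.10,hawkeye.services-edge.paloaltonetworks.com,7500000000
2024-01-01T11:10:00,192.0.2.10,hawkeye.services-edge.paloaltonetworks.com,3000000000
2024-01-01T12:20:00,192.0.2.10,hawkeye.services-edge.paloaltonetworks.com,1500000000
"""
MGMT_IP = "192.0.2.10"  # constructed management IP (TEST-NET-1 range)
HAWKEYE = "hawkeye.services-edge.paloaltonetworks.com"

def parse_log(text):
    """Rows as dicts with a parsed timestamp and an integer byte count."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["time"] = datetime.fromisoformat(row["time"])
        row["bytes_sent"] = int(row["bytes_sent"])
    return rows

def bytes_by_dest(rows, src_ip):
    """Total bytes one source sent to each destination host."""
    totals = defaultdict(int)
    for r in rows:
        if r["src_ip"] == src_ip:
            totals[r["dst_host"]] += r["bytes_sent"]
    return dict(totals)

def hourly_profile(rows, src_ip, dst_host):
    """Bytes per clock hour for one source/destination pair, keyed 'YYYY-MM-DDTHH'."""
    buckets = defaultdict(int)
    for r in rows:
        if r["src_ip"] == src_ip and r["dst_host"] == dst_host:
            buckets[r["time"].strftime("%Y-%m-%dT%H")] += r["bytes_sent"]
    return dict(buckets)

def classify(profile):
    """Assumed heuristic: one hour carrying over half the total is a spike, otherwise sustained."""
    total = sum(profile.values())
    if total == 0:
        return "none"
    return "spike" if max(profile.values()) > total / 2 else "sustained"

if __name__ == "__main__":
    rows = parse_log(SAMPLE_LOG)
    print({h: round(b / 1e9, 2) for h, b in bytes_by_dest(rows, MGMT_IP).items()}, "GB")
    print(HAWKEYE, "pattern:", classify(hourly_profile(rows, MGMT_IP, HAWKEYE)))
```

A sustained profile points at inline analysis scaling with inspected traffic, while a spike fits the reconnect or initial-sync case the reply mentions; a TAC case is still the way to confirm for your licensed features.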
