11-26-2012 10:41 AM
I am migrating from a port-based firewall to the PA and I want to put the application for all policies that cover inbound services instead of the ports. I plan on temporarily doing a V-wire on the internet connection before the cutover to gather the app-ids needed for each policy so here is my question: Is there a report which will tell me the applications per-destination IP or even better "per policy"? The thing I am doing now is just filtering the traffic log per destination IP and then checking all the apps on the logs. I've tried creating some custom reports, but couldn't get all my policies, just one destination IP. Any help would be appreciated. Thank you.
-Johnny Schultzation
11-26-2012 11:34 AM
I am a bit confused. Your first post asked for a report that tells you the apps per destination IP, or even better "per policy". If you will only have a single v-wire policy, I am unsure what the per-policy report would give in that case.
If you just have the one policy, but want to get all apps to a specific zone (DMZ for example) that are grouped per destination IP, you can do that.
Under Monitor > Manage Custom Reports you would create a new report that has the following parameters:
Database: Traffic Log (detailed, not summary)
Time Frame: whatever you prefer
Sort by: None, top 10-500 (your preference)
Group by: Destination address. You can do up to 50 groups.
Add "Application" to selected colums
Add the following query if your zone is DMZ: (zone.dst eq DMZ)
Save it, and run that report. You'll get a report that has destination address as a value, the destination host name, source and destination zones, and all applications that went to that IP. You may want to play with the settings to customize it to what you need.
-Greg
11-26-2012 11:00 AM
Hi Johnny,
You can go to the traffic log (Monitor tab > Logs, Traffic) and ensure you have a "Rule" column present. If you find the rule in question, click on it to add it to the filter at the top. If you don't find it but know the name, the format for the filter is:
( rule eq 'Your Rule Name' )
Hit the green arrow ("Apply Filter") button. That will present you a filtered report of all traffic that is hitting that rule. You can export that filtered report as a CSV using the Excel icon near the green arrow. From there, you can use excel to sort the columns, and get a list of all apps seen by that rule.
Hope this helps,
Greg Wesson
11-26-2012 11:19 AM
Thanks for that report, however, when I am doing a demo or an AVR, I will not have any data in the policy column since we will only be viewing traffic and we will have a single v-wire policy. That would help after I have installed the firewall, but I'm attempting to have this up and running before the cutover. I'm hoping for some type of custom report grouped by destination IP, filtered for inbound traffic, with the apps per destination IP.
-Johnny
11-26-2012 11:34 AM
I am a bit confused. Your first post asked for a report that tells you the apps per destination IP, or even better "per policy". If you will only have a single v-wire policy, I am unsure what the per-policy report would give in that case.
If you just have the one policy, but want to get all apps to a specific zone (DMZ for example) that are grouped per destination IP, you can do that.
Under Monitor > Manage Custom Reports you would create a new report that has the following parameters:
Database: Traffic Log (detailed, not summary)
Time Frame: whatever you prefer
Sort by: None, top 10-500 (your preference)
Group by: Destination address. You can do up to 50 groups.
Add "Application" to selected colums
Add the following query if your zone is DMZ: (zone.dst eq DMZ)
Save it, and run that report. You'll get a report that has destination address as a value, the destination host name, source and destination zones, and all applications that went to that IP. You may want to play with the settings to customize it to what you need.
-Greg
11-26-2012 12:00 PM
Sorry for my misleading language, I'm testing with our production firewall and I will have to do a test with another firewall in v-wire mode which I do not yet have in place. Thanks for that report, that pretty much gives me what I need. I did have to add a query for the trust zone to get only inbound traffic and the bytes column will help me to identify the legitimate apps that need to be allowed. I'm saving this report into a template to use on all my demos from here on out. Thanks
-Johnny Schultz
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
