Traffic Report: How many destination hosts contacted


L0 Member

Hi Community!

There is a predefined traffic report "Connections": It shows per row how many connections (sessions) a source host has made to a specific destination host.

Is it possible to create a report which shows per row how many distinct destination hosts a source host has contacted? This could be useful, for example, to recognize if a source host is scanning a lot of different destinations.

Let me explain it further.

The "Connections" report shows:

| Source Host | Destination Host | Sessions |
|---|---|---|
| SrcA | DstA | 50 |
| SrcB | DstB | 40 |
| SrcA | DstC | 30 |
| SrcB | DstA | 20 |
| SrcB | DstD | 10 |

I was trying to create a report like this:

| Source Host | Destination Hosts Contacted |
|---|---|
| SrcB | 3 |
| SrcA | 2 |

Do you think this is possible?

Is there a way to query the database(s) in the PA directly (via SQL)?

Thanks in advance!

E.

Model: PA-5020

Software version: 5.0.2

2 REPLIES 2

L4 Transporter

I'm not sure if the API specifically reports on session information, but there is a PAN API that exposes a bunch of information. Here's an overview:

Also here is the XML API documentation:

I'm betting that what you're requesting is possible with the API... possibly combined with a custom report built on the firewall and then 'pulling' that report via the API

Dear egearhart!

I followed your advice and browsed the REST API.

There are three types of reports you can get with it:

  • Dynamic Reports: They are predefined and you can only set the timeframe and the number of rows. There is no connection report or the like.
  • Predefined Reports: These are the same predefined reports you can get via the web page, including the top-connections report I mentioned.
  • Custom Reports: You can retrieve the results of custom reports. But you have to create this report on the webpage.

I also could not find a way to query the traffic databases on the PA with SQL via the REST API.

So the question still persists: Does someone have an idea how to create a custom report which counts the destination hosts a source host contacted?

Otherwise the only way to create such a report would be to retrieve the traffic log of the last day somehow, feed it into a database (such as MySQL) and do the queries there.

Since 5.0.0 you can retrieve logs via REST API. But there is a maximum of 5000 rows. Is there another way?

  • 2137 Views
  • 2 replies
  • 0 Likes
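
The offline approach mentioned in the last reply (feed the retrieved traffic log into a database and query it there), as an added example that is not part of the original posts. The column names `src`, `dst` and `sessions`, the two CSV batches and the `min_hosts` threshold are assumptions; the sample rows are constructed from the table in the question plus one repeated pair.

```python
import csv
import io
import sqlite3

# Constructed sample exports. The headers src/dst/sessions are assumptions,
# not the firewall's real export columns. Two batches stand in for two
# separately retrieved log pages, since one retrieval is capped in size.
BATCH_1 = """src,dst,sessions
SrcA,DstA,50
SrcB,DstB,40
SrcA,DstC,30
"""
BATCH_2 = """src,dst,sessions
SrcB,DstA,20
SrcB,DstD,10
SrcA,DstA,5
"""  # last row repeats SrcA->DstA: it must not raise SrcA's host count


def load_batches(batches):
    """Load any number of CSV batches into one in-memory SQLite table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE traffic (src TEXT, dst TEXT, sessions INTEGER)")
    for text in batches:
        rows = csv.DictReader(io.StringIO(text))
        db.executemany(
            "INSERT INTO traffic VALUES (:src, :dst, :sessions)", rows)
    return db


def destinations_contacted(db, min_hosts=1):
    """Return (src, distinct destinations, total sessions), widest first.

    min_hosts filters the report down to sources whose fan-out is at or
    above a threshold, which is the scanning indicator asked about.
    """
    return db.execute(
        """SELECT src, COUNT(DISTINCT dst) AS hosts, SUM(sessions)
           FROM traffic
           GROUP BY src
           HAVING COUNT(DISTINCT dst) >= ?
           ORDER BY hosts DESC, src""",
        (min_hosts,)).fetchall()


if __name__ == "__main__":
    for row in destinations_contacted(load_batches([BATCH_1, BATCH_2])):
        print(*row, sep="\t")
```
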