02-16-2013 01:22 PM
Hi Community!
There is a predefined traffic report "Connections": it shows per row how many connections (sessions) a source host has made to a specific destination host.
Is it possible to create a report which shows per row how many distinct destination hosts a source host has contacted? This could be useful, for example, to recognize if a source host is scanning a lot of different destinations.
Let me explain it further.
The "Connections" report shows:
Source Host | Destination Host | Sessions |
---|---|---|
SrcA | DstA | 50 |
SrcB | DstB | 40 |
SrcA | DstC | 30 |
SrcB | DstA | 20 |
SrcB | DstD | 10 |
I was trying to create a report like this:
Source Host | Destination Hosts Contacted |
---|---|
SrcB | 3 |
SrcA | 2 |
Do you think this is possible?
Is there a way to query the database(s) in the PA directly (via SQL)?
Thanks in advance!
E.
Model: PA-5020
Software version: 5.0.2
02-16-2013 06:23 PM
I'm not sure if the API specifically reports on session information, but there is a PAN API that exposes a bunch of information. Here's an overview:
Also here is the XML API documentation:
I'm betting that what you're requesting is possible with the API... possibly combined with a custom report built on the firewall and then 'pulling' that report via the API.
02-17-2013 11:40 AM
Dear egearhart!
I followed your advice and browsed the REST API.
There are three types of reports you can get with it:
I also could not find a way to query the traffic databases on the PA with SQL via the REST API.
So the question still persists: Does anyone have an idea how to create a custom report which counts the destination hosts a source host contacted?
Otherwise the only way to create such a report would be to retrieve the traffic log of the last day somehow, feed it into a database (such as MySQL) and do the queries there.
Since 5.0.0 you can retrieve logs via REST API. But there is a maximum of 5000 rows. Is there another way?
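The fallback described in the post above (load the exported traffic log into a database and count there), as an added example that is not part of the original thread: Python with an in-memory SQLite database. The CSV layout and the column names `src` and `dst` are assumptions, and the sample rows are constructed from the thread's "Connections" table.

```python
import csv
import io
import sqlite3

# Constructed sample: the thread's "Connections" table, expanded to one row per
# session in a hypothetical CSV export with assumed column names src,dst.
CONNECTIONS = [("SrcA", "DstA", 50), ("SrcB", "DstB", 40), ("SrcA", "DstC", 30),
               ("SrcB", "DstA", 20), ("SrcB", "DstD", 10)]


def sample_csv():
    out = io.StringIO()
    writer = csv.writer(out)
    writer.writerow(["src", "dst"])
    for src, dst, sessions in CONNECTIONS:
        writer.writerows([(src, dst)] * sessions)
    return out.getvalue()


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE traffic (src TEXT NOT NULL, dst TEXT NOT NULL)")
    return conn


def load_batch(conn, csv_text):
    """Append one exported batch; call once per batch when exports are row-capped."""
    rows = [(r["src"], r["dst"]) for r in csv.DictReader(io.StringIO(csv_text))]
    conn.executemany("INSERT INTO traffic (src, dst) VALUES (?, ?)", rows)
    return len(rows)


def distinct_destinations(conn, min_destinations=1):
    """Per source: distinct destinations contacted and total sessions, widest first.

    COUNT(DISTINCT dst) is unaffected by duplicate rows from overlapping
    batches; the session total is not.
    """
    return conn.execute(
        "SELECT src, COUNT(DISTINCT dst) AS dests, COUNT(*) AS sessions "
        "FROM traffic GROUP BY src HAVING COUNT(DISTINCT dst) >= ? "
        "ORDER BY dests DESC, src", (min_destinations,)).fetchall()


if __name__ == "__main__":
    db = open_db()
    load_batch(db, sample_csv())
    for src, dests, sessions in distinct_destinations(db):
        print(f"{src} | {dests} | {sessions}")
```

Raising `min_destinations` turns the report into a simple fan-out filter that lists only sources contacting at least that many distinct hosts.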