Complete application traffic report for firewall rule

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Complete application traffic report for firewall rule

L1 Bithead

Hi!

 

We have migrated our customers old firewalls to Palo altos and managing them through Panorama.

 

Now we want to convert the old rules into specific application rules. From server to server , Application by application.

 

So what I need is a complete traffic log/report, rule by rule to be able to start with the new Application rules.

 

It seems that all the reports and CSV exports are caped to a specifik amount of entries? Which makes the report incomplete.

 

The things I've tried is custom reports with the rule as filter, and doing csv exports from the regular traffic monitor.

 

What I would like to have is a complete report of say 30days on all unique Application traffic that hits a specific rule.

By unique I mean that I don't need duplicate entries from and to the same servers with the same application, It would be nice to just have it summarized.

 

Is this possible? Seems the amount of sessions is the problem now, to get a complete report.

8 REPLIES 8

L2 Linker

Dont need to do that! Thankfully palo alto has already a tool INTEGRATED into the firewall, you can see it at the left bottom corner its called policy optimizer, which does exactly that what you are asking for, but without running trough so many hops,

https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/app-id/security-policy-rule-optimization/m...

 

Also i would suggest you to read and watch some tutorials on the expedition tool, which helps your migrations from old FW to NGFW from palo alto networks, https://www.paloaltonetworks.com/products/secure-the-network/next-generation-firewall/migration-tool

I hope this information suits you well!

Gabriel Montiel

I've looked into the optimizer before.

My understanding is that it's great if you have portbased rule from before, to convert them into application based rules.

 

But in my case it's  an any to any rule, so I guess the optimizer would make it any to any on specific applications?

What I want to do is to from server to server on specific application.

Is it possible in the optimizer? 

I understood your use case, yes policy optimizer is mostly to use
applications in policies.

If you want to "close" the policy to some src and dst addresses it would be
easier for you to create a custom report filtering with the policy name, or
simply in the ACC filter to policy name, also you could extract palo alto
logs in csv format and do some excel dynamic table magic its a button on
top right in the monitor traffic logs
Gabriel Montiel

Hi!

 

Well, I've tried the custom report filters and CSV exports but the thing is that there is to much data so the logs are incomplete. It won't give me the full logs.

Is there a way to summarize them i Panorama? Now I see every new session from server to server with the same application in the exports, and it's a huge amount.

I would just like to see every new application from server to server.

 

Can't really see that I can do this in the ACC filter either?

 

Im not quite sure what you mean with "server to server" if by that you
mean a single IP address, or a CIDR address range, you can see new
applications or the applications used within a single security policy rule,
with that you can separate each server flow with security policies and with
the policy optimizer in security policy GUI page theres a column named
"apps seen" you can click on that number and see which applications have
done a match with that security policy
Gabriel Montiel

Okey just to clarify.

Right now we have a rule that says any any from server nets to server nets on any application.

So all server traffic floods on that rule. So it's alot of sessions.

 

What we want to do is to make it more granular, like the examples:

Server1 192.168.1.2 to Server2 192.168.2.3 HTTPS

Server3 192.168.43.2 to Server4  192.168.60.3 DNS

and so on.

 

 

Oh now i get you, best way to do this imo, is filter by the policy name on
monitor, extract CSV columns ( you can extend the amount of rows you can
export in device/panorama, on the setup page
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClaPCAS
)

And then start filtering with excel, and create the new policies above the
current general one, you can repeat this process until you have no new hits
on the old policy.
Gabriel Montiel

Yepp that's what we tried to do, but it's just to many sessions.

With the default setting of 65000 rows in CSV, gives us 1.5 hours of traffic and we want to see like a months traffic.

So if we changed it to the max value of 1048576 rows in CSV, would give us approx. 1.5 days.

Can't see that there is a way to sort out all the duplicate sessions in the monitor view.

  • 4154 Views
  • 8 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!