10-30-2015 07:04 AM
If your Palo Alto firewall is experiencing an unusually high OPEN session count, and/or high throughput, what is the best way to determine the source or destination at the same time of the event?
We have most of our security rules set to log at session end, so doing research on open sessions makes it a little harder. I have confirmed that the ACC tab does not show data for open sessions either. The Session Browser isn't too helpful because 1) you can't search by Start Time, 2) it only shows up to 2048 open sessions, 3) you can't export the results, 4) it's hard to pinpoint a specific source or destination IP.
