Reading the Expedition Log Analysis Guide (1.0.2), it has a tiny blurb about the "flow" in the Learning Results:
The Flow has been calculated after figure it out who are the servers on the networks.
In the resulting potential rules, there is a mix of "Client_to_Server" and "Server_to_Server". I import rules into my project, and when merging rules to group similar sources or destinations together with common apps, I'm at a loss to understand how Expedition or PAN-OS calculated the flows. Case in point: I have many rules that come up when merging that all have the same src zone, same dst zone, and same apps; only the src or dst hosts are different. Without knowing more about the actual clients that are listed, I would be inclined to group them all in the same policy. But if PAN-OS or Expedition is seeing an OS fingerprint or something in the traffic, assigning the "client_to_server" or "server_to_client" flow, and then tagging it onto the rule, I would consider leaving them separate.
Assuming the same src/dst zones, what would make Expedition call one flow server-to-client or vice versa?