Top Traffic Destinations for Palo Alto Networks (10031 / 20031)
Description
This module uses Palo Alto Networks NetFlow v9 reporting to produce a list of the top network bandwidth destinations. Top destinations are reported per network device (NetFlow exporter) and, optionally, per destination port over a time interval. Only TCP and UDP traffic is counted. The number of reported top consumers (N) and the observation interval (T, sec) are configurable.
Parameters
Parameter Name | Description | Comments |
---|---|---|
Data Collection Interval, sec | Module logic execution interval | min = 10 sec, max = 600 sec, default = 30 sec |
Application protocol (l4_dst_port) list | List of watched layer 4 destination ports. If specified, the traffic is reported by specified ports, and all other traffic is summed up under dest_port=0. If the list is empty, the traffic is reported by all actual destination ports. | e.g. 80, 443 |
N – number of reported hosts | Top N (number of reported destinations) | min = 0, max = 100000, default = 50 (0 indicates all hosts are reported) |
Enable (1) or disable (0) reporting by destination port | If set to 1, report network traffic per destination port. If set to 0, report total network traffic under destination port 0 (dest_port=0). | default = 0 |
M – maximum number of destination ports to report | Top number of ports to report | min = 1, max = 50, default = 10 |
Inputs
Palo Alto Networks NetFlow v9.
Syslog/JSON Message Fields
Key | Field Description | Comments |
---|---|---|
nfc_id | Message type identifier | "nfc_id=20031" |
exp_ip | NetFlow exporter IPv4 address | <IPv4_address> |
dest_ip | Destination host IPv4 address | <IPv4_address> |
dest_ip6 | Destination host IPv6 address | <IPv6_address> |
dest_port | Destination port number (e.g. 80 for http) | <number> |
created_count | Created flows count | <number> |
denied_count | Denied flows count | <number> |
bytes | Bytes total (Traffic) | <number> |
percent_of_total | Percent of total traffic for the exporter | <decimal> (reported as 0 when < 1%) |
t_int | Observation time interval, msec | <number> |
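The following Python script is an added example, not the module's own code: it simulates the aggregation described above (TCP/UDP only, watched-port list with everything else folded into dest_port=0, top N per exporter, percent_of_total reported as 0 below 1%) and renders and parses the nfc_id=20031 key=value message using the field names from the table. The Flow records are constructed sample input; the handling of M (keep the M busiest ports per exporter and fold the rest into port 0) and the use of dest_ip only (no dest_ip6) are assumptions of this example.

```python
"""Added example (not the product's code): top-N destination aggregation and
nfc_id=20031 key=value rendering/parsing. Flow records below are constructed."""
from collections import defaultdict
from dataclasses import dataclass

TCP, UDP = 6, 17


@dataclass(frozen=True)
class Flow:
    exp_ip: str        # NetFlow exporter (the firewall)
    dest_ip: str       # IPv4 destination host (dest_ip6 not modelled here)
    dest_port: int     # layer-4 destination port
    proto: int         # IP protocol number
    bytes: int
    denied: bool = False   # flow was denied by policy


def _port_bucket(flow, watched, selected, by_port):
    """Map a flow to the dest_port it is reported under (0 = everything else)."""
    if not by_port:
        return 0
    if watched and flow.dest_port not in watched:
        return 0
    return flow.dest_port if flow.dest_port in selected else 0


def aggregate(flows, top_n=50, by_port=False, watched_ports=(), max_ports=10, t_int_ms=30000):
    """Return nfc_id=20031 records, one per (exporter, dest_ip, dest_port), ranked by bytes."""
    flows = [f for f in flows if f.proto in (TCP, UDP)]      # only TCP and UDP count
    # Assumption: M (max_ports) keeps the M busiest ports per exporter; others fold into port 0.
    port_bytes = defaultdict(lambda: defaultdict(int))
    for f in flows:
        if not watched_ports or f.dest_port in watched_ports:
            port_bytes[f.exp_ip][f.dest_port] += f.bytes
    selected = {exp: set(sorted(pb, key=pb.get, reverse=True)[:max_ports])
                for exp, pb in port_bytes.items()}
    # exporter -> (dest_ip, dest_port) -> [created_count, denied_count, bytes]
    agg = defaultdict(lambda: defaultdict(lambda: [0, 0, 0]))
    total = defaultdict(int)
    for f in flows:
        port = _port_bucket(f, watched_ports, selected.get(f.exp_ip, set()), by_port)
        c = agg[f.exp_ip][(f.dest_ip, port)]
        c[0] += 1
        c[1] += int(f.denied)
        c[2] += f.bytes
        total[f.exp_ip] += f.bytes
    records = []
    for exp, buckets in agg.items():
        ranked = sorted(buckets.items(), key=lambda kv: kv[1][2], reverse=True)
        if top_n:                      # N = 0 means report all destinations
            ranked = ranked[:top_n]
        for (ip, port), (created, denied, nbytes) in ranked:
            pct = 100.0 * nbytes / total[exp]
            records.append({"nfc_id": 20031, "exp_ip": exp, "dest_ip": ip, "dest_port": port,
                            "created_count": created, "denied_count": denied, "bytes": nbytes,
                            "percent_of_total": round(pct, 2) if pct >= 1.0 else 0.0,
                            "t_int": t_int_ms})
    return records


def to_syslog(rec):
    """Render a record as a space-separated key=value line."""
    return " ".join(f"{k}={v}" for k, v in rec.items())


_INT_FIELDS = {"nfc_id", "dest_port", "created_count", "denied_count", "bytes", "t_int"}


def parse_syslog(line):
    """Parse a key=value line back into a typed dict."""
    out = {}
    for token in line.split():
        k, _, v = token.partition("=")
        if k in _INT_FIELDS:
            out[k] = int(v)
        elif k == "percent_of_total":
            out[k] = float(v)
        else:
            out[k] = v
    return out


# Constructed sample flows for one exporter; byte counts sum to 1,000,000 for TCP/UDP.
SAMPLE_FLOWS = [
    Flow("10.0.0.1", "198.51.100.10", 443, TCP, 300_000),
    Flow("10.0.0.1", "198.51.100.10", 443, TCP, 300_000),
    Flow("10.0.0.1", "198.51.100.10", 80, TCP, 300_000),
    Flow("10.0.0.1", "198.51.100.20", 53, UDP, 25_000),
    Flow("10.0.0.1", "198.51.100.20", 53, UDP, 25_000),
    Flow("10.0.0.1", "198.51.100.30", 22, TCP, 41_000),
    Flow("10.0.0.1", "198.51.100.50", 443, TCP, 9_000, denied=True),
    Flow("10.0.0.1", "198.51.100.40", 0, 1, 5_000_000),   # ICMP: not counted by the module
]

if __name__ == "__main__":
    for rec in aggregate(SAMPLE_FLOWS, top_n=3, by_port=True, watched_ports=(80, 443)):
        print(to_syslog(rec))
```

Running the script prints three records: the 443 and 80 destinations on 198.51.100.10 and the DNS traffic to 198.51.100.20 reported under dest_port=0 because 53 is not on the watched list; the 9,000-byte denied flow is 0.9% of the total and would show percent_of_total=0.0 if N were raised to include it.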