NFO 2.8.1
Bandwidth Consumption per Application/User for Palo Alto Networks (10035 / 20035)

Description

This Module uses Palo Alto Networks NetFlow v9 reporting to provide a list of the most active applications and users by traffic. The most active applications and users are reported per Network Device over a time interval.
This Module consolidates the NetFlow records received over a period of time (the Data Collection Interval) that share the same combination of the following fields:
    Application ID
    Source IP address
    Destination IP address
    Source port number, only if the source host is the server (see below)
    Destination port number, only if the destination host is the server (see below)
    Protocol number (the transport protocol: TCP = 6, UDP = 17)
Server destination port: while consolidating NetFlow records, the port of the client host is ignored (and reported as 0) and only the port of the server host is kept. The Module decides which host is the client and which is the server by traffic volume: the host that sends more bytes is taken to be the server. This heuristic can be overridden with the "List of known server destination port numbers" parameter: a host using one of the listed ports is treated as the server. The override matters for sessions in which the client sends more than it receives (uploads, backups, or a service on a non-standard port); without it, such a session is reported with the client's ephemeral port kept and the server's port zeroed.
The number of reported top most active applications and users (N) and the observation interval (T, sec) are configurable. This information is provided per NetFlow exporter.

Parameters

Data Collection Interval, sec
    Description: Module logic execution interval
    Comments: min = 10 sec, max = 600 sec, default = 30 sec
Application id list
    Description: A list of watched applications. If specified, traffic is reported for the listed applications and all other traffic is summed up under app=other. If the list is empty, traffic is reported for all applications.
List of known server destination port numbers
    Description: List of server destination ports used to determine which host is the client and which is the server. If the list is removed or empty, all ports are reported.
    Comments: e.g. 53, 80, 443
Share of total traffic reported, %
    Description: Reported percent of total traffic, by application and user
    Comments: e.g. 50 - the most active application/user entries that together consume 50% of traffic are reported; min = 1%, max = 100%, default = 80%
Report selected applications only (1)
    Description: Enable/disable reporting of selected apps only (1 - report only the apps in the Application id list, 0 - report all apps)
    Comments: default = 0
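The consolidation procedure from the Description and the parameters above, carried through on sample input. This is an added example written for this page, not NFO's own implementation. Assumptions: each NetFlow v9 record is a dict with the keys used below (the exporter template field names are not given on this page), the exporter address is 192.0.2.1, only IPv4 is handled, and N (top_n) is 10; the sample records are constructed. It also shows the caveat of the byte-count heuristic: the ssh session on port 2222, where the client uploads more than it downloads, is reported with its ports swapped until 2222 is added to the known server port list.

```python
"""Re-implementation of the consolidation and reporting logic described on
this page (illustrative, not NFO's code).  Record layout, exporter address
and IPv4-only handling are assumptions of the example."""
from collections import defaultdict

NFC_ID = 20035

# Constructed sample records: two web-browsing flows, one ssh session on a
# non-standard port where the client sends more than it receives, and a DNS
# lookup.  Each dict is one unidirectional NetFlow record.
SAMPLE_RECORDS = [
    {"app": "web-browsing", "user": "alice", "proto": 6, "direction": "outbound",
     "src_ip": "10.0.0.5", "src_port": 51000, "dst_ip": "93.184.216.34", "dst_port": 443, "bytes": 4000},
    {"app": "web-browsing", "user": "alice", "proto": 6, "direction": "inbound",
     "src_ip": "93.184.216.34", "src_port": 443, "dst_ip": "10.0.0.5", "dst_port": 51000, "bytes": 120000},
    {"app": "web-browsing", "user": "alice", "proto": 6, "direction": "outbound",
     "src_ip": "10.0.0.5", "src_port": 51001, "dst_ip": "93.184.216.34", "dst_port": 443, "bytes": 2000},
    {"app": "web-browsing", "user": "alice", "proto": 6, "direction": "inbound",
     "src_ip": "93.184.216.34", "src_port": 443, "dst_ip": "10.0.0.5", "dst_port": 51001, "bytes": 80000},
    {"app": "ssh", "user": "bob", "proto": 6, "direction": "outbound",
     "src_ip": "10.0.0.7", "src_port": 40000, "dst_ip": "10.0.0.9", "dst_port": 2222, "bytes": 50000},
    {"app": "ssh", "user": "bob", "proto": 6, "direction": "inbound",
     "src_ip": "10.0.0.9", "src_port": 2222, "dst_ip": "10.0.0.7", "dst_port": 40000, "bytes": 9000},
    {"app": "dns", "user": None, "proto": 17, "direction": "outbound",
     "src_ip": "10.0.0.5", "src_port": 53211, "dst_ip": "10.0.0.2", "dst_port": 53, "bytes": 120},
    {"app": "dns", "user": None, "proto": 17, "direction": "inbound",
     "src_ip": "10.0.0.2", "src_port": 53, "dst_ip": "10.0.0.5", "dst_port": 53211, "bytes": 400},
]


def session_key(rec):
    """Direction-independent key joining the two halves of one session."""
    ends = sorted([(rec["src_ip"], rec["src_port"]), (rec["dst_ip"], rec["dst_port"])])
    return (rec["app"], rec["proto"], ends[0], ends[1])


def server_side(src_port, dst_port, src_sent, dst_sent, known_ports):
    """Return "src" or "dst": which endpoint is the server.  A port from the
    known-server-port list wins; otherwise the page's heuristic applies and
    the host that sent more bytes is called the server."""
    if dst_port in known_ports and src_port not in known_ports:
        return "dst"
    if src_port in known_ports and dst_port not in known_ports:
        return "src"
    return "src" if src_sent > dst_sent else "dst"


def consolidate(records, exp_ip="192.0.2.1", interval_sec=30,
                known_server_ports=frozenset({53, 80, 443}),
                app_list=frozenset(), share_pct=80, top_n=10):
    """Consolidate records into application/user entries and return the top
    ones, with keys in the order of the Syslog/JSON message table."""
    # Pass 1: bytes sent by each endpoint of each session, both directions.
    sent = defaultdict(lambda: defaultdict(int))
    for r in records:
        sent[session_key(r)][(r["src_ip"], r["src_port"])] += r["bytes"]

    # Pass 2: zero the client port, fold unlisted apps into "other", aggregate.
    agg = {}
    for r in records:
        sk = session_key(r)
        srv = server_side(r["src_port"], r["dst_port"],
                          sent[sk][(r["src_ip"], r["src_port"])],
                          sent[sk][(r["dst_ip"], r["dst_port"])], known_server_ports)
        src_port = r["src_port"] if srv == "src" else 0
        dst_port = r["dst_port"] if srv == "dst" else 0
        app = r["app"] if not app_list or r["app"] in app_list else "other"
        key = (r["proto"], r["direction"], app, r["dst_ip"], dst_port,
               r["src_ip"], src_port, r["user"] or "na")
        entry = agg.setdefault(key, {"created_count": 0, "bytes": 0})
        entry["created_count"] += 1
        entry["bytes"] += r["bytes"]

    # Pass 3: rank by bytes; report until the share threshold or N is reached.
    total = sum(e["bytes"] for e in agg.values())
    ranked = sorted(agg.items(), key=lambda kv: kv[1]["bytes"], reverse=True)
    report, cum = [], 0
    for key, e in ranked[:top_n]:
        if cum * 100 >= total * share_pct:
            break
        proto, direction, app, dst_ip, dst_port, src_ip, src_port, user = key
        report.append({"nfc_id": NFC_ID, "exp_ip": exp_ip, "protocol": proto,
                       "direction": direction, "app": app, "dest_ip": dst_ip,
                       "dest_port": dst_port, "src_ip": src_ip, "src_port": src_port,
                       "user": user, "created_count": e["created_count"],
                       "bytes": e["bytes"],
                       "percent_of_total": round(e["bytes"] * 100 / total, 3),
                       "t_int": interval_sec * 1000})
        cum += e["bytes"]
    return report


def format_syslog(entry):
    """Render one entry as the key=value message documented on this page."""
    return " ".join(f"{k}={v}" for k, v in entry.items())


if __name__ == "__main__":
    for entry in consolidate(SAMPLE_RECORDS):
        print(format_syslog(entry))
```

With the defaults (share 80%, known ports 53/80/443) only the web-browsing download and the ssh upload are reported, and the ssh entry carries src_port=40000 and dest_port=0 because the client sent more bytes; passing known_server_ports={53, 80, 443, 2222} flips it to src_port=0, dest_port=2222.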

Inputs

Palo Alto Networks NetFlow v9.

Syslog/JSON Message Fields

nfc_id
    Description: Message type identifier
    Comments: "nfc_id=20035"
exp_ip
    Description: NetFlow exporter IPv4 address
    Comments: <IPv4_address>
protocol
    Description: Transport protocol (TCP = 6, UDP = 17)
    Comments: <number>
direction
    Description: Direction
    Comments: <string>, "inbound" or "outbound"
app
    Description: Application
    Comments: <string>
dest_ip
    Description: Destination host IP address
    Comments: <IPv4_address>
dest_ip6
    Description: Destination host IPv6 address
    Comments: <IPv6_address>
dest_port
    Description: Destination host port number
    Comments: <number>, 0 if the destination is a client host
src_ip
    Description: Source host IP address
    Comments: <IPv4_address>
src_ip6
    Description: Source host IPv6 address
    Comments: <IPv6_address>
src_port
    Description: Source host port number
    Comments: <number>, 0 if the source is a client host
user
    Description: User-ID
    Comments: <string> ("na" if not available)
created_count
    Description: Created flows count
    Comments: <number>
bytes
    Description: Bytes total (traffic)
    Comments: <number>
percent_of_total
    Description: Percent of total (traffic)
    Comments: <decimal>, e.g. 25.444% is reported as 25.444
t_int
    Description: Observation time interval, msec
    Comments: <number>
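An added parser for these messages, written for this page and not part of NFO; it applies the type and range checks a SIEM ingest pipeline would want before trusting the fields. The sample lines are constructed, not captured from an exporter. Beyond what the table states, it derives the average rate from bytes and t_int and rolls bytes up per User-ID, which is the usual first step toward a per-user bandwidth alert.

```python
"""Parser for nfc_id=20035 key=value messages (illustrative code added to
this page, not NFO's).  Sample lines are constructed for the example."""
import re
from collections import Counter

NFC_ID = "20035"  # compared as a string: that is how it arrives in syslog
INT_FIELDS = {"protocol", "dest_port", "src_port", "created_count", "bytes", "t_int"}
FLOAT_FIELDS = {"percent_of_total"}
REQUIRED = {"nfc_id", "exp_ip", "protocol", "direction", "app",
            "user", "created_count", "bytes", "percent_of_total", "t_int"}
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

SAMPLE_LINES = [
    "nfc_id=20035 exp_ip=192.0.2.1 protocol=6 direction=inbound app=web-browsing "
    "dest_ip=10.0.0.5 dest_port=0 src_ip=93.184.216.34 src_port=443 user=alice "
    "created_count=2 bytes=200000 percent_of_total=75.324 t_int=30000",
    "nfc_id=20035 exp_ip=192.0.2.1 protocol=6 direction=outbound app=ssh "
    "dest_ip=10.0.0.9 dest_port=2222 src_ip=10.0.0.7 src_port=0 user=bob "
    "created_count=1 bytes=50000 percent_of_total=18.831 t_int=30000",
    # IPv6 endpoints arrive in the *_ip6 keys instead of dest_ip / src_ip
    "nfc_id=20035 exp_ip=192.0.2.1 protocol=17 direction=inbound app=dns "
    "dest_ip6=2001:db8::5 dest_port=0 src_ip6=2001:db8::2 src_port=53 user=na "
    "created_count=1 bytes=400 percent_of_total=0.151 t_int=30000",
    # truncated message: bytes and the remaining fields are missing
    "nfc_id=20035 exp_ip=192.0.2.1 protocol=6 direction=outbound app=ssh "
    "dest_ip=10.0.0.9 dest_port=2222 src_ip=10.0.0.7 src_port=0 user=bob",
]


def parse_message(line):
    """Parse one message into typed fields.  Returns None when the line is not
    an nfc_id=20035 message; raises ValueError when it is but is malformed."""
    raw = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    if raw.get("nfc_id") != NFC_ID:
        return None
    missing = REQUIRED - raw.keys()
    if missing:
        raise ValueError(f"missing fields: {sorted(missing)}")
    fields = {}
    for key, value in raw.items():
        if key in INT_FIELDS:
            value = int(value)       # int() raises ValueError on garbage
        elif key in FLOAT_FIELDS:
            value = float(value)
        fields[key] = value
    if fields["direction"] not in ("inbound", "outbound"):
        raise ValueError(f"bad direction {fields['direction']!r}")
    # Exactly one address family per endpoint, as the field table lays out.
    for end in ("dest", "src"):
        if (f"{end}_ip" in fields) == (f"{end}_ip6" in fields):
            raise ValueError(f"need exactly one of {end}_ip / {end}_ip6")
    if not 0 <= fields["percent_of_total"] <= 100 or fields["t_int"] <= 0:
        raise ValueError("percent_of_total or t_int out of range")
    return fields


def bits_per_second(msg):
    """Average rate of the entry: bytes over the observation interval (msec)."""
    return msg["bytes"] * 8 * 1000 / msg["t_int"]


def bytes_per_user(lines):
    """Roll bytes up by User-ID across messages; returns (totals, rejected)."""
    totals, rejected = Counter(), 0
    for line in lines:
        try:
            msg = parse_message(line)
        except ValueError:
            rejected += 1
            continue
        if msg is not None:
            totals[msg["user"]] += msg["bytes"]
    return dict(totals), rejected


if __name__ == "__main__":
    totals, rejected = bytes_per_user(SAMPLE_LINES)
    print(totals, "rejected:", rejected)
```

Lines without an nfc_id of 20035 are ignored rather than rejected, so the same function can sit in front of a feed that mixes several NFO modules; only messages that claim to be 20035 and fail the checks count as rejected.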