NFO 2.8.1
Powered By GitBook
Most Active Hosts for Palo Alto Networks (10033 / 20033)

Description

This Module utilizes Palo Alto Networks NetFlow v9 reporting and provides a list of most active hosts by the number of initiated connections. Most active hosts are reported by Network Device and by Destination Port over a time interval. The number of reported top most active hosts (N) and the observation interval (T, sec) are configurable. This information is provided per NetFlow exporter.

Parameters

Parameter Name
Description
Comments
Data Collection Interval, sec
Module logic execution interval
min = 10 sec, max = 600 sec, default = 30 sec
Application protocol (l4_dst_port) list
List of watched layer 4 destination ports. If specified, the traffic is reported by specified ports, and all other traffic is summed up under dest_port=0. If the list is empty, the traffic is reported by all actual destination ports.
e.g. 80, 443
N – number of reported hosts
Top N (number of reported destinations)
min = 0, max = 100000, default = 50 (0 indicates all hosts are reported)
Enable(1) or disable (0) reporting by destination port
If set to 1, enable network traffic monitoring by destination port. If set to 0, report total network traffic as destination port 0 (dest_port=0)
default = 0
M – maximum number of destination ports to report
Top number of ports to report
min = 1, max = 50,
default = 10

Inputs

Palo Alto Networks NetFlow v9.

Syslog/JSON Message Fields

Key
Field Description
Comments
nfc_id
Message type identifier
“nfc_id=20033”
exp_ip
NetFlow exporter IPv4 address
<IPv4_address>
src_ip
Source host IPv4 address
<IPv4_address>
src_ip6
Source host IPv6 address
<IPv6_address>
dest_port
Destination port number (e.g. 80 for http)
<number>
user
User-ID
<string> (“na” if not available)
created_count
Created flows count
<number>
t_int
Observation time interval, msec
<number>
Last modified 1yr ago