NFO 2.8.1
Top Applications Host Pairs Monitor (10037 / 20037)
(available upon request)

Description

This Module reports bi-directional network conversations for the top Applications by bandwidth. In addition to consolidating NetFlow records as in Module 10036, this Module stitches client-server (Application) request-response flows together and reports bytes and packets server-to-client and client-to-server in separate fields.
The Application (server) side of the conversation is reported as dest_ip, together with the destination port. The source port of client hosts is not reported and is ignored when consolidating client-server communications. The time trigger (Data Collection Interval) function, executed every 30 sec by default, does the following:
1. Determine the top N Applications by bandwidth consumption.
2. Report all consolidated conversations for the top N Applications.
This information is provided per NetFlow exporter.
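The consolidation and top-N selection described above, as an added example that is not NFO's own code. It stitches unidirectional NetFlow records into client-server conversations keyed without the client's source port, ranks Applications per exporter by total bytes, keeps the top N hosts per Application, and emits key=value lines in the 20037 message layout. The records are constructed, and each carries a `c2s` flag giving the flow direction; the real exporter data would need that direction inferred from the session, which is outside this example.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class FlowRecord:
    """One unidirectional NetFlow record (constructed sample shape)."""
    exp_ip: str
    protocol: int
    app: str
    src_ip: str
    src_port: int
    dest_ip: str
    dest_port: int
    packets: int
    bytes: int
    c2s: bool  # assumption: True when the flow is client -> server


def consolidate(records):
    """Stitch request and response flows into one conversation per
    (exporter, protocol, app, server ip, server port, client ip).
    The client's source port is deliberately left out of the key, so
    several connections from one host to one service merge into one row.
    flow_count counts the records merged into the row (an assumption)."""
    convs = {}
    for r in records:
        if r.c2s:
            server_ip, server_port, client_ip = r.dest_ip, r.dest_port, r.src_ip
        else:
            server_ip, server_port, client_ip = r.src_ip, r.src_port, r.dest_ip
        key = (r.exp_ip, r.protocol, r.app, server_ip, server_port, client_ip)
        c = convs.setdefault(key, {"packets_in": 0, "bytes_in": 0,
                                   "packets_out": 0, "bytes_out": 0,
                                   "flow_count": 0})
        if r.c2s:                       # client -> server: the "in" fields
            c["packets_in"] += r.packets
            c["bytes_in"] += r.bytes
        else:                           # server -> client: the "out" fields
            c["packets_out"] += r.packets
            c["bytes_out"] += r.bytes
        c["flow_count"] += 1
    return convs


def top_applications(convs, n):
    """Per exporter, rank Applications by total bytes in both directions and
    keep the top n; n == 0 means all, matching the module's parameter."""
    per_exp = defaultdict(lambda: defaultdict(int))
    for (exp_ip, _proto, app, *_rest), c in convs.items():
        per_exp[exp_ip][app] += c["bytes_in"] + c["bytes_out"]
    result = {}
    for exp_ip, apps in per_exp.items():
        ranked = sorted(apps, key=lambda a: apps[a], reverse=True)
        result[exp_ip] = set(ranked if n == 0 else ranked[:n])
    return result


def report(convs, n_apps, n_hosts, t_int=30000):
    """Emit one key=value line per kept conversation. Within each
    exporter+Application, the n_hosts largest client hosts are kept
    (0 = all). user is always "na" here because the sample carries no User-ID."""
    keep = top_applications(convs, n_apps)
    grouped = defaultdict(list)
    for key, c in convs.items():
        exp_ip, _proto, app, *_rest = key
        if app in keep[exp_ip]:
            grouped[(exp_ip, app)].append((key, c))
    lines = []
    for items in grouped.values():
        items.sort(key=lambda kc: kc[1]["bytes_in"] + kc[1]["bytes_out"], reverse=True)
        if n_hosts:
            items = items[:n_hosts]
        for (exp_ip, proto, app, sip, sport, cip), c in items:
            total = c["bytes_in"] + c["bytes_out"]
            lines.append(
                f"nfc_id=20037 exp_ip={exp_ip} protocol={proto} app={app} "
                f"dest_ip={sip} dest_port={sport} src_ip={cip} user=na "
                f"packets_in={c['packets_in']} bytes_in={c['bytes_in']} "
                f"packets_out={c['packets_out']} bytes_out={c['bytes_out']} "
                f"bytes={total} flow_count={c['flow_count']} t_int={t_int}")
    return lines


# Constructed sample: one client talking to an ssl server over two client
# ports (each with a response flow), plus a small dns exchange.
SAMPLE = [
    FlowRecord("10.0.0.1", 6, "ssl", "10.1.1.5", 51000, "192.0.2.10", 443, 20, 2000, True),
    FlowRecord("10.0.0.1", 6, "ssl", "192.0.2.10", 443, "10.1.1.5", 51000, 30, 45000, False),
    FlowRecord("10.0.0.1", 6, "ssl", "10.1.1.5", 51001, "192.0.2.10", 443, 10, 1000, True),
    FlowRecord("10.0.0.1", 6, "ssl", "192.0.2.10", 443, "10.1.1.5", 51001, 15, 20000, False),
    FlowRecord("10.0.0.1", 17, "dns", "10.1.1.6", 40000, "192.0.2.53", 53, 1, 80, True),
    FlowRecord("10.0.0.1", 17, "dns", "192.0.2.53", 53, "10.1.1.6", 40000, 1, 200, False),
]

if __name__ == "__main__":
    for line in report(consolidate(SAMPLE), n_apps=1, n_hosts=50):
        print(line)
```

With `n_apps=1` only the ssl conversation is emitted, and the two client ports collapse into a single row with `bytes_in=3000 bytes_out=65000`; setting both parameters to 0 reports every conversation, which is what the page's "0 indicates all" comments describe.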

Parameters

| Parameter Name | Description | Comments |
|---|---|---|
| Data Collection Interval, sec | Module logic execution interval | min = 5 sec, max = 600 sec, default = 30 sec |
| N – number of reported Applications | The number of top Applications reported per NetFlow exporter | min = 0, max = 100000, default = 50 (0 indicates all Applications are reported) |
| N – number of reported hosts | The number of hosts using top Applications reported per NetFlow exporter | min = 0, max = 100000, default = 50 (0 indicates all hosts for top Applications are reported) |

Input

Palo Alto Networks NetFlow v9

Syslog/JSON Message Fields

| Key | Field Description | Comments |
|---|---|---|
| nfc_id | Message type identifier | "nfc_id=20037" |
| exp_ip | NetFlow exporter IPv4 address | <IPv4_address> |
| protocol | Transport Protocol (TCP = 6, UDP = 17) | <number> |
| app | Application | <string> |
| dest_ip | App (Server) IP address | <IPv4_address> |
| dest_ip6 | App (Server) IPv6 address | <IPv6_address> |
| dest_port | App (Server) port number | <number> |
| src_ip | Source host IPv4 address | <IPv4_address> |
| src_ip6 | Source host IPv6 address | <IPv6_address> |
| user | User-ID | <string> ("na" if not available) |
| packets_in | Packets from client to server | <number> |
| bytes_in | Layer 3 bytes from client to server | <number> |
| packets_out | Packets from server to client | <number> |
| bytes_out | Layer 3 bytes from server to client | <number> |
| bytes | Layer 3 bytes in both directions | <number> |
| flow_count | Number of flows | <number> |
| t_int | Observation time interval, msec | <number> |
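A consumer for the message layout above, as an added example that is not NFO's own code. It parses a 20037 key=value line, type-checks each key against the field table (numbers, IPv4, IPv6, the "na" user placeholder, exactly one of dest_ip/dest_ip6), and derives the per-conversation rate and direction asymmetry that a detection rule would typically key on. The sample messages are constructed, and the asymmetry threshold is an illustrative assumption.

```python
import ipaddress

# Field classes taken from the message field table.
NUMERIC = {"protocol", "dest_port", "packets_in", "bytes_in", "packets_out",
           "bytes_out", "bytes", "flow_count", "t_int"}
IPV4 = {"exp_ip", "dest_ip", "src_ip"}
IPV6 = {"dest_ip6", "src_ip6"}
EXPECTED_NFC_ID = 20037


def parse_message(line):
    """Parse one syslog key=value message into typed fields.
    Raises ValueError on anything that does not match the field table."""
    fields = {}
    for token in line.split():
        key, sep, value = token.partition("=")
        if not sep:
            raise ValueError(f"malformed token {token!r}")
        if key == "nfc_id" or key in NUMERIC:
            value = int(value)
        elif key in IPV4:
            value = str(ipaddress.IPv4Address(value))  # rejects non-IPv4
        elif key in IPV6:
            value = str(ipaddress.IPv6Address(value))  # rejects non-IPv6
        fields[key] = value
    if fields.get("nfc_id") != EXPECTED_NFC_ID:
        raise ValueError(f"unexpected nfc_id {fields.get('nfc_id')!r}")
    if ("dest_ip" in fields) == ("dest_ip6" in fields):
        raise ValueError("expected exactly one of dest_ip / dest_ip6")
    if ("src_ip" in fields) == ("src_ip6" in fields):
        raise ValueError("expected exactly one of src_ip / src_ip6")
    if fields["bytes"] != fields["bytes_in"] + fields["bytes_out"]:
        raise ValueError("bytes must equal bytes_in + bytes_out")
    if fields["t_int"] <= 0:
        raise ValueError("t_int must be a positive interval in msec")
    return fields


def check_message(line):
    """Return None if the line parses cleanly, else the error text."""
    try:
        parse_message(line)
        return None
    except ValueError as exc:
        return str(exc)


def derive_metrics(fields, upload_ratio=10.0):
    """Average bit rate over the observation interval and the
    client-to-server byte ratio. upload_heavy is an assumed heuristic:
    a conversation where the client sends upload_ratio times more than it
    receives is unusual for most request-response Applications."""
    seconds = fields["t_int"] / 1000.0
    bps = fields["bytes"] * 8 / seconds
    ratio = (fields["bytes_in"] / fields["bytes_out"]
             if fields["bytes_out"] else float("inf"))
    return {
        "server": fields.get("dest_ip") or fields.get("dest_ip6"),
        "client": fields.get("src_ip") or fields.get("src_ip6"),
        "user_known": fields["user"] != "na",
        "bps": bps,
        "c2s_ratio": ratio,
        "upload_heavy": ratio >= upload_ratio,
    }


# Constructed sample messages: a normal download-heavy ssl conversation and
# an upload-heavy one from a host with no User-ID mapping.
NORMAL = ("nfc_id=20037 exp_ip=10.0.0.1 protocol=6 app=ssl dest_ip=192.0.2.10 "
          "dest_port=443 src_ip=10.1.1.5 user=alice packets_in=30 bytes_in=3000 "
          "packets_out=45 bytes_out=65000 bytes=68000 flow_count=4 t_int=30000")
UPLOAD = ("nfc_id=20037 exp_ip=10.0.0.1 protocol=6 app=ssl dest_ip=198.51.100.7 "
          "dest_port=443 src_ip=10.1.1.9 user=na packets_in=900 bytes_in=1200000 "
          "packets_out=60 bytes_out=6000 bytes=1206000 flow_count=1 t_int=30000")

if __name__ == "__main__":
    for msg in (NORMAL, UPLOAD):
        print(derive_metrics(parse_message(msg)))
```

The structural checks (nfc_id, one address family per side, bytes arithmetic, positive t_int) are what a log pipeline should enforce before fields reach a rule; `user=na` is a normal value, not a parse error, and is only surfaced as `user_known` so rules can treat unmapped hosts differently.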