Top Applications Host Pairs Monitor (10037 / 20037)
Description
note
This Module is available upon request
This Module reports bi-directional network conversations for top Applications by bandwidth. In addition to consolidating NetFlow records as in Module 10036, this Module stitches client-server (Application) request-response flows, reporting bytes and packets server-to-client and client-to-server in separate fields.
The Application side of the conversation is reported as dest_ip. Destination port is also reported. Source port of client hosts is not reported, and ignored while consolidating client-server communications. Time trigger (Data collection interval) function – executed every 30 sec (default).
- Determine top N Applications by bandwidth consumption.
- Report all consolidated conversations for top N applications
This information is provided per NetFlow exporter.
Parameters
| Parameter Name | Description | Comments |
|---|---|---|
| Data Collection Interval, sec | Module logic execution interval | min = 5 sec, max = 600 sec, default = 30 sec |
| N – number of reported Applications | The number of top Applications reported per NetFlow exporter | min = 0, max = 100000, default = 50 (0 indicates all Applications are reported) |
| N – number of reported hosts | The number of hosts using top Applications reported per NetFlow exporter | min = 0, max = 100000, default = 50 (0 indicates all hosts for top Applications are reported) |
Input
Palo Alto Networks NetFlow v9
Syslog/JSON Message Fields
| Key | Field Description | Comments |
|---|---|---|
| nfc_id | Message type identifier | “nfc_id=20037” |
| exp_ip | NetFlow exporter IPv4 address | <IPv4_address> |
| protocol | Transport Protocol (TCP = 6, UDP = 17) | <number> |
| app | Application | <string> |
| dest_ip | App (Server) IP address | <IPv4_address> |
| dest_ip6 | App (Server) IPv6 address | <IPv6_address> |
| dest_port | App (Server) port number | <number> |
| src_ip | Source host IPv4 address | <IPv4_address> |
| src_ip6 | Source host IPv6 address | <IPv6_address> |
| user | User-ID | <string> (“na” if not available) |
| packets_in | Packets from client to server | <number> |
| bytes_in | Layer 3 bytes from client to server | <number> |
| packets_out | Packets from server to client | <number> |
| bytes_out | Layer 3 bytes from server to client | <number> |
| bytes | Layer 3 bytes in both directions | <number> |
| flow_count | Number of flows | <number> |
| t_int | Observation time interval, msec | <number> |