Hosts with Most Policy Violations for Palo Alto Networks (10032 / 20032)

Description

This Module utilizes Palo Alto Networks NetFlow v9 reporting and provides a list of top firewall policies violators. Top violators are reported by Network Device and by Destination Port over a time interval. The number of reported top violators (N) and the observation interval (T, sec) are configurable. This information is provided per NetFlow exporter.

Parameters

Parameter Name	Description	Comments
Data Collection Interval, sec	Module logic execution interval	min = 10 sec, max = 600 sec, default = 30 sec
Application protocol (l4_dst_port) list	List of watched layer 4 destination ports. If specified, the traffic is reported by specified ports, and all other traffic is summed up under dest_port=0. If the list is empty, the traffic is reported by all actual destination ports.	e.g. 80, 443
N – number of reported hosts	Top N (number of reported destinations)	min = 0, max = 100000, default = 50 (0 indicates all hosts are reported)
Enable(1) or disable (0) reporting by destination port	If set to 1, enable network traffic monitoring by destination port. If set to 0, report total network traffic as destination port 0 (dest_port=0)	default = 0
M – maximum number of destination ports to report	Top number of ports to report	min = 1, max = 50, default = 10

Inputs

Palo Alto Networks NetFlow v9.

Syslog/JSON Message Fields

Key	Field Description	Comments
nfc_id	Message type identifier	“nfc_id=20032”
exp_ip	NetFlow exporter IPv4 address	<IPv4_address>
src_ip	Source host IPv4 address	<IPv4_address>
src_ip6	Source host IPv6 address	<IPv6_address>
dest_ip	Destination host IPv4 address	<IPv4_address>
dest_ip6	Destination host IPv6 address	<IPv6_address>
dest_port	Destination port number (e.g. 80 for http)	<number>
user	User-ID	<string> (“na” if not available)
denied_count	Denied flows count	<number>
t_int	Observation time interval, msec	<number>