Top Traffic Destinations for Palo Alto Networks (10031 / 20031)

Description

This Module utilizes Palo Alto Networks NetFlow v9 reporting and provides a list of top network bandwidth destinations. Top bandwidth destinations are reported by Network Device and by Destination Port over a time interval. Only TCP/IP and UDP traffic is accounted for. The number of reported top consumers (N) and the observation interval (T, sec) are configurable. This information is provided per NetFlow exporter.

Parameters

Parameter Name	Description	Comments
Data Collection Interval, sec	Module logic execution interval	min = 10 sec, max = 600 sec, default = 30 sec
Application protocol (l4_dst_port) list	List of watched layer 4 destination ports. If specified, the traffic is reported by specified ports, and all other traffic is summed up under dest_port=0. If the list is empty, the traffic is reported by all actual destination ports.	e.g. 80, 443
N – number of reported hosts	Top N (number of reported destinations)	min = 0, max = 100000, default = 50 (0 indicates all hosts are reported)
Enable(1) or disable (0) reporting by destination port	If set to 1, enable network traffic monitoring by destination port. If set to 0, report total network traffic as destination port 0 (dest_port=0)	default = 0
M – maximum number of destination ports to report	Top number of ports to report	min = 1, max = 50, default = 10

Inputs

Palo Alto Networks NetFlow v9.

Syslog/JSON Message Fields

Key	Field Description	Comments
nfc_id	Message type identifier	“nfc_id=20031”
exp_ip	NetFlow exporter IPv4 address	<IPv4_address>
dest_ip	Destination host IPv4 address	<IPv4_address>
dest_ip6	Destination host IPv6 address	<IPv6_address>
dest_port	Destination port number (e.g. 80 for http)	<number>
created_count	Created flows count	<number>
denied_count	Denied flows count	<number>
bytes	Bytes total (Traffic)	<number>
percent_of_total	Percent of Total (Traffic)	<decimal> (if < 1% reported as zero)
t_int	Observation time interval, msec	<number>