tips:paloalto
Differences
This shows you the differences between two versions of the page.
| Both sides previous revisionPrevious revisionNext revision | Previous revision | ||
| tips:paloalto [2019/11/01 17:12] – [Using Palo Alto User-ID and App-ID in Netflow analytics] veera | tips:paloalto [2019/11/01 18:25] (current) – [NAT issues] veera | ||
|---|---|---|---|
| Line 12: | Line 12: | ||
| * aggregate statistics of a particular User or App. | * aggregate statistics of a particular User or App. | ||
| - | ===== Counter Groups | + | ===== Monitor overall traffic |
| - | Trisul automatically creates two counter groups called | + | ==== New Counter Groups : User-ID and App-ID |
| - | The metrics within the User-ID and App-ID | + | Trisul automatically creates two counter groups called |
| + | ^meter^description^ | ||
| + | |Total traffic|Total traffic bandwidth used by a User or App| | ||
| + | |Download traffic| Download bandwidth used by per User/App. The Download direction is metered when the flow source IP is an external IP address and the destination-IP is internal. Internal IPs belong to the Home Network configured in Trisul| | ||
| + | |Upload traffic| per-User bandwidth out of home network to external| | ||
| + | |Internal traffic| per-User bandwidth where both the source and destination are inside the home network| | ||
| + | |Transit traffic| where both source and destination are outside the home network. You will typically not find data here in normal enterprise environments| | ||
| + | |Flows| Total number of flows active per user/app | | ||
| + | To view these metrics | ||
| + | * **Use Retro Analysis** : Select //Retro > Retro Counters// then select a time frame, then select User-ID from the list of counters shown on the right side. You can see the top items for each metric. | ||
| + | * **Create dashboards** : Customize > UI > | ||
| + | |||
| + | The retro analysis screen looks like below. | ||
| + | |||
| + | {{: | ||
| + | |||
| + | The Retro Analysis tools show you the Top-N, Bottom-N, Topper Trend over time, and Pie chart views. The following chart shows you toppers over time. | ||
| + | |||
| + | {{: | ||
| + | |||
| + | |||
| + | ==== NAT issues ==== | ||
| + | |||
| + | The default behaviour is to show the Internal and External IP addresses. The NAT is hidden from Trisul , if you wish to see the NAT'd firewall address set the following parameter to FALSE in the [[https:// | ||
| + | |||
| + | < | ||
| + | < | ||
| + | |||
| + | </ | ||
| + | |||
| + | |||
| + | ==== Query by user-id and app-id ==== | ||
| + | |||
| + | The next step is to create a [[https:// | ||
| + | |||
| + | Login as admin, then go to profile0 > Flow Taggers > Create a new Flow Tagger. | ||
| + | |||
| + | {{: | ||
| + | |||
| + | Do the same for App-ID. | ||
| + | |||
| + | === Query flows === | ||
| + | |||
| + | |||
| + | //From Tools > Explore Flows// | ||
| + | Use the syntax '' | ||
| + | or '' | ||
| + | |||
| + | You can see the flow tags. | ||
| + | {{: | ||
| + | |||
| + | |||
| + | |||
| + | === Aggregate flows === | ||
| + | |||
| + | //From Tools > Aggregate Flows// | ||
| + | Use '' | ||
| + | |||
| + | This shows top IPs, top Applications, | ||
| + | |||
| + | A sample is shown below. | ||
| + | |||
| + | {{: | ||
| + | |||
| + | ==== Conclusion ==== | ||
| + | |||
| + | User-ID and App-ID attributes open up very powerful possibilities for visibility and investigation. Using the flexible tools offered by the Trisul platform you can customize in a variety of ways. Other tools you can use are " | ||
| - | NAT issues | ||
| - | Create flow tags | ||
| - | Create dashboards | ||
| - | Query by user-id and app-id | ||
| - | Aggregate flows | ||
| - | Crosskeys | ||
tips/paloalto.1572608520.txt.gz · Last modified: 2019/11/01 17:12 by veera