

Using Palo Alto User-ID and App-ID in Netflow analytics

Palo Alto firewalls are capable of exporting two very useful pieces of information in their Netflow export. The User-ID and App-ID fields are added per flow:

  1. User-ID : harvested from a number of mechanisms that map IP addresses to user names. The primary method is to interface with Microsoft Exchange / AD servers.
  2. App-ID : the firewall applies heuristics to identify the exact traffic type (e.g. Facebook, Google, WhatsApp)

These two fields really turbo-charge your visibility and investigation capabilities. This article explains how to leverage them in Trisul Network Analytics for:

  • monitoring overall traffic of Users and Apps
  • searching individual flows for a particular User or App at flow level
  • aggregate statistics of a particular User or App.

Monitor overall traffic

New Counter Groups : User-ID and App-ID

Trisul automatically creates two counter groups called User-ID and App-ID. These meter the following metrics at the global level.

Meter            | Description
Total traffic    | Total traffic bandwidth used by a User or App
Download traffic | Download bandwidth used per User/App. The Download direction is metered when the flow source IP is an external IP address and the destination IP is internal. Internal IPs belong to the Home Network configured in Trisul
Upload traffic   | Per-User/App bandwidth flowing out of the Home Network to external addresses
Internal traffic | Per-User/App bandwidth where both the source and destination are inside the Home Network
Transit traffic  | Bandwidth where both source and destination are outside the Home Network. You will typically not find data here in normal enterprise environments
Flows            | Total number of flows active per User/App
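The following is an added example (not Trisul's own code) showing how these meters are derived from flow records that carry the User-ID and App-ID fields: each flow is classified as download, upload, internal or transit by checking the source and destination IPs against the Home Network prefixes, then rolled up per User and per App. The Home Network prefixes and the flow records are constructed sample values, and the dict field names are an assumption for illustration.

```python
import ipaddress
from collections import defaultdict

# Home Network prefixes, as configured in Trisul (constructed sample values)
HOME_NETWORK = [ipaddress.ip_network("10.0.0.0/8"),
                ipaddress.ip_network("192.168.0.0/16")]

def is_internal(ip):
    """True if the address falls inside any Home Network prefix."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in HOME_NETWORK)

def direction(src, dst):
    """Classify a flow the same way the counter-group meters do."""
    s, d = is_internal(src), is_internal(dst)
    if not s and d:
        return "download"   # external source -> internal destination
    if s and not d:
        return "upload"     # internal source -> external destination
    if s and d:
        return "internal"   # both ends inside the Home Network
    return "transit"        # both ends outside the Home Network

def meter(flows):
    """Roll up total/download/upload/internal/transit bytes and flow
    counts per User-ID and per App-ID from a list of flow records."""
    groups = {"User-ID": defaultdict(lambda: defaultdict(int)),
              "App-ID": defaultdict(lambda: defaultdict(int))}
    for f in flows:
        d = direction(f["src"], f["dst"])
        for group, key in (("User-ID", f["user"]), ("App-ID", f["app"])):
            m = groups[group][key]
            m["total"] += f["bytes"]
            m[d] += f["bytes"]
            m["flows"] += 1
    return groups

# Constructed sample flows carrying the Palo Alto User-ID / App-ID fields
SAMPLE_FLOWS = [
    {"src": "10.1.1.5", "dst": "203.0.113.10", "bytes": 1200,
     "user": "alice", "app": "google-base"},
    {"src": "203.0.113.10", "dst": "10.1.1.5", "bytes": 48000,
     "user": "alice", "app": "google-base"},
    {"src": "10.1.1.5", "dst": "192.168.5.9", "bytes": 700,
     "user": "alice", "app": "smb"},
    {"src": "198.51.100.7", "dst": "203.0.113.22", "bytes": 300,
     "user": "unknown", "app": "ssl"},
]
```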

NAT issues

Create flow tags

Create dashboards

Query by user-id and app-id

Aggregate flows

Crosskeys

tips/paloalto.1572609073.txt.gz · Last modified: 2019/11/01 17:21 by veera