Tracking ingress/egress traffic

We have a Palo Alto firewall (PA-500) for our public interface. We have noticed much traffic on the pipe lately and we can't track it down. Is there some way to tell what is creating all the traffic? We asked our ISP to give us IP accounting on the circuit, but they are slow to respond; by the time they set this up, the high-traffic condition has normalized. Is there a software package that we can use to track our network usage? I'd want to know where packets are coming from and where they are going, and I want to see it in real time. The Palo Alto has an extra interface, so it could be used as a tap to monitor the ingress/egress traffic.
Eric Hummel asked:
btan (Exec Consultant) commented:
Attribution to the origin IP is not easy, especially when going through the WWW. For HTTP, there is X-Forwarded-For, which a proxy may insert with the origin sender IP, but it can be tampered with as well; likewise for email headers, where there is a trail of the sender going via the various SMTP relays. If the source IP keeps varying across a running number of ranges, various geo-located IPs and blacklisted IPs, they may be bots or a botnet attempting to DDoS your online asset.

Specific to PAN and network packets, there are session tracker stats, but more probably they can reveal what the source is attempting during various sessions, like DDoS, port knocking, device scanning/fingerprinting, exfiltration etc. It is not obvious, especially when traffic is so high and intermittent or short-lived.

Maybe explore other cyber threat intelligence capabilities (most commonly known as a "Threat Intelligence Platform") such as ThreatStream, ThreatConnect and Norse IPViking services. The latter is a live map, but it is good to catch a summary list of equivalent services here, which depicts even open community providers etc.

Hence, expanding beyond just the ISP, you may even consider reporting to an authority like ICANN or an equivalent support group, though I am not sure how timely they are compared to the ISP.
...In many cases, your hosting provider or your Internet access provider should act on your behalf (and in self-interest). They will contact “upstream” providers and the ISPs that route traffic from the DDoS attack sources to notify these operators of the nature and suspected origins of the attack. These operators will investigate and will typically revoke routes or take other measures to squelch or discard traffic close to the source.

...If you cannot find contacts, or if the contacts you find are unresponsive, try contacting a Computer Incident, Emergency, or Security Incident Response Team (CERT/CIRT/CSIRT), or a Trusted Introducer (TI) team. CERT/CIRT organizations (find a national list here) or TI teams will investigate an attack, notify and share information with hosting providers or ISPs whose resources are being used to conduct the attack, and work with all affected parties to coordinate an effective mitigation.

....Contact law enforcement to report a crime, not to mitigate an attack. DDoS attacks are criminal acts in many jurisdictions. By filing a report, you and other victims provide valuable information that may be relevant in any subsequent investigation or prosecution of the attackers.
Another aspect: I am wondering if the IP (non-NATed) has any WhoIs records and reputation records from Domain Dossier, by throwing in the IP as input to the online service (listing out the WhoIs, IP traces etc.). From there, minimally see who registered and owns this IP range. More effort is needed if you are going to sinkhole this consistent source IP and try to understand what it is going to do, kind of running a honeynet and inserting honey tokens for attribution traces to be formed without the source knowing... that is not easy.
DarinTCH (Senior CyberSecurity Engineer) commented:
There is a network monitor under App-Scope.
You can also run some reports to see the traffic:
top senders
top countries sending
top senders
top destinations

Additionally, you can view a network map to see where it is originating.

What version of PAN-OS are you using?

Also, there is a cool Chrome plugin, called Panachrome, that offers even more statistics.

- must use Chrome as the browser
btan (Exec Consultant) commented:
You can also check out the visibility tools on Panorama. Using the Application Command Center (ACC), App-Scope, the log viewer, and the standard, customizable reporting options on Panorama, you can quickly learn more about the traffic traversing the network. Both the ACC and App-Scope allow you to monitor and report on the data recorded from traffic that traverses your network.

For example, you can enhance the security rules to increase compliance and accountability for all users across the network, or manage network capacity and minimize risks to assets while meeting the rich application needs of the users in your network. In short, you can
- centrally analyze, investigate and report on all network activity,
- identify areas with potential security impact, and
- translate them into secure application enablement policies

The most common use cases are to
- Monitor the Network with the ACC and AppScope
- Analyze Log Data
- Generate, Schedule, and Email Reports

Catch this for more details and examples:
https://www.paloaltonetworks.com/content/dam/paloaltonetworks-com/en_US/assets/pdf/framemaker/61/panorama/Panorama_AdminGuide/section_6.pdf

But one thing to note, which some find misleading, is the different stats seen on the Network Monitor graph and in the ACC.
- The Network Monitor graph and the ACC retrieve data from different sources, so it's normal to see different values.
>> Network Monitor includes the Appstat database, essentially counters on the dataplane.
>> The ACC view is based on the Appstat database.
- Traffic Summary is a rollup of the detailed traffic logs.
>> The actual ACC retrieves data from the Traffic Summary (trsum) database, which is dependent on logging being enabled on all rules.
>> Matching results could be obtained if all the security rules have been configured to log traffic at session start and at session end.
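The reports DarinTCH lists (top senders, top destinations) and the Traffic Summary caveat in the answer above both come down to rolling up per-session byte counts from the traffic log. The following is an added example, not code from this thread or from Palo Alto Networks: a small Python script that aggregates constructed traffic-log records into top senders, top destinations, top conversations and per-host ingress/egress byte counts, which is the "who is filling the pipe" view the question asks for. The CSV column layout (src, dst, proto, dport, bytes_sent, bytes_received) is an assumption for illustration; a real PAN-OS traffic log export has many more columns and their order depends on the PAN-OS version, so map the columns before pointing this at a real export. As btan notes, sessions that hit a rule without logging never reach the traffic log, so any rollup like this is only as complete as the logging configuration on every rule.

```python
"""Top-talker rollup over firewall traffic-log records.

Added example (not from the thread or from Palo Alto Networks). The CSV
layout below is an assumption for illustration; a real PAN-OS traffic log
export has more columns, in a version-dependent order. bytes_sent counts
bytes from src to dst and bytes_received counts bytes from dst to src, the
way a per-session traffic log reports them.
"""
import csv
import io
from collections import Counter, defaultdict

# Constructed sample records; addresses are from documentation ranges.
SAMPLE_LOG = """\
src,dst,proto,dport,bytes_sent,bytes_received
10.1.1.5,203.0.113.10,tcp,443,1200,85000
10.1.1.5,198.51.100.7,tcp,443,400,300000
10.1.1.9,203.0.113.10,udp,53,120,240
10.1.1.9,203.0.113.22,tcp,80,900000,15000
192.0.2.77,10.1.1.5,tcp,25,5000,600
"""


def parse_flows(text):
    """Parse CSV traffic-log text into a list of dicts with integer byte counts.

    Rows with missing or malformed byte counts are skipped rather than
    aborting the report; a syslog export often ends in a truncated line.
    """
    flows = []
    for row in csv.DictReader(io.StringIO(text)):
        try:
            row["bytes_sent"] = int(row["bytes_sent"])
            row["bytes_received"] = int(row["bytes_received"])
        except (KeyError, TypeError, ValueError):
            continue
        flows.append(row)
    return flows


def top_talkers(flows, n=5):
    """Rank sources, destinations and src->dst pairs by total session bytes."""
    by_src, by_dst, by_pair = Counter(), Counter(), Counter()
    for f in flows:
        total = f["bytes_sent"] + f["bytes_received"]
        by_src[f["src"]] += total
        by_dst[f["dst"]] += total
        by_pair[(f["src"], f["dst"])] += total
    return {
        "senders": by_src.most_common(n),
        "destinations": by_dst.most_common(n),
        "conversations": by_pair.most_common(n),
    }


def host_direction(flows):
    """Per-host bytes in each direction, regardless of who opened the session.

    A host's 'out' is what it transmitted: bytes_sent when it is the source,
    bytes_received when it is the destination. This separates a host that is
    downloading a lot from one that is pushing data out (exfiltration, or a
    server being abused as a reflector).
    """
    hosts = defaultdict(lambda: {"in": 0, "out": 0})
    for f in flows:
        hosts[f["src"]]["out"] += f["bytes_sent"]
        hosts[f["src"]]["in"] += f["bytes_received"]
        hosts[f["dst"]]["in"] += f["bytes_sent"]
        hosts[f["dst"]]["out"] += f["bytes_received"]
    return dict(hosts)


def top_egress(flows, n=5):
    """Hosts ranked by bytes they transmitted: the 'who is filling the uplink' view."""
    hosts = host_direction(flows)
    ranked = sorted(hosts.items(), key=lambda kv: kv[1]["out"], reverse=True)
    return [(host, stats["out"]) for host, stats in ranked[:n]]


def format_report(flows, n=3):
    """Render the rollups as plain text for a console or a scheduled e-mail."""
    lines = []
    for title, rows in top_talkers(flows, n).items():
        lines.append(f"Top {title}:")
        for key, total in rows:
            label = " -> ".join(key) if isinstance(key, tuple) else key
            lines.append(f"  {label:<35} {total:>10} bytes")
    lines.append("Top egress hosts:")
    for host, out in top_egress(flows, n):
        lines.append(f"  {host:<35} {out:>10} bytes out")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(parse_flows(SAMPLE_LOG)))
```

In the constructed sample, 10.1.1.9 tops both the "senders" list (by total session bytes) and the egress list, but 10.1.1.5 is the heavier consumer of inbound bytes; only the per-direction view tells those two cases apart, which is the distinction that matters when deciding whether an outbound-heavy host is a backup job or something that needs an incident ticket. For the real-time requirement in the question, the same rollup can be fed from the firewall's syslog stream instead of a file, since each session generates one log entry at session end.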
