Eric Hummel
asked on
Tracking ingress/egress traffic
We have a Palo Alto firewall (PA-500) for our public interface. We have noticed much traffic on the pipe lately and we can't track it down. Is there some way to tell what is creating all the traffic? We asked our ISP to give us IP accounting on the circuit, but they are slow to respond; by the time they set this up, the high traffic condition has normalized. Is there a software package that we can use to track our network usage? I'd want to know where packets are coming from and where they are going, and I want to see it in real time. The Palo Alto has an extra interface, so it could be used as a tap to monitor the ingress/egress traffic.
Specific to PAN and network packets, there are session tracker stats, but more probably these can reveal what the source is attempting during various sessions, like DDoS, port knocking, device scanning/fingerprinting, exfiltration, etc. It is not obvious, especially when traffic is so high and intermittent or short-lived.
Maybe another option is to explore other cyber threat intelligence capabilities (more commonly known as a "Threat Intelligence Platform") such as ThreatStream, ThreatConnect, or Norse IPViking services. The latter is a live map, but it is good to catch a summary list of equivalent services here, which depicts even open community providers, etc.
Hence, expanding beyond just the ISP, you may even consider reporting to an authority like ICANN or an equivalent support group, though I am not sure how timely they are compared to the ISP. Another aspect: I am wondering if the IP (non-NATed) has any WhoIs records and reputation records from Domain Dossier, by throwing the IP in as input to the online service (listing out the WhoIs, IP traces, etc.). From there, minimally, see who registered and owns this IP range. More effort is needed if you are going to sinkhole this consistent source IP and try to understand what it is going to do, kind of running a honeynet and inserting honey tokens for attribution traces to be formed without the source knowing... that is not easy.
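The asker wants to see, in near real time, which hosts are generating the traffic and where it is going, and the answer notes that this is not obvious when the traffic is high but intermittent or short-lived. The following is an added example, not code from the thread or from Palo Alto: it aggregates per-flow byte counts from flow records (exported from the firewall or captured on the spare interface) into top talkers, ingress/egress totals, top conversations and short-window bursts. The CSV layout and the flow lines are constructed for the example, and the 10.0.0.0/8 internal prefix is an assumption; a real PAN-OS traffic-log or NetFlow/IPFIX export would need its own parser feeding the same record shape.

```python
"""Top-talker and burst aggregation over firewall flow records.

Added example, not from the original thread. Assumes flow records in a
simple CSV (ts, src, dst, dst_port, proto, bytes); the sample lines below
are constructed, not real PA-500 output.
"""
import csv
import ipaddress
from collections import Counter, defaultdict
from io import StringIO

# Assumed internal address space; adjust to your own address plan.
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")

# Constructed sample flow records (documentation-range addresses, not real data).
SAMPLE_FLOWS = """\
ts,src,dst,dst_port,proto,bytes
1700000000,10.0.1.25,203.0.113.10,443,tcp,1200
1700000001,10.0.1.25,203.0.113.10,443,tcp,950000
1700000002,10.0.2.7,198.51.100.5,80,tcp,40000
1700000003,198.51.100.77,10.0.0.3,22,tcp,1500
1700000004,10.0.1.25,203.0.113.10,443,tcp,2100000
1700000005,10.0.3.9,192.0.2.200,53,udp,300
1700000006,192.0.2.200,10.0.3.9,53,udp,700
1700000007,10.0.2.7,198.51.100.5,80,tcp,60000
1700000008,10.0.1.25,203.0.113.11,443,tcp,500000
1700000009,198.51.100.78,10.0.0.3,22,tcp,900
"""


def parse_flows(text):
    """Parse CSV flow records into dicts with typed fields."""
    flows = []
    for row in csv.DictReader(StringIO(text)):
        flows.append({
            "ts": int(row["ts"]),
            "src": ipaddress.ip_address(row["src"]),
            "dst": ipaddress.ip_address(row["dst"]),
            "dst_port": int(row["dst_port"]),
            "proto": row["proto"],
            "bytes": int(row["bytes"]),
        })
    return flows


def direction(flow):
    """Classify a flow as egress, ingress, internal or transit relative to INTERNAL_NET."""
    src_in = flow["src"] in INTERNAL_NET
    dst_in = flow["dst"] in INTERNAL_NET
    if src_in and not dst_in:
        return "egress"
    if dst_in and not src_in:
        return "ingress"
    return "internal" if src_in and dst_in else "transit"


def bytes_by_direction(flows):
    """Total bytes per direction, which shows whether the pipe is filling up inbound or outbound."""
    totals = Counter()
    for f in flows:
        totals[direction(f)] += f["bytes"]
    return totals


def top_talkers(flows, key="src", n=5):
    """Return the n addresses with the most bytes, keyed on 'src' or 'dst'."""
    totals = Counter()
    for f in flows:
        totals[str(f[key])] += f["bytes"]
    return totals.most_common(n)


def top_conversations(flows, n=5):
    """Return the n (src, dst, dst_port, proto) tuples with the most bytes."""
    totals = Counter()
    for f in flows:
        totals[(str(f["src"]), str(f["dst"]), f["dst_port"], f["proto"])] += f["bytes"]
    return totals.most_common(n)


def bursty_sources(flows, window=5, threshold=1_000_000):
    """Sources whose bytes in any `window`-second bin exceed `threshold`.

    This is what surfaces a short-lived spike that a whole-day total hides."""
    bins = defaultdict(Counter)
    for f in flows:
        bins[f["ts"] // window][str(f["src"])] += f["bytes"]
    hits = set()
    for per_source in bins.values():
        for src, total in per_source.items():
            if total > threshold:
                hits.add(src)
    return sorted(hits)


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print("bytes by direction:", dict(bytes_by_direction(flows)))
    print("top sources:", top_talkers(flows, "src"))
    print("top destinations:", top_talkers(flows, "dst"))
    print("top conversations:", top_conversations(flows, 3))
    print("bursty sources:", bursty_sources(flows))
```

To use it on your own data, replace SAMPLE_FLOWS with an export of the firewall's traffic logs (or flow records collected on the tap interface) mapped into the same six columns, and pick a window matching how short the spikes are; on the constructed sample the burst check singles out 10.0.1.25, which pushed about 3 MB to 203.0.113.10 in a five-second bin.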