tips:paloalto

Differences

This shows you the differences between two versions of the page.

tips:paloalto [2019/10/31 16:16] veera
tips:paloalto [2019/11/01 17:47] – [New Counter Groups : User-ID and App-ID] veera
Line 1: Line 1:
-====== How to leverage Palo Alto User-ID and App-ID in Netflow analytics ======+====== Using Palo Alto User-ID and App-ID in Netflow analytics ======
  
  
Line 8: Line 8:
 These two fields really turbo charge your visibility and investigation capabilities. This article explains how to leverage these in Trisul Network Analytics. These two fields really turbo charge your visibility and investigation capabilities. This article explains how to leverage these in Trisul Network Analytics.
  
-===== Counter Groups =====+  * monitoring overall traffic of Users and Apps 
 +  * searching individual flows for a particular User or App at flow level 
 +  * aggregate statistics of a particular User or App. 
  
-Trisul automatically creates two counter groups called User-ID and App-ID. These meter the traffic statistics continuously of these groups in the overall network. +===== Monitor overall traffic =====
  
-The metrics within the User-ID and App-ID counter groups are.+==== New Counter Groups : User-ID and App-ID  ====
  
 +Trisul automatically creates two counter groups called User-ID and App-ID. These meter the following metrics at the global level.
  
 +^meter^description^
 +|Total traffic|Total traffic bandwidth used by a User or App|
 +|Download traffic| Download bandwidth used by per User/App. The Download direction is metered when the flow source IP is an external IP address and the destination-IP is internal. Internal IPs belong to the Home Network configured in Trisul|
 +|Upload traffic| per-User bandwidth out of home network to external|
 +|Internal traffic| per-User bandwidth where both the source and destination are inside the home network|
 +|Transit traffic| where both source and destination are outside the home network. You will typically not find data here in normal enterprise environments|
 +|Flows| Total number of flows active per user/app |
  
  
-NAT issues+To view these metrics  
 +  * **Use Retro Analysis** : Select //Retro > Retro Counters// then select a time frame, then select User-ID from the list of counters shown on the right side.  You can see the top items for each metric. 
 +  * **Create dashboards** : Customize > UI >Dashboards > Create a new dashboard. Give it a name. Then Press the + button to add a new module.   Clone "Current Top Hosts" of type "current toppers in a list". Then edit to module to change to User-ID and Metric 0.  
 + 
 +The retro analysis screen looks like below. 
 + 
 +{{:tips:retro.png?600|}} 
 + 
 +The Retro Analysis tools show you the Top-N, Bottom-N, Topper Trend over time, and Pie chart views. The following chart shows you toppers over time.  
 + 
 +{{:tips:retro2.png?600|}} 
 + 
 + 
 +==== NAT issues ==== 
  
 Create flow tags Create flow tags
  
-Create dashboards 
  
 Query by user-id and app-id Query by user-id and app-id
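Review bot: the metric table added in this hunk is inconsistent about what the counters are keyed on. The `Download traffic` row says `per User/App`, but the `Upload traffic` and `Internal traffic` rows say `per-User`, although the sentence above the table states that both the User-ID and App-ID counter groups meter these metrics. Make every row read "per User/App" and drop the stray "by" in `Download bandwidth used by per User/App`. Two smaller points: the dashboards step tells the reader to change the module to "Metric 0" while the table identifies metrics by name, so name the intended metric from the table rather than its index; and the new `==== NAT issues ====` heading is added with no body, while the `Create flow tags` and `Query by user-id and app-id` lines below it still lack the `====` heading markup this hunk introduces for the other sections. Since the Transit row is defined as traffic where neither endpoint is in the Home Network, one sentence noting that unexpected Transit traffic usually means the Home Network definition is incomplete would help readers interpret that counter.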
tips/paloalto.txt · Last modified: 2019/11/01 18:25 by veera