Using Palo Alto User-ID and App-ID in Netflow analytics
Palo Alto firewalls can export two very useful pieces of information in their NetFlow records. The User-ID and App-ID 2) fields are added per flow:
- User-ID : harvested from a number of mechanisms that map IP addresses to user names. The primary method is to interface with Microsoft Exchange / AD servers.
- App-ID : the firewall applies heuristics to identify the exact traffic type (e.g. Facebook, Google, WhatsApp).
These two fields really turbocharge your visibility and investigation capabilities. This article explains how to leverage them in Trisul Network Analytics for:
- monitoring overall traffic of Users and Apps
- searching individual flows for a particular User or App at flow level
- aggregate statistics of a particular User or App.
Counter Groups
Trisul automatically creates two counter groups called User-ID and App-ID. These continuously meter the traffic statistics of users and apps across the overall network.
The metrics within the User-ID and App-ID counter groups are:
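The example below is added here and is not Trisul's own code; it shows in plain Python what the User-ID and App-ID counter groups, the per-flow search and a User-ID x App-ID crosskey amount to. The flow records are constructed, and their field names (`user_id`, `app_id`) are an assumption about how a collector would hand over the decoded Palo Alto fields; it also goes beyond the text by keeping traffic the firewall could not map to a user visible under an "unknown-user" key.

```python
from collections import defaultdict

# Constructed sample of flow records, as a collector might hand them over
# after decoding the Palo Alto NetFlow export (field names are assumptions).
FLOWS = [
    {"src": "10.1.1.10", "dst": "157.240.1.35", "bytes": 48000, "pkts": 60,
     "user_id": "acme\\alice", "app_id": "facebook-base"},
    {"src": "10.1.1.10", "dst": "142.250.72.14", "bytes": 12000, "pkts": 20,
     "user_id": "acme\\alice", "app_id": "google-base"},
    {"src": "10.1.1.11", "dst": "157.240.1.35", "bytes": 9000, "pkts": 15,
     "user_id": "acme\\bob", "app_id": "facebook-base"},
    # Flow the firewall could not map to a user (no User-ID value present).
    {"src": "10.1.1.12", "dst": "31.13.72.60", "bytes": 3000, "pkts": 5,
     "user_id": None, "app_id": "whatsapp-base"},
]

def _new_meter():
    return {"bytes": 0, "pkts": 0, "flows": 0}

def meter(flows):
    """Build the User-ID, App-ID and User-ID x App-ID crosskey counter groups."""
    groups = {"User-ID": defaultdict(_new_meter),
              "App-ID": defaultdict(_new_meter),
              "User-ID x App-ID": defaultdict(_new_meter)}
    for f in flows:
        user = f.get("user_id") or "unknown-user"  # keep unmapped traffic visible
        app = f.get("app_id") or "unknown-app"
        for group, key in (("User-ID", user), ("App-ID", app),
                           ("User-ID x App-ID", (user, app))):
            m = groups[group][key]
            m["bytes"] += f["bytes"]
            m["pkts"] += f["pkts"]
            m["flows"] += 1
    return {g: dict(v) for g, v in groups.items()}

def search_flows(flows, user_id=None, app_id=None):
    """Return the individual flows matching a User-ID and/or an App-ID."""
    return [f for f in flows
            if (user_id is None or f.get("user_id") == user_id)
            and (app_id is None or f.get("app_id") == app_id)]

def top_keys(groups, group, n=3):
    """Rank the keys of one counter group by bytes, as a dashboard top-N does."""
    return sorted(groups[group].items(),
                  key=lambda kv: kv[1]["bytes"], reverse=True)[:n]

if __name__ == "__main__":
    g = meter(FLOWS)
    for key, m in top_keys(g, "User-ID"):
        print(key, m)
```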
NAT issues
Create flow tags
Create dashboards
Query by user-id and app-id
Aggregate flows
Crosskeys
2) App-ID documentation: https://docs.paloaltonetworks.com/pan-os/7-1/pan-os-admin/app-id.html
tips/paloalto.1572608520.txt.gz · Last modified: 2019/11/01 17:12 by veera