ACC is Not Accurate During Heavy Traffic Log Generation
27389
Created On 09/26/18 13:55 PM - Last Modified 06/07/23 17:57 PM
Symptom
Under heavy traffic log generation (more than 100,000 logs per hour), the data presented for "Last Calendar Day" on the ACC (Application Control Center) could be different from calculated traffic logs results.
Environment
- NGFW
- Panorama
Cause
The information presented on the ACC comes from normal (every 15 minutes), hourly, daily, and weekly traffic summary (trsum, hourlytrsum, dailytrsum and weeklytrsum) data. Each type of traffic summary data has a 100k lines limit. If "Last Calendar Day" is selected on ACC, the data comes only from the daily traffic summary (dailytrsum). In scenarios of heavy traffic log generation, the 100k lines limit may be reached and some of the information will not be displayed on the ACC.
Resolution
To obtain more accurate results on the ACC, set a custom Time Range with a Start and End range of less than 1 day (24-hour period). The data appearing on the ACC may be more accurate, as the results are derived from hourlytrsum and also from trsum (for 15-min increments).
To show traffic summary on the CLI, use the following command:
> show log <value>
where <value> is one of the following: trsum, hourlytrsum, dailytrsum, weeklytrsum
owner: kkondo