ACC shows spike in bytes transmitted.

Created On 08/10/20 15:36 PM - Last Modified 12/22/22 03:58 AM


Symptom


  • When reviewing ACC activity, one may observe a traffic spike for a specific destination or application over a short period of time.
  • In the example below, a filter for the past 30 minutes shows that the firewall has sent 330GB of logs to a dedicated Log Collector.


Environment


  • Palo Alto Firewall
  • Supported PAN-OS
  • ACC (Application Command Center)


Cause


  1. The amount of bytes is calculated and recorded at the end of the session.
  2. The amount of bytes shown in the ACC is the total amount of bytes transmitted during the lifetime of a session, so a large value can be expected behavior depending on how long the session has been active.
  3. In the example, this was a session that was active for a few months, and the traffic details were recorded at the end of the session.


Resolution


Review the session information on the firewall for the related traffic under Monitor > Traffic logs and check that it is consistent with the ACC tab.
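
An added example, not part of the original article: a Python sketch of that consistency check run over an exported traffic log, separating a long-lived session whose lifetime bytes landed in one interval from a transfer that really happened inside the window. The CSV column names, the sample rows, and the constant-rate estimate are assumptions made for illustration.

```python
import csv
import io

# Constructed sample export. Column names are assumed, not taken from the article.
SAMPLE_CSV = """Session ID,Application,Destination address,Bytes,Elapsed Time (sec)
1001,example-log-forwarding,10.0.0.50,330000000000,7776000
1002,example-web,203.0.113.10,52000000,12
1003,example-upload,198.51.100.7,40000000000,600
"""

WINDOW_SEC = 30 * 60  # the 30-minute ACC filter from the article's example


def explain_spikes(csv_text, window_sec=WINDOW_SEC, min_bytes=1_000_000_000):
    """Return large sessions with an estimate of bytes really sent in the window.

    Bytes are recorded when the session ends, so the whole lifetime total lands
    in the interval where the session closed. The estimate assumes a constant
    transfer rate over the session lifetime (a simplification).
    """
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        total = int(row["Bytes"])
        if total < min_bytes:
            continue  # too small to show up as a spike
        elapsed = max(int(row["Elapsed Time (sec)"]), 1)  # guard 0-second sessions
        in_window = total * min(window_sec, elapsed) // elapsed
        findings.append({
            "session": row["Session ID"],
            "app": row["Application"],
            "dst": row["Destination address"],
            "reported_bytes": total,
            "est_bytes_in_window": in_window,
            # True: accounting artifact of a long session; False: real burst
            "long_lived": elapsed > window_sec,
        })
    return findings


if __name__ == "__main__":
    for f in explain_spikes(SAMPLE_CSV):
        kind = "long-lived session" if f["long_lived"] else "burst inside window"
        print(f"{f['session']} {f['app']} -> {f['dst']}: reported "
              f"{f['reported_bytes']:,} B, est. in window "
              f"{f['est_bytes_in_window']:,} B ({kind})")
```

A session reported as a burst inside the window moved its bytes within the filtered period and is worth a closer look at the destination; a long-lived one matches the behavior described under Cause.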

Additional Information


Other considerations when using ACC:
  • ACC runs on the Summary Database and not on the Detailed Database.
  • Summary Databases do not include logs when the action is Deny.
  • Summary Databases are created every 15 minutes.

