Abnormal traffic volume value is displayed on Network Monitor Report
Created On 10/27/22 03:22 AM - Last Modified 01/29/25 23:08 PM
Symptom
- An abnormally high traffic volume for the syslog application suddenly appears on the Network Monitor Report.
- The traffic is unexpected, and there are no traffic log entries corresponding to it.
Environment
- Palo Alto Firewall or Panorama
- Supported PAN-OS
- Network Monitor Report for Application
Cause
- A service route is configured for sending logs (syslog forwarding) out of a dataplane interface, so the firewall's own syslog traffic traverses the dataplane as a regular session.
- No explicit intra-zone security policy matches that traffic, so it hits the predefined intrazone-default rule, which does not log by default.
Resolution
- The Network Monitor Report for Application is built from "appstat", not from the traffic logs.
- Appstat information comes directly from the dataplane and does not depend on any log setting in the security policy.
- Appstat records the application's traffic volume when the "syslog" session ends.
- This is why the syslog application can suddenly show a high volume value in the report even though no traffic log entries exist for it.
- If traffic log entries are wanted for this traffic as well, override the intrazone-default rule and enable Log at Session End, or add an explicit intra-zone security policy that logs.
Additional Information
- To check the specific application's traffic log and appstat log, use the following commands:

    show log traffic csv-output equal yes direction equal backward app equal syslog
    show log appstat csv-output equal yes direction equal backward name equal syslog

- To check the actual logging rate, use the following command:

    debug log-receiver statistics

- To check the active session information, use the following commands:

    show session all filter application syslog
    show session id xxxx    <--- enter the syslog traffic session ID

Example:

    admin@PAN-TEST> show session all filter application syslog
    --------------------------------------------------------------------------------
    ID          Application    State   Type Flag  Src[Sport]/Zone/Proto (translated IP[Port])
    Vsys                                          Dst[Dport]/Zone (translated IP[Port])
    --------------------------------------------------------------------------------
    136567       syslog         ACTIVE  FLOW       172.16.184.1[51360]/L3-Trust/17  (172.16.184.1[51360])
    vsys1                                          172.16.140.222[514]/L3-Trust  (172.16.140.222[514])

    admin@PAN-TEST> show session id 136567
    Session          136567

            c2s flow:
                    source:      172.16.184.1 [L3-Trust]
                    dst:         172.16.140.222
                    proto:       17
                    sport:       51360           dport:      514
                    state:       ACTIVE          type:       FLOW
                    src user:    unknown
                    dst user:    unknown

            s2c flow:
                    source:      172.16.140.222 [L3-Trust]
                    dst:         172.16.184.1
                    proto:       17
                    sport:       514             dport:      51360
                    state:       ACTIVE          type:       FLOW
                    src user:    unknown
                    dst user:    unknown

            start time                            : Wed Oct 26 20:11:56 2022
            timeout                               : 30 sec
            time to live                          : 15 sec
            total byte count(c2s)                 : 800
            total byte count(s2c)                 : 0
            layer7 packet count(c2s)              : 1
            layer7 packet count(s2c)              : 0
            vsys                                  : vsys1
            application                           : syslog
            rule                                  : intrazone-default
            service timeout override(index)       : False
            session to be logged at end           : False
            session in session ager               : True
            session updated by HA peer            : False
            layer7 processing                     : completed
            URL filtering enabled                 : False
            session via syn-cookies               : False
            session terminated on host            : True
            session traverses tunnel              : False
            session terminate tunnel              : False
            captive portal session                : False
            ingress interface                     : ethernet1/6
            egress interface                      : ethernet1/6
            session QoS rule                      : N/A (class 4)
            tracker stage l7proc                  : ctd app has no decoder
            end-reason                            : unknown

In this output, "rule : intrazone-default" and "session to be logged at end : False" are the fields to check: the session is counted by appstat (800 bytes c2s) when it ends, but no traffic log entry will be written for it.
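The following script is an added example, not part of this article or of PAN-OS. It parses the text of a "show session id" command (the constructed sample embedded below is the session output shown above, trimmed to the relevant fields) and reports why a session will appear in the appstat-based Network Monitor Report while producing no traffic log entry. The interpretation of "session terminated on host" as meaning one endpoint is the firewall itself is an assumption noted in the code; the field names and layout are those of the CLI output reproduced on this page.

```python
import re

# Constructed sample: the "show session id 136567" output reproduced on this page,
# trimmed to the fields this check needs. Layout follows the PAN-OS CLI: flow
# fields as "key:  value" (sometimes two per line), session attributes as "key : value".
SAMPLE_SESSION = """\
Session          136567

        c2s flow:
                source:      172.16.184.1 [L3-Trust]
                dst:         172.16.140.222
                proto:       17
                sport:       51360           dport:      514
                state:       ACTIVE          type:       FLOW
                src user:    unknown
                dst user:    unknown

        s2c flow:
                source:      172.16.140.222 [L3-Trust]
                dst:         172.16.184.1
                proto:       17
                sport:       514             dport:      51360
                state:       ACTIVE          type:       FLOW
                src user:    unknown
                dst user:    unknown

        start time                            : Wed Oct 26 20:11:56 2022
        total byte count(c2s)                 : 800
        total byte count(s2c)                 : 0
        vsys                                  : vsys1
        application                           : syslog
        rule                                  : intrazone-default
        session to be logged at end           : False
        session terminated on host            : True
        ingress interface                     : ethernet1/6
        egress interface                      : ethernet1/6
        end-reason                            : unknown
"""

# "key:  value" pairs inside a flow block; a value may carry a " [zone]" suffix.
FLOW_PAIR = re.compile(r"([a-z][a-z ]*?):\s+(\S+(?: \[[^\]]+\])?)")


def parse_session(text):
    """Turn 'show session id' text into {'id', 'c2s', 's2c', 'attrs'}."""
    session = {"id": None, "c2s": {}, "s2c": {}, "attrs": {}}
    flow = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"Session\s+(\d+)$", line)
        if m:
            session["id"] = m.group(1)
            continue
        m = re.match(r"(c2s|s2c) flow:$", line)
        if m:
            flow = m.group(1)
            continue
        if " : " in line:                      # session attribute line
            flow = None
            key, value = line.split(" : ", 1)
            session["attrs"][key.strip()] = value.strip()
        elif flow:                             # one or more fields of the current flow
            session[flow].update(FLOW_PAIR.findall(line))
    return session


def total_bytes(session):
    """Volume appstat will attribute to the application when the session ends."""
    a = session["attrs"]
    return int(a["total byte count(c2s)"]) + int(a["total byte count(s2c)"])


def will_be_logged(session):
    """True only if the dataplane will write a traffic log entry at session end."""
    return session["attrs"].get("session to be logged at end") == "True"


def explain_missing_traffic_log(session):
    """Reasons a session shows up in appstat (Network Monitor) but not in the traffic log."""
    a = session["attrs"]
    reasons = []
    if not will_be_logged(session):
        reasons.append("'session to be logged at end' is False: no traffic log entry will be written")
    if a.get("rule") == "intrazone-default":
        reasons.append("matched the predefined intrazone-default rule, which does not log unless overridden")
    if a.get("session terminated on host") == "True":
        # Assumption: 'terminated on host' marks one endpoint as the firewall itself,
        # which is what log forwarding through a dataplane service route looks like.
        reasons.append("one endpoint is the firewall itself (service-route sourced traffic)")
    return reasons


if __name__ == "__main__":
    s = parse_session(SAMPLE_SESSION)
    print(f"session {s['id']}: app={s['attrs']['application']} "
          f"{s['c2s']['source']} -> {s['c2s']['dst']}:{s['c2s']['dport']} "
          f"bytes={total_bytes(s)} logged={will_be_logged(s)}")
    for r in explain_missing_traffic_log(s):
        print(" -", r)
```

Paste the output of "show session id" for any session returned by "show session all filter application syslog" into this parser; a session that reports zero reasons is one whose volume should also be reconcilable against "show log traffic".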