Use Case: Monitor Applications Using Panorama

This example takes you through the process of assessing how effective your current policies are and determining where you need to adjust them to enforce the acceptable use policies for your network.
When you log in to Panorama, the Top Applications widget on the Dashboard gives a preview of the most used applications over the last hour. To display the widget, select Widgets > Application > Top Applications in the toolbar. You can either glance over the list of top applications and mouse over each application block for which you want to review the details, or you can select the ACC tab to view the same information as an ordered list. The following image is a view of the Top Applications widget on the Dashboard.
Figure 1: Top Applications Widget
The data source for this display is the application statistics database; it does not use the Traffic logs and is populated whether or not you have enabled logging on your security rules. This view of the traffic on your network shows everything that is allowed on your network, that is, everything that flows through without being blocked by any policy rule you have defined. Because it reflects only allowed traffic, an application that appears here is one that no current rule stops.
In the ACC tab, you can toggle the Data Source between Panorama (local data) and Remote Device Data, which queries the managed firewalls; in the latter case Panorama automatically aggregates and displays the information. For faster loading, use Panorama as the data source (with log forwarding to Panorama enabled), because the time to load data from the managed firewalls varies with the time period for which you choose to view data and with the volume of traffic generated on your network. If your managed firewalls run a combination of PAN-OS 7.0 and earlier versions, Remote Device Data is not available.
The Dashboard example in Figure 1 shows BitTorrent as a popular application. If you click the BitTorrent application block, Panorama opens the ACC > Network Activity tab with BitTorrent applied as a global filter and shows information on the application, the users who accessed the application, and the details on the risk level and characteristics of the application.
Figure 2: Network Activity Tab
In the User Activity widget, you can see how many users are using BitTorrent and the volume of traffic they are generating. If you have enabled User-ID, you can view the names of the users who are generating this traffic and drill down to review all the sessions, content, or threats associated with each user.
In the Threat Activity tab, view the Compromised Hosts widget to see which correlation objects were matched and to review the match evidence associated with the user and application. You can also view the threat name, category, and ID in the Threat Activity widget.
With BitTorrent set as a global filter, use the Destination IP Activity and Destination Regions widgets to verify where the traffic was destined. You can also view the ingress and egress zones and the security rule that is letting this connection through.
For more detailed information, use the jump-to-logs link to open the Traffic logs with the same filter applied, and review each log entry for the ports used, packets sent, and bytes sent and received. Adjust the columns to show more or less information based on your needs.
The Monitor > App-Scope > Traffic Map tab displays a geographical map of the traffic flow and provides a view of incoming versus outgoing traffic. You can also use the Monitor > App-Scope > Change Monitor tab to view changes in traffic patterns; for example, compare the top applications used over this hour with those of the last week or month to determine whether there is a pattern or trend.
With all the information you have now uncovered, you can evaluate what changes to make to your policy configuration. Here are some suggestions to consider:
  • Be restrictive: create a pre-rule on Panorama that blocks all BitTorrent traffic. Then use Panorama device groups to push this policy rule to one or more firewalls.
  • Enforce bandwidth limits: create a QoS profile and a QoS policy rule that de-prioritizes non-business traffic. Use Panorama templates to configure the QoS profile and interface settings and device groups for the QoS policy rule, then push the configuration to one or more firewalls.
  • Reduce risk to your network assets: create an application filter that blocks all file-sharing applications that use peer-to-peer technology and have a risk of 4 or 5. Verify that the BitTorrent application matches that application filter and will therefore be blocked. Because an application filter matches on attributes rather than on a fixed list, applications added or reclassified by later content updates that meet the same criteria are blocked as well, so re-check the filter's membership after content updates.
  • Schedule a custom report group that pulls together the activity for the specific user and that of the top applications used on your network, and observe the pattern for another week or two before taking action.
Besides checking for a specific application, you can also check for any unknown applications in the list of top applications. These are applications that did not match a defined App-ID™ signature; they display as unknown-udp and unknown-tcp. To delve into these unknown applications, click the name to drill down to the details for the unclassified traffic.
Use the same process to investigate the top source IP addresses of the hosts that initiated the unknown traffic, along with the destination IP address of the host to which each session was established. For unknown traffic, the firewall by default performs a packet capture (pcap) when it detects an unknown application. In the Traffic logs, a green arrow in the left column represents the packet capture snippet of the application data; clicking the green arrow displays the pcap in the browser.
With the IP addresses of the servers (destination IP), the destination port, and the packet captures in hand, you are better positioned to identify the application and decide how you want to act on your network. For example, you can create a custom application that identifies this traffic instead of leaving it labeled as unknown TCP or UDP traffic. Refer to Identifying Unknown Applications for more information on identifying unknown applications, and to Custom Application Signatures for information on developing custom signatures to discern the application.
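The following script is an added example, not Panorama's or Palo Alto Networks' code, that carries out the same triage the walkthrough performs by hand: it ranks applications by bytes, identifies which applications the suggested file-sharing/peer-to-peer/risk 4-5 application filter would match (and checks that bittorrent is among them), lists the zone pairs and security rules that currently allow them, and groups unknown-tcp/unknown-udp sessions by source, destination, and destination port so each tuple can be investigated with its pcap. The CSV is constructed to resemble a subset of a Traffic log export, and the App-ID attributes are constructed as well; check both against your own logs and the App-ID database before relying on the values. All function names are this example's own.

```python
"""Triage of application data, mirroring the manual ACC walkthrough.

Added example, not Panorama code. SAMPLE_TRAFFIC_CSV is a constructed
subset of Traffic log columns; APP_INFO holds constructed App-ID
attributes (subcategory, technology, risk 1-5) for the sample's apps.
"""
import csv
from collections import defaultdict
from io import StringIO

# Constructed sample: a handful of Traffic log rows (RFC 5737 addresses).
SAMPLE_TRAFFIC_CSV = """\
receive_time,src,dst,dport,app,bytes,from_zone,to_zone,rule
2024/05/01 09:01:12,10.1.2.33,203.0.113.10,6881,bittorrent,8400000,trust,untrust,allow-outbound
2024/05/01 09:02:40,10.1.2.33,198.51.100.7,51413,bittorrent,3100000,trust,untrust,allow-outbound
2024/05/01 09:03:05,10.1.2.44,203.0.113.10,6881,bittorrent,5200000,trust,untrust,allow-outbound
2024/05/01 09:04:19,10.1.2.51,198.51.100.20,443,ssl,620000,trust,untrust,allow-outbound
2024/05/01 09:05:02,10.1.2.51,198.51.100.20,80,web-browsing,310000,trust,untrust,allow-outbound
2024/05/01 09:05:55,10.1.2.60,192.0.2.25,4444,unknown-tcp,75000,trust,untrust,allow-outbound
2024/05/01 09:06:10,10.1.2.60,192.0.2.25,4444,unknown-tcp,82000,trust,untrust,allow-outbound
2024/05/01 09:07:33,10.1.2.71,192.0.2.77,9999,unknown-udp,12000,trust,untrust,allow-outbound
2024/05/01 09:08:01,10.1.2.71,10.1.0.5,53,dns,1500,trust,dmz,allow-dns
2024/05/01 09:09:14,10.1.2.80,203.0.113.40,21,ftp,45000,trust,untrust,allow-outbound
"""

# Constructed App-ID attributes; verify under Objects > Applications.
APP_INFO = {
    "bittorrent":   {"subcategory": "file-sharing",     "technology": "peer-to-peer",     "risk": 5},
    "ftp":          {"subcategory": "file-sharing",     "technology": "client-server",    "risk": 4},
    "ssl":          {"subcategory": "encrypted-tunnel", "technology": "browser-based",    "risk": 4},
    "web-browsing": {"subcategory": "internet-utility", "technology": "browser-based",    "risk": 4},
    "dns":          {"subcategory": "infrastructure",   "technology": "network-protocol", "risk": 3},
}


def parse_traffic_csv(text):
    """Parse the CSV export into dicts, converting numeric columns."""
    rows = []
    for row in csv.DictReader(StringIO(text)):
        row["dport"] = int(row["dport"])
        row["bytes"] = int(row["bytes"])
        rows.append(row)
    return rows


def top_applications(rows, n=5):
    """Applications ranked by total bytes, like the Top Applications widget."""
    totals = defaultdict(int)
    for r in rows:
        totals[r["app"]] += r["bytes"]
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


def matches_filter(info, subcategory="file-sharing", technology="peer-to-peer", min_risk=4):
    """Same criteria as the suggested application filter: all three must hold."""
    return (info["subcategory"] == subcategory
            and info["technology"] == technology
            and info["risk"] >= min_risk)


def apps_matched_by_filter(app_info, **criteria):
    """Set of applications the filter would block; use it to confirm bittorrent is included."""
    return {app for app, info in app_info.items() if matches_filter(info, **criteria)}


def rules_allowing(rows, apps):
    """(from_zone, to_zone, rule) tuples that currently let the given apps through."""
    return sorted({(r["from_zone"], r["to_zone"], r["rule"]) for r in rows if r["app"] in apps})


def unknown_sessions(rows):
    """Group unknown-tcp/unknown-udp traffic by (src, dst, dport, app), largest first."""
    groups = defaultdict(lambda: {"sessions": 0, "bytes": 0})
    for r in rows:
        if r["app"] in ("unknown-tcp", "unknown-udp"):
            g = groups[(r["src"], r["dst"], r["dport"], r["app"])]
            g["sessions"] += 1
            g["bytes"] += r["bytes"]
    return sorted(((k, v["sessions"], v["bytes"]) for k, v in groups.items()),
                  key=lambda t: -t[2])


if __name__ == "__main__":
    rows = parse_traffic_csv(SAMPLE_TRAFFIC_CSV)
    print("Top applications by bytes:", top_applications(rows, 3))
    blocked = apps_matched_by_filter(APP_INFO)
    print("Apps the p2p file-sharing filter would block:", sorted(blocked))
    assert "bittorrent" in blocked, "filter does not cover bittorrent; adjust its criteria"
    print("Rules currently allowing them:", rules_allowing(rows, blocked))
    for (src, dst, dport, app), n, b in unknown_sessions(rows):
        print(f"investigate {app}: {src} -> {dst}:{dport} ({n} sessions, {b} bytes); pull the pcap")
```

The filter check is deliberately strict on all three attributes: in the sample, ftp shares the file-sharing subcategory and a risk of 4 but is client-server, so it stays allowed, which is the kind of near miss worth confirming before pushing the filter from Panorama.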