Use Case: Monitor Applications Using Panorama
This example takes you through the process of assessing
the efficiency of your current policies and determining where you
need to adjust them to fortify the acceptable use policies for your
network.
When you log in to Panorama, the Top Applications widget
on the Dashboard gives a preview of the most
used applications over the last hour. To display the widget, select in the toolbar.
You can either glance over the list of top applications and mouse
over each application block for which you want to review the details,
or you can select the ACC tab to view the
same information as an ordered list. The following image is a view
of the Top Applications widget on the Dashboard.
Top Applications Widget
The data source for this display is the application statistics
database; it does not use the Traffic logs and is generated whether
or not you have enabled logging for security rules. This view into
the traffic on your network depicts everything that is allowed on
your network and is flowing through unblocked by any policy rules
that you have defined.
In the ACC tab, you can select and toggle
the Data Source to be local on Panorama or
you can query the managed firewalls (Remote Device Data)
for the data; Panorama automatically aggregates and displays the
information. For a speedier flow, consider using Panorama as the
data source (with log forwarding to Panorama enabled) because the
time to load data from the managed firewalls varies by the time
period for which you choose to view data and the volume of traffic
that is generated on your network. If your managed firewalls have
a combination of PAN-OS 7.0 and earlier versions, Remote
Device Data is not available.
The
Dashboard example in
Figure 1 shows
DNS as a popular application. If you click the DNS application block,
Panorama opens the tab with DNS applied as a global filter
and shows information on the application, users who accessed the
application, and the details on the risk level and characteristics
of the application.
Network Activity Tab
In the User Activity widget, you can see
how many users are using DNS and the volume of traffic being generated.
If you have enabled User-ID, you can view the names of the users
who are generating this traffic, and drill in to review all the
sessions, content or threats associated with each user.
In the Threat Activity tab, view the Compromised
Hosts widget to see what correlation objects were matched
on, and view the match evidence associated with the user and application.
You can also view the threat name, category and ID in the Threat
Activity widget.
With DNS set as a global filter, use the Destination
IP Activity and the Destination Regions widgets to
verify where the traffic was destined. You can also view the ingress
and egress zones and the security rule that is letting this connection
through.
For more detailed information, jump into the Traffic logs
for a filtered view
and review each log entry for ports used, packets sent, bytes sent
and received. Adjust the columns to view more information or less information
based on your needs.
The >
Traffic Map tab displays a geographical map of the traffic
flow and provides a view of incoming versus outgoing traffic. You
can also use the tab to view
changes in traffic patterns. For example, compare the top applications
used over this hour to the last week or month to determine if there
is a pattern or trend.
With all the information you have now uncovered, you can evaluate
what changes to make to your policy configurations. Here are some
suggestions to consider:
Be restrictive and create a pre-rule on Panorama to block
or allow all DNS traffic. Then use Panorama device groups to create
and push this policy rule to one or more firewalls.
Enforce bandwidth use limits and create a QoS profile and
policy rule that de-prioritizes non-business traffic. Use Panorama
device groups and templates to
configure QoS and then
push rules to one or more firewalls.
Schedule a custom report group that pulls together the activity
for the specific user and that of top applications used on your
network to observe that pattern for another week or two before taking action.
Besides checking for a specific application, you can also check
for any unknown applications in the list of top applications. These
are applications that did not match a defined App-ID™ signature
and display as unknown-udp and unknown-tcp. To delve into these
unknown applications, click on the name to drill down to the details
for the unclassified traffic.
Use the same process to investigate the top source IP addresses
of the hosts that initiated the unknown traffic along with the IP
address of the destination host to which the session was established.
For unknown traffic, the traffic logs, by default, perform a packet
capture (pcap) when an unknown application is detected. The green
arrow in the left column represents the packet capture snippet of
the application data. Clicking on the green arrow displays the pcap
in the browser.
Having the IP addresses of the servers (destination IP), the
destination port, and the packet captures, you will be better positioned
to identify the application and make a decision on how you would
like to take action on your network. For example, you can create
a custom application that identifies this traffic instead of labeling
it as unknown TCP or UDP traffic. Refer to the article
Identifying Unknown Applications for
more information on identifying unknown application and
Custom Application Signatures for
information on developing custom signatures to discern the application.