Palo Alto Firewalls - Identifying Bandwidth Usage
Palo Alto firewalls do not, by default, provide a graph that shows administrators bandwidth usage. To get this data, the QoS feature needs to be enabled on all interfaces, which then provides real-time statistics on bandwidth usage. When looking for sources of bandwidth use, administrators need to correlate upload and download bandwidth by identifying the interfaces involved. The Applications and Security Rules statistics under each interface help narrow down potential source IP addresses. The App Scope 'Summary' under the 'Monitor' tab is useful for obtaining historical bandwidth usage and finding the specific IP addresses that consume large amounts of bandwidth, which helps correlate events.
Enable QoS Feature for Graphic Traffic Monitoring
To have the Palo Alto firewall provide real-time bandwidth usage, deploy the QoS feature to all physical interfaces. This does not deploy QoS for traffic control; it only enables real-time identification of the applications, bandwidth usage and security rules in use.
Add each interface that needs to be monitored in real-time
Note: Add tunnel interfaces under the QoS configuration of the physical interface they are associated with. In the example below, Ethernet1/1 faces the Internet, and tunnel.1 (used by GlobalProtect) was added under that interface.
Example QoS Interface configuration for Physical Interface:
Note: Egress Max should be left at 0 so that it defaults to the firewall's limit for that platform. If you were deploying QoS to actually enforce traffic control, then configuring this setting is recommended.
Example QoS Interface configuration for Tunneled Interface:
After the QoS interfaces are deployed, they start providing real-time bandwidth usage, which can be accessed by clicking 'Statistics' to the right of the QoS interface:
Once you are viewing the QoS interface statistics, select 'default-group' and you will see the real-time bandwidth usage. Remember that the graph only shows egress/upload traffic leaving the interface; no ingress traffic is shown.
Note: this configuration classifies all traffic as 'class 4' traffic.
If you want to see which applications are sending traffic at that time, select the 'Application' tab to see the App-ID and bytes sent.
To correlate the traffic flow, find which interface the offending IP address(es) sit behind and view that QoS interface as well; this provides the egress/download bandwidth. Again, the graph only shows traffic egressing that specific interface.
Likewise, to view the applications seen over this interface, select the 'Applications' tab. This helps correlate upload and download bandwidth usage in real time and identify which applications are causing the high utilization.
Administrators will also want to identify which Security Rules are being hit when evaluating bandwidth usage. This helps narrow down the potential source IP addresses, depending of course on how the security rule is configured.
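The same enable-then-inspect workflow from the PAN-OS CLI, as an added example that is not part of the original article. The interface names are assumed, and the command syntax is written from memory of PAN-OS; confirm it on your firewall with '?' completion before relying on it.

```console
# Added example, not from the original article. Interface names (ethernet1/1 to the
# Internet, ethernet1/2 inside) and exact command syntax are assumptions; check them
# against your PAN-OS version.

# Configure mode: enable QoS on the Internet-facing interface. egress-max 0 leaves the
# cap at the platform default, as the note above recommends when QoS is only used for
# visibility and not for enforcement.
configure
set network qos interface ethernet1/1 enabled yes
set network qos interface ethernet1/1 interface-bandwidth egress-max 0
set network qos interface ethernet1/1 regular-traffic default-group qos-profile default
commit
exit

# Operational mode: real-time throughput for a QoS node. The trailing number is the
# qos-node-id; verify which id maps to default-group on your firewall. As with the GUI
# graph, this reports only traffic egressing ethernet1/1 (upload toward the Internet).
show qos interface ethernet1/1 throughput 0

# Per-class byte and packet counters for the interface; with the configuration above
# all traffic lands in class 4.
show qos interface ethernet1/1 counter

# Repeat on the inside interface the suspect hosts sit behind to see the download side,
# then correlate the two egress views with the Applications and Security Rules tabs.
show qos interface ethernet1/2 throughput 0
```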
Monitor - App Scope
To find the specific IP addresses, administrators should review the Summary section of App Scope. It gives a quick snapshot of the IP addresses that most recently consumed the most bandwidth; use this information to correlate with the Security Rules and Applications seen in the QoS interface statistics.
To obtain a more granular view of the bytes (or sessions) used by a specific IP address, administrators can go to 'Network Monitor' under App Scope. There they can filter and run a report showing the time and the source IP address that consumed the most data during an event.