The ability to trend flow events such as Created, Deleted or Denied allows administrators to establish historical baselines of how the Next Generation Firewall normally treats traffic headed for the Internet.
If an abnormal spike or drop occurs in that trend, administrators can drill in to find out which machines were involved and which applications were being used at the time. This data can also be aggregated across multiple firewalls to gain an enterprise-wide view of corporate Internet behavior.
Administrators can use the above report to set thresholds on the volume of 'denied' events they consider unacceptable. If a host generates denied connections at a rate that exceeds the threshold, the violation can trigger an event that leads to a notification.
Administrators can also use the NetFlow Reporting solution to filter for a specific host that might be having trouble communicating through the Next Generation Firewall. They can then run a Palo Alto Networks 'Events' report to find out what specifically in the end system's traffic is causing a "Flow Denied" event to occur.
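The trend, threshold and per-host drill-down described above, as an added example that is not part of the original post or the Plixer product: a small Python script over constructed flow records. The record shape (ts, src, dst, app, user, event) is an assumption for this example, not the firewall's NetFlow template fields; a real collector would feed decoded records into the same functions.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample records in the shape a collector might store after decoding
# the firewall's NetFlow export. The field names (ts, src, dst, app, user, event)
# are assumptions made for this example, not the vendor's template field names.
FLOWS = [
    {"ts": "2024-03-01T10:00:05", "src": "10.1.1.20", "dst": "93.184.216.34", "app": "web-browsing", "user": "alice", "event": "created"},
    {"ts": "2024-03-01T10:00:09", "src": "10.1.1.20", "dst": "93.184.216.34", "app": "web-browsing", "user": "alice", "event": "deleted"},
    {"ts": "2024-03-01T10:00:12", "src": "10.1.1.20", "dst": "198.51.100.9", "app": "smtp", "user": "alice", "event": "denied"},
    {"ts": "2024-03-01T10:00:20", "src": "10.1.1.77", "dst": "203.0.113.5", "app": "smtp", "user": "svc-backup", "event": "denied"},
    {"ts": "2024-03-01T10:00:25", "src": "10.1.1.77", "dst": "203.0.113.6", "app": "smtp", "user": "svc-backup", "event": "denied"},
    {"ts": "2024-03-01T10:00:31", "src": "10.1.1.77", "dst": "203.0.113.7", "app": "smtp", "user": "svc-backup", "event": "denied"},
    {"ts": "2024-03-01T10:00:33", "src": "10.1.1.77", "dst": "203.0.113.8", "app": "smtp", "user": "svc-backup", "event": "denied"},
    {"ts": "2024-03-01T10:00:40", "src": "10.1.1.77", "dst": "203.0.113.9", "app": "smtp", "user": "svc-backup", "event": "denied"},
    {"ts": "2024-03-01T10:00:44", "src": "10.1.1.77", "dst": "203.0.113.10", "app": "smtp", "user": "svc-backup", "event": "denied"},
    {"ts": "2024-03-01T10:01:02", "src": "10.1.1.20", "dst": "93.184.216.34", "app": "ssl", "user": "alice", "event": "created"},
    {"ts": "2024-03-01T10:05:00", "src": "10.1.1.77", "dst": "203.0.113.11", "app": "smtp", "user": "svc-backup", "event": "denied"},
]


def parse_ts(value):
    return datetime.fromisoformat(value)


def event_trend(flows):
    """Per-minute count of each event type: the series a baseline is built from."""
    trend = defaultdict(Counter)
    for f in flows:
        minute = parse_ts(f["ts"]).strftime("%H:%M")
        trend[minute][f["event"]] += 1
    return {m: dict(c) for m, c in sorted(trend.items())}


def hosts_over_denied_threshold(flows, window=timedelta(seconds=60), threshold=5):
    """Sliding-window count of 'denied' events per source host.

    Returns {host: peak count} for every host whose denied events reached the
    threshold inside any window of the given length. A single host with one
    denied flow never fires; a host hammering out denied flows does.
    """
    denied_times = defaultdict(list)
    for f in flows:
        if f["event"] == "denied":
            denied_times[f["src"]].append(parse_ts(f["ts"]))
    alerts = {}
    for host, times in denied_times.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Slide the window start forward until it fits inside `window`.
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                alerts[host] = max(alerts.get(host, 0), count)
    return alerts


def denied_detail_for_host(flows, host):
    """Drill-down: which applications and users produced denied events for one host."""
    return Counter((f["app"], f["user"]) for f in flows if f["src"] == host and f["event"] == "denied")


if __name__ == "__main__":
    print(event_trend(FLOWS))
    for host, peak in hosts_over_denied_threshold(FLOWS).items():
        print(f"ALERT {host}: {peak} denied flows within 60s ->", dict(denied_detail_for_host(FLOWS, host)))
```

The threshold is evaluated per host over a sliding window rather than as a flat count, so a burst of denied flows from one machine stands out even when the firewall-wide denied volume looks ordinary; the drill-down then reports the application and authenticated user behind the burst, which is the information the 'Events' report is used for.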
Configuring a Palo Alto Networks firewall to export NetFlow is a straightforward process and the value gained is considerable. Industry-leading NetFlow features include:
- Application Awareness: The firewall uses Deep Packet Inspection (DPI) to identify and separate applications that share a port such as TCP 80.
- Username: If users have to authenticate with Active Directory or LDAP, the firewall can tie the username to the flows. This eases troubleshooting during forensic analysis.
- Network Address Translation: This can be a big time saver when trying to find out what an IP address was internally before it was NAT'ed by the firewall.
- Firewall Event: The newest addition to their export provides the values outlined above.
- Syslog Correlation with NetFlow: The message log exported by the firewall can be formatted into IPFIX and correlated with the NetFlow data to ensure speedy identification of potential attacks.
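The NAT and syslog-correlation points above, as an added example that is not part of the original post or of any vendor's code: a Python script that takes a firewall syslog event keyed on the public (post-NAT) address and finds the internal host, user and application from flow records that carry both the pre-NAT and post-NAT source. The flow field names and the simplified key=value syslog lines are constructed for this example and are not the firewall's real export or log format.

```python
import re
from datetime import datetime, timedelta

# Constructed flow records carrying both the internal (pre-NAT) source and the
# public address the firewall translated it to. Field names are assumptions for
# this example, not the vendor's export field names.
FLOWS = [
    {"ts": "2024-03-01T10:00:05", "src": "10.1.1.20", "nat_src": "198.51.100.1", "dst": "203.0.113.40", "app": "web-browsing", "user": "alice"},
    {"ts": "2024-03-01T10:00:30", "src": "10.1.1.77", "nat_src": "198.51.100.1", "dst": "203.0.113.40", "app": "ssl", "user": "svc-backup"},
    {"ts": "2024-03-01T10:02:00", "src": "10.1.1.33", "nat_src": "198.51.100.1", "dst": "203.0.113.41", "app": "ssl", "user": "bob"},
]

# Constructed syslog lines in a simplified key=value form; this is not the
# firewall's real log format, only a stand-in for messages it would forward.
SYSLOG = [
    '2024-03-01T10:00:32 pa-fw-1 type=THREAT src=198.51.100.1 dst=203.0.113.40 msg="policy alert"',
    '2024-03-01T10:30:00 pa-fw-1 type=THREAT src=198.51.100.1 dst=203.0.113.41 msg="policy alert"',
]

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<body>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_syslog(line):
    """Split one line into timestamp, reporting host and its key=value fields."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable syslog line: {line!r}")
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("body"))}
    fields["ts"] = datetime.fromisoformat(m.group("ts"))
    fields["reporter"] = m.group("host")
    return fields


def correlate(syslog_lines, flows, window=timedelta(seconds=60)):
    """Map each syslog event back to the internal host(s) behind its NATed address.

    A flow is a candidate when its post-NAT source and destination match the
    event and it started within `window` before the event. With port address
    translation several internal hosts share one public IP, so candidates are
    returned closest-in-time first rather than collapsed to a single guess.
    """
    results = []
    for line in syslog_lines:
        ev = parse_syslog(line)
        candidates = []
        for f in flows:
            started = datetime.fromisoformat(f["ts"])
            delta = ev["ts"] - started
            if f["nat_src"] == ev["src"] and f["dst"] == ev["dst"] and timedelta(0) <= delta <= window:
                candidates.append({"src": f["src"], "user": f["user"], "app": f["app"], "age_s": delta.total_seconds()})
        candidates.sort(key=lambda c: c["age_s"])
        results.append({"msg": ev["msg"], "nat_src": ev["src"], "candidates": candidates})
    return results


if __name__ == "__main__":
    for r in correlate(SYSLOG, FLOWS):
        print(r["msg"], "from", r["nat_src"], "->", r["candidates"] or "no flow within window")
```

The first constructed event is ambiguous on its own: two internal hosts share the public address and talked to the same destination inside the window, which is exactly the case the pre-NAT source field in the flow export resolves. The second event finds no flow within the window, so the script reports that instead of attributing the message to the wrong machine.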
The combined Plixer and Palo Alto solution also includes:
- Host reputation monitoring
- Enterprise application usage and performance monitoring
- Mitigation of evolving threats
- Audit trails of all internal and external traffic
- The very best in network performance reporting