tag:blog.tmcnet.com,2012-01-03:/advanced-netflow-traffic-analysis//164 2013-06-01T16:02:38Z tag:blog.tmcnet.com,2012:/advanced-netflow-traffic-analysis//164.50343 2012-11-25T15:31:43Z 2013-06-01T16:02:38Z

Michael Patterson http://blog.tmcnet.com/advanced-netflow-traffic-analysis/ NetFlow Reporting by including a Firewall Event element in PAN-OS 5.0.  This new field will provide a few new advantages to Firewall Administrators.  These improvements to their NetFlow export can be seen in multiple ways:
The ability to trend flows Deleted, Created or Denied for example allows administrators to gain visibility into historical baselines on how the Next Generation Firewall traditionally treats traffic headed for the internet.



If an abnormal spike or drop occurs in the above trend, administrators can drill in to find out what machines were involved and which applications were being used at the time.  This data can also be bundled together with multiple firewalls to gain a more enterprise view of the corporate Internet behavior.

Administrators can use the above report to set thresholds on volumes of unacceptable 'denied' events.  If a host causes connections in a way that violates a threshold, unacceptable rates of denied violations can trigger events which lead to notifications. 

 
Administrators can also use the NetFlow Reporting solution to filter for a specific host which might be having trouble communicating through the Next Generation Firewall.  They can then run a Palo Alto Networks 'Events' report to find out what specifically is in the end systems traffic that is causing a "Flow Denied" event to occur.

Configuring a Palo Alto Networks Firewall to export NetFlow is straight forward process and the value gained is considerable.  Industry leading NetFlow features include:

• Application Awareness: They use Deep Packet Inspection (DPI) to identify and separate applications that share ports such as TCP 80.
• Username: If users have to authenticate with Active Director or LDAP, the firewall can tie the username to the flows.  This eases trouble shooting efforts during times of forensic analysis.
• Network Address Translation: This can be a big time saver when trying to find out what an IP address was internally before it was NAT'ed by the firewall.
• Firewall Event: The newest edition to their export provides the values outlined above.
• Syslog Correlation with NetFlow: The message log exported by the firewall can be formatted into IPFIX and correlated with the NetFlow data to ensure speedy identification of potential attacks

Vendors recognize that Flow technology is a primary feature necessary to be a contender in the Next Generation Firewall space.  Clearly Palo Alto Networks understands which features matter most and has moved quickly to service the needs of their customer base and has partnered with Plixer to bring them to market.

The combined Plixer and Palo Alto solution also includes:

• Host reputation monitoring
• Enterprise application usage and performance monitoring
• Mitigation of evolving threats
• Audit trails of all internal and external traffic
• The very best in network performance reporting

With thousands of customers, Scrutinizer plays a key role across global 2000 enterprises and governments.  Scrutinizer can detect zero-day types of malware including APT attacks.


]]>