
How to get total hit count value for traffic passing through ANY ANY rule on firewall

Engager

I have a firewall which has a rule with any as source, destination and ports. I need to monitor this traffic and check what source and destination IPs are passing through, along with ports/service information. The following correlation search provides me the perfect results, but in huge events with multiple duplicate traffic; I don't want to use the dedup command as it will miss some traffic.

index=paloalto-firewall host="firewall IP" rule="any any rule name" | table time clientip srczone destip destzone destport rule srcinterface destinterface action

Expected results I need as a table, where 555 is the total hits for this traffic passing through the any any rule.

clientip | srczone | destip | destzone | destport | rule | srcinterface | destinterface | action | hitcounts
192.168.1.1 | Inside zone | 192.168.2.1 | dmz_zone | 80 | rulename | if1 | fi2 | allowed | 555

Any help would be greatly appreciated.


Communicator

Does using stats solve the problem?

index=paloalto-firewall host="firewall IP" rule="any any rule name" | stats count by client_ip src_zone dest_ip dest_zone dest_port rule src_interface dest_interface action

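As an added illustration (not code from either post), the following Python reproduces what `stats count by` does versus `dedup` on a constructed set of traffic events: stats keeps one row per distinct combination together with its hit count, while dedup keeps only the first event and loses the count. The CSV field order and the sample values are assumptions for the demo, not the real PAN-OS log layout.

```python
from collections import Counter

# Field order used by the constructed sample below (assumed; not the real PAN-OS CSV layout).
FIELDS = ("client_ip", "src_zone", "dest_ip", "dest_zone", "dest_port",
          "rule", "src_interface", "dest_interface", "action")

# Constructed traffic events in that order; the first tuple repeats three
# times to mimic the duplicate traffic the question describes.
SAMPLE_LOG = """\
192.168.1.1,Inside zone,192.168.2.1,dmz_zone,80,rulename,if1,if2,allowed
192.168.1.1,Inside zone,192.168.2.1,dmz_zone,80,rulename,if1,if2,allowed
192.168.1.1,Inside zone,192.168.2.1,dmz_zone,80,rulename,if1,if2,allowed
192.168.1.7,Inside zone,192.168.2.1,dmz_zone,443,rulename,if1,if2,allowed
10.0.0.5,Inside zone,192.168.2.9,dmz_zone,22,rulename,if1,if2,allowed
10.0.0.5,Inside zone,192.168.2.9,dmz_zone,22,rulename,if1,if2,allowed
"""


def parse_events(text):
    """Turn the CSV-style lines into dicts keyed by FIELDS."""
    return [dict(zip(FIELDS, line.split(","))) for line in text.splitlines() if line]


def stats_count_by(events, fields=FIELDS):
    """Like `| stats count by <fields>`: one row per distinct combination,
    plus the number of events (the hit count) behind it, largest first."""
    counts = Counter(tuple(e[f] for f in fields) for e in events)
    rows = [dict(zip(fields, key), count=n) for key, n in counts.items()]
    return sorted(rows, key=lambda r: r["count"], reverse=True)


def dedup_by(events, fields=FIELDS):
    """Like `| dedup <fields>`: keeps only the first event per combination,
    so the repeated hits vanish and no count survives."""
    seen, kept = set(), []
    for e in events:
        key = tuple(e[f] for f in fields)
        if key not in seen:
            seen.add(key)
            kept.append(e)
    return kept


if __name__ == "__main__":
    events = parse_events(SAMPLE_LOG)
    for row in stats_count_by(events):
        print(row)
    print(len(dedup_by(events)), "rows after dedup vs", len(events), "raw events")
```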


Engager

Thanks, it does provide the required results.
