topic If you need to see whats in Network Security

Logging recommendations

m.yost — Tue, 12 Mar 2019 13:01:21 GMT

Are there any recommendations as to when you should choose to log at the beginning or end? I know in some circumstances, the only option is at the beginning due to the packet being dropped, but what about in other situations?

For example, I have an access-control rule that has the Balanced Security and Connectivity IPS policy set and a custom File Policy. The action is set to Allow which should still block bad stuff if it goes through. Is it better to log at the beginning or end?

My default action for this policy is Network Discovery only. Is it better to log at the beginning or end?

The only other place I have logging enabled is in the SSL policies and you can only log at the end.

The problem is that I ran into an issue where FMC seemed to have very few events (like maybe an hours worth) whereas previously I had days worth so I have a feeling I have too much logging toggled now. Running the virtual appliance which looks like it maxes at 10M connection events.

Hi

yogdhanu — Tue, 24 May 2016 16:02:11 GMT

For a single connection, the end-of-connection event contains all of the information in the beginning-of-connection event as well as information that was gathered over the duration of the session. For Trust and Allow rules, it is recommended that End-of-Connection is used.

Rate if helps.

Yogesh

What if Network Discovery

m.yost — Tue, 24 May 2016 18:09:42 GMT

What if Network Discovery Only is your default action in the access policy? Should that be logged or not and if so, at the beginning or end?

If you need to see whats

yogdhanu — Tue, 24 May 2016 18:17:53 GMT

If you need to see whats going on in the network and keep track, you can have logging enabled.

I would suggest to use End-of-Connection in there as well.

For SSL policy you can have it with end of connection as the SSL policy needs to make decision and then log which will be better.

Rate if helps.

Yogesh

Thanks for the info. I made

m.yost — Thu, 26 May 2016 13:37:30 GMT

Thanks for the info. I made the necessary tweaks and I'm only getting ~20 hours of connection events. If I look at the # of rows in Connection events, its only a little over 1 million and the virtual FMC appliance should be able to do 10 Million between connection events and Security Intelligence Events (there are no events in here). I have a TAC case open to see what the deal is.