topic Re: ASA top talkers in Network Security

ASA top talkers

pugliededaniele88 — Fri, 21 Feb 2020 14:38:18 GMT

Dear all,

from PRTG monitoring a saw that many time the bandwith of my connection is full. I need to know what is the clients that generating more traffic. Is there a method to know this ? from ASDM or CLI ?

Thank you,

Daniele.

Re: ASA top talkers

Rahul Govindan — Fri, 03 Nov 2017 14:26:40 GMT

You can do this on the ASDM using the Firewall Dashboard. Under Home tab, Navigate to the Firewall Dashboard tab and enable the Top Usage Stats dashboard on the right hand section. You can then see this information in bar, pie or table format.

Re: ASA top talkers

pugliededaniele88 — Fri, 03 Nov 2017 15:23:58 GMT

Hi,

I found the section but the monitoring stay in stuck on loading. I will wait if I can obtain the information...

Thank you,

For your help !

Re: ASA top talkers

Rahul Govindan — Fri, 03 Nov 2017 17:13:43 GMT

Usually takes a while to populate some of the dashboards as the default period is 1 hour for most of them.

Re: ASA top talkers

pugliededaniele88 — Wed, 08 Nov 2017 10:18:52 GMT

Hi,

I obtained this data form the firewall dashboard. I don't unterstand why i see as source pubblic ip address. Can you explain me ?

The top user section doesn't work because I don't have the AD connected to asa.

Thank you,

Daniele

Re: ASA top talkers

chris phillips — Wed, 08 Nov 2017 11:31:27 GMT

You see public IP's as the source address as the traffic is likely originating from the internet and going to you. For example someone in your lan is downloading something from that source address and the ASDM is reporting that a lot of traffic is coming from that IP. Also it could mean that someone at that source IP is sending that data into your network if you have a service setup to receive that data (ftp or sftp server?).

As you have PRTG you could configure netflow on the ASA and have it send the traffic information data to PRTG & PRTG can then compile a list of top talkers for you, you then won't need to have ASDM constantly open. Netflow on PRTG will be much more useful to you.

https://supportforums.cisco.com/t5/security-documents/configuring-netflow-on-asa-with-asdm/ta-p/3119466

PRTG support doc on configuring netflow on ASA 55XX series.

https://kb.paessler.com/en/topic/1423-how-to-monitor-cisco-asa-firewalls-using-netflow-9-and-prtg

Re: ASA top talkers

pugliededaniele88 — Thu, 09 Nov 2017 09:47:26 GMT

Hi,

I tried to configure netflow on ASA but the following command seems doesn't works

policy-map global_policy
class class-default
flow-export event-type all destination x.x.x.x yy

The following error is showed

Giulianova-FW# conf t
Giulianova-FW(config)# policy-map global_policy
Giulianova-FW(config-pmap)# class class-default
Giulianova-FW(config-pmap-c)# flow-export event-type all destination 10.111.1.$

flow-export event-type all destination 10.111.1.102 2055
^
ERROR: % Invalid Hostname
Giulianova-FW(config-pmap-c)# $destination 10.111.1.102 ?

mpf-policy-map-class mode commands/options:
Hostname or A.B.C.D Destination IP address or name
<cr>
Giulianova-FW(config-pmap-c)# $destination 10.111.1.102

He ask me the ip address but I already put in the IP.

Anyway after that I configured PRTG I can see the netflow protocol I don't know how but I see that. In the asa configuration I had configured only snmp. I don't unterstand how I can see netflow also...

Re: ASA top talkers

chris phillips — Thu, 09 Nov 2017 11:02:34 GMT

that is weird that it works without the full config, PRTG is good but i don't think its good enough to defy the ASA config 🙂

I can't test it right now but i'm wondering if you need the word "destination", maybe substitute "destination" for the actual IP.

can you do a ? on the following and confirm?

Giulianova-FW(config-pmap-c)# flow-export event-type all ?

Re: ASA top talkers

pugliededaniele88 — Thu, 09 Nov 2017 14:44:21 GMT

Hi,

the destination command is needed:

Giulianova-FW(config)# policy-map global_policy
Giulianova-FW(config-pmap)# class class-default
Giulianova-FW(config-pmap-c)# flow-export event-type all ?

mpf-policy-map-class mode commands/options:
destination Export specified NetFlow events to destination