How to analyse traffic, then build ACL rules?

I am building a new network solution and at the perimeter I have an ASA firewall.

At the moment, as it is in a pre-production state, I have a completely open ACL. Obviously, I will need to harden this up, but to do that I wondered if there was a way to analyse existing flows and build ACL rules around them?

Trying to manually identify all the ports/protocols/IPs, etc is a very laborious task.

Are there any automated tools out there (Open Source please!) that do this?

Does anyone on here have any handy hints that could reduce the man hours I'll have to spend?

Any comments welcome :)


Hi there,

Configure netflow and send the collected data to a netflow processor.

My netflow collector of choice is nfdump/nfsen (http://nfsen.sourceforge.net/), it is simple to configure and of course open-source.

You could also enable threat-detection statistics on your ASA, but this takes an additional hit on the CPU:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa92/configuration/firewall/asa-firewall-cli/protect-threat.html#pgfId-1316394

cheers,

Seb.


Hi,

You can send the traffic logs to a syslog server and from there you can create a convertible Excel format of all traffic patterns to create an ACE for the ASA.

Hope that helps.

-GI
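Both replies boil down to the same workflow: collect connection records from the open pre-production firewall (NetFlow, or the ASA's own connection-built syslog messages), aggregate them into unique source/destination/port tuples, and turn the survivors into explicit permit ACEs with a logged deny at the end. The script below is an added example of that workflow written for this thread; it is not code from either poster or from Cisco. The log lines are constructed samples in the layout of ASA messages 302013/302015 (TCP/UDP connection built) and 302014 (teardown), and the direction handling rests on one assumption, also noted in the code: for an "inbound" connection the "for" side is the initiator, for an "outbound" connection the "to" side is. The `min_hits` threshold and the `<IFACE>_IN` ACL names are this example's own choices.

```python
import re
from collections import Counter
from typing import Iterable, NamedTuple, Optional

# Constructed sample syslog lines in ASA 302013/302015/302014 layout (not from the thread).
SAMPLE_LOGS = """\
%ASA-6-302013: Built outbound TCP connection 101 for outside:203.0.113.10/443 (203.0.113.10/443) to inside:10.1.1.5/51234 (198.51.100.1/51234)
%ASA-6-302013: Built outbound TCP connection 102 for outside:203.0.113.10/443 (203.0.113.10/443) to inside:10.1.1.5/51235 (198.51.100.1/51235)
%ASA-6-302015: Built outbound UDP connection 103 for outside:203.0.113.53/53 (203.0.113.53/53) to inside:10.1.1.5/40001 (198.51.100.1/40001)
%ASA-6-302013: Built inbound TCP connection 104 for outside:192.0.2.77/40022 (192.0.2.77/40022) to dmz:10.2.2.10/80 (198.51.100.2/80)
%ASA-6-302013: Built outbound TCP connection 105 for outside:203.0.113.99/23 (203.0.113.99/23) to inside:10.1.1.9/51000 (198.51.100.1/51000)
%ASA-6-302014: Teardown TCP connection 101 for outside:203.0.113.10/443 to inside:10.1.1.5/51234 duration 0:00:05 bytes 1200 TCP FINs
"""

# Assumed message layout: "Built <dir> <proto> connection N for IF:IP/PORT (mapped) to IF:IP/PORT (mapped)".
FLOW_RE = re.compile(
    r"%ASA-6-30201[35]: Built (?P<dir>inbound|outbound) (?P<proto>TCP|UDP) connection \d+ "
    r"for (?P<for_if>[\w-]+):(?P<for_ip>[\d.]+)/(?P<for_port>\d+) \([^)]*\) "
    r"to (?P<to_if>[\w-]+):(?P<to_ip>[\d.]+)/(?P<to_port>\d+) \([^)]*\)"
)


class Flow(NamedTuple):
    proto: str     # "tcp" or "udp"
    src_if: str    # interface the connection entered on (where the ACL will be applied)
    src_ip: str
    dst_ip: str
    dst_port: int  # server-side port; the ephemeral client port is deliberately dropped


def parse_flow(line: str) -> Optional[Flow]:
    """Return the Flow a connection-built message describes, or None for anything else."""
    m = FLOW_RE.search(line)
    if not m:
        return None  # teardown messages, other IDs, unrelated noise
    d = m.groupdict()
    # Assumption: "inbound" -> the "for" side initiated, "outbound" -> the "to" side initiated.
    if d["dir"] == "inbound":
        return Flow(d["proto"].lower(), d["for_if"], d["for_ip"], d["to_ip"], int(d["to_port"]))
    return Flow(d["proto"].lower(), d["to_if"], d["to_ip"], d["for_ip"], int(d["for_port"]))


def summarize(lines: Iterable[str]) -> Counter:
    """Count how often each unique (proto, src_if, src, dst, dst_port) tuple was seen."""
    counts: Counter = Counter()
    for line in lines:
        flow = parse_flow(line)
        if flow is not None:
            counts[flow] += 1
    return counts


def build_acl(counts: Counter, min_hits: int = 1) -> list:
    """Emit ASA access-list lines, one ACL per ingress interface, in a stable order.
    Flows seen fewer than min_hits times are dropped so one-off probes and scans
    against the open pre-production ACL do not get baked into the hardened rule set."""
    by_if: dict = {}
    for flow, n in counts.items():
        if n >= min_hits:
            by_if.setdefault(flow.src_if, []).append(flow)
    aces = []
    for iface in sorted(by_if):
        name = f"{iface.upper()}_IN"
        for f in sorted(by_if[iface]):
            aces.append(
                f"access-list {name} extended permit {f.proto} host {f.src_ip} host {f.dst_ip} eq {f.dst_port}"
            )
        # Explicit, logged deny so anything the baseline missed shows up in syslog.
        aces.append(f"access-list {name} extended deny ip any any log")
    return aces


if __name__ == "__main__":
    for ace in build_acl(summarize(SAMPLE_LOGS.splitlines()), min_hits=1):
        print(ace)
```

Run it against a real export by replacing `SAMPLE_LOGS` with the file contents; the same `summarize`/`build_acl` pair works on nfdump output once `parse_flow` is swapped for a parser of that format. Review the generated list before applying it: a flow that was permitted during the open period is not automatically one you want (the sample's telnet connection to port 23 is the kind of entry to question), and `min_hits` only filters frequency, not intent.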