11-21-2022 11:41 PM
Hi,
I have a Cisco WSA S390 cluster up and running.
On my monitoring system I have a Netflow sensor running for my ASA.
For last night I see the IP address of the active member of the WSA cluster transferring a lot of data (50 GB) with xxx.amazonaws.com.
Now I want to see which client is downloading the data via the WSA, but if I filter for that specific time last night, I just see 2 KB across 2 transactions during that time.
I have already seen that a couple of times. It seems like not all traffic is getting written to the logs.
Does it maybe have something to do with the connection being built by clients falling under a no-authentication policy? We have some devices added to "no authentication".
Are there other known reasons why not all traffic is being logged?
11-21-2022 11:44 PM
Based on how you configured the logs, you can see in the dashboard which IP transferred that data.
Is this managed by an SMA?
11-21-2022 11:54 PM
Hi,
We do not have an SMA (you mean Security Management Appliance, right?) running. We are managing both members individually.
If I filter for amazonaws.com for last night, I just see 2 KB of data, not 50 GB.
11-22-2022 12:06 AM
Hello,
Can you post the NetFlow configuration of your ASA?
11-22-2022 04:55 AM
class-map netflow_inet
 match any
policy-map global_policy
 class netflow_inet
  flow-export event-type all destination xx.xx.xx.xx
11-22-2022 03:27 AM
Is it only one time? Can you see it on the dashboard under top clients?
If the WSA itself is trying to get some data, it won't show there (but I am not aware of the WSA trying to get 50 GB of data).
11-22-2022 05:23 AM
Hi,
That is strange. Now I can see the traffic in the logs. It took a couple of hours.
Is this normal behaviour?
The traffic was between 0:45 AM and 1:45 AM Central European Time. I checked the dashboard at 8:30 AM CET.
Now I looked again at 13:30 CET and I can see over 80 GB of data loaded from cloudsink.net / amazonaws.
Turns out this was an update for CrowdStrike.
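The check the original poster describes (filter the WSA access log for a time window and a destination, sum bytes per client, and compare the total with what the ASA NetFlow export shows for the proxy's egress IP) can be scripted so that the comparison is not done by eye in the dashboard. The script below is an added example written for this thread, not something posted by any participant and not Cisco's code. It assumes the Squid-style field layout of the default WSA access log (unix timestamp, elapsed ms, client IP, result/status, bytes, method, URL, ...), treats CONNECT tunnels whose URL is a bare host:port, and filters the window in CET (UTC+1, no DST on 22 Nov 2022) while the log timestamps are UTC epoch values. The log lines and the 50 GiB NetFlow figure are constructed sample data; the destination names cloudsink.net and amazonaws.com are taken from the thread.

```python
"""Added example: aggregate Cisco WSA access-log bytes per client and destination
inside a time window and compare the total with a NetFlow byte count.

Assumed field layout (default Squid-style WSA access log):
<unix ts> <elapsed ms> <client ip> <code/status> <bytes> <method> <url> <user> <hierarchy/peer> <mime>
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

CET = timezone(timedelta(hours=1))  # no DST on 22 Nov 2022

# Constructed sample lines, not real appliance output.
# Epoch 1669075200 is 2022-11-22 00:00:00 UTC, i.e. 01:00 CET.
SAMPLE_ACCESSLOG = """\
1669074300.512 12034 10.20.30.41 TCP_MISS/200 3221225472 GET https://cloudsink.net/updates/sensor-a.bin - DIRECT/52.0.0.10 application/octet-stream
1669075000.000 210 10.20.30.99 TCP_MISS/200 500000 GET http://example.org/index.html - DIRECT/93.184.216.34 text/html
1669075500.000 60000 10.20.30.41 TCP_MISS/200 104857600 CONNECT ts01.cloudsink.net:443 - DIRECT/52.0.0.11 -
1669075800.100 9800 10.20.30.41 TCP_MISS/200 2147483648 GET https://dl.amazonaws.com/bucket/sensor-b.bin - DIRECT/52.0.0.12 application/octet-stream
1669076700.000 40 10.20.30.77 TCP_MISS/200 2048 GET https://cloudsink.net/manifest.json - DIRECT/52.0.0.10 application/json
1669079000.000 5000 10.20.30.41 TCP_MISS/200 1073741824 GET https://cloudsink.net/updates/sensor-c.bin - DIRECT/52.0.0.10 application/octet-stream
this line is not an access-log record
"""


def host_of(url):
    """Host part of the logged URL; CONNECT lines carry a bare host:port."""
    if "://" in url:
        return (urlsplit(url).hostname or "").lower()
    return url.rsplit(":", 1)[0].lower()


def parse_accesslog(text):
    """Return records with UTC timestamp, client, host, method and bytes; skip junk lines."""
    records = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 7:
            continue
        try:
            ts = datetime.fromtimestamp(float(f[0]), tz=timezone.utc)
            nbytes = int(f[4])
        except ValueError:  # header, truncated or non-log line
            continue
        records.append({"ts": ts, "client": f[2], "host": host_of(f[6]),
                        "method": f[5], "bytes": nbytes})
    return records


def cet_window(year, month, day, hour, minute, hours=1):
    """Start/end of a window given in CET wall-clock time, as aware datetimes."""
    start = datetime(year, month, day, hour, minute, tzinfo=CET)
    return start, start + timedelta(hours=hours)


def matches(host, suffixes):
    return any(host == s or host.endswith("." + s) for s in suffixes)


def bytes_by_client(records, start, end, suffixes=()):
    """Sum bytes per client for start <= ts < end, optionally restricted to destination suffixes."""
    totals = defaultdict(int)
    for r in records:
        if start <= r["ts"] < end and (not suffixes or matches(r["host"], suffixes)):
            totals[r["client"]] += r["bytes"]
    return dict(totals)


def coverage(totals, netflow_bytes):
    """Logged byte total and the fraction of the NetFlow count it accounts for."""
    logged = sum(totals.values())
    return logged, (logged / netflow_bytes if netflow_bytes else 0.0)


if __name__ == "__main__":
    recs = parse_accesslog(SAMPLE_ACCESSLOG)
    start, end = cet_window(2022, 11, 22, 0, 45)  # 00:45-01:45 CET as in the thread
    per_client = bytes_by_client(recs, start, end, ("cloudsink.net", "amazonaws.com"))
    logged, frac = coverage(per_client, 50 * 1024 ** 3)  # constructed NetFlow figure
    for client, n in sorted(per_client.items(), key=lambda kv: -kv[1]):
        print(f"{client:16} {n / 1024 ** 3:8.2f} GiB")
    print(f"access log accounts for {frac:.1%} of the NetFlow bytes; "
          "a large gap means the log has not caught up yet or the traffic bypassed the proxy")
```

Running it against a real accesslog export is a matter of replacing SAMPLE_ACCESSLOG with the file contents; the per-client table answers "which client" and the coverage fraction makes the lag the poster saw (a small fraction hours later, then a large one) visible as a number instead of an impression.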
11-22-2022 05:26 AM
Not the delay we expected. While it was still ongoing, did it take time to complete before reporting?
11-22-2022 11:04 AM
Hello,
I am pretty sure AWS adds its own timestamp, and somehow that overrides your local settings. How that can happen we need to find out; if possible, find out how and where the CrowdStrike data is hosted exactly (e.g. an S3 bucket). Is there a way for you to get that information?