Hi All
I have been working with the ASA devices for a very long time but am very new with the Sourcefire modules, so sorry if I am asking a silly question here!
We currently have two 5516-x series with the firepower module that are managed by a Virtual FMC. All of our policies are in place and everything is working well. We have noticed recently that any reporting we run only includes data from the access rules that have a log entry in them however (which I guess makes sense).
Our access rules work on the basis of blocking any traffic that we don't want (peer to peer / certain categories etc.) and then the policy default rule is a balanced security and connection ids rule which will then allow anything else.
We have a requirement to track what websites users are using, and some of the management team want a daily report to see who is using the internet, what sites they are visiting and for how long as well. In order to do this my understanding is that I will need to create a new rule in my access policy with an "allow" entry and then log at the beginning and end of connection.
Will this not create a LOT of data though? And will the data auto rotate itself? We have around 200 users, and I'm just a little concerned that this will kill the FMC? The logic I am using is similar to the log keyword you would get on a traditional ACL.
Appreciate any advice on this.
Regards
Kamran