ASA-5516-X Firepower FMC log / report
11-05-2016 03:31 AM - edited 02-21-2020 05:57 AM
Hi All
I have been working with the ASA devices for a very long time but am very new with the Sourcefire modules, so sorry if I am asking a silly question here!
We currently have two 5516-x series with the firepower module that are managed by a Virtual FMC. All of our policies are in place and everything is working well. We have noticed recently that any reporting we run only includes data from the access rules that have a log entry in them however (which I guess makes sense).
Our access rules work on the basis of blocking any traffic that we don't want (peer to peer / certain categories etc.) and then the policy default rule is a balanced security and connection ids rule which will then allow anything else.
We have a requirement to track what websites users are using, and some of the management team want a daily report to see who is using the internet, what sites they are visiting and for how long as well. In order to do this my understanding is that I will need to create a new rule in my access policy with an "allow" entry and then log at the beginning and end of connection.
Will this not create a LOT of data though? And will the data auto rotate itself? We have around 200 users, and I'm just a little concerned that this will kill the FMC. The logic I am using is similar to the log keyword you would get on a traditional ACL.
Appreciate any advice on this
Regards
Kamran
11-11-2016 06:53 AM
Hi
Just to let anyone who has a similar concern in the future know: we ended up logging on the IDS policy, as it achieved the same result. It made hardly any difference to the consumed RAM/CPU power of the FMC, so it looks OK to do it.
Just to be certain, I did raise a TAC case also and was told this is the recommended way of doing this.
