Cisco FirePower Reporting - Bandwidth Statistics

John5mith
Level 1

Hi All,

I was hoping someone could shed some light on how I can create a bandwidth report to show utilization stats for traffic entering the inside interface and exiting the outside interface on my Cisco Firepower ASA.

I currently have a 'Connection Summary Data' report showing Traffic (KB/s) against Time (see 'Report Parameters' attached), but this looks like an aggregated report for all interfaces, as the KB/s shown in the report (see 'Report Output' attached) looks like it is way above our Internet line speed. So I was wondering whether there was any way in which a report could be created to show only traffic exiting the outside interface?

Thanks,
John

Accepted Solutions

Marvin Rhoads
Hall of Fame

I don't think you can do that with FMC.

I'd suggest doing Netflow on the ASA itself and using a Netflow collector like PRTG, ManageEngine etc. to create your reports.

Thanks Marvin. You would think that this should be possible as it seems the device is logging this data. Do you know whether anything is possible with the use of eStreamer combined with a third-party application, or is this purely for security event reporting?

You're welcome.

You're right - one would think this would be a simple query that they would have pre-built reports for the administrator to use. I gave similar feedback to Cisco just last week.

AFAIK, eStreamer cannot be used for this purpose. Per the eStreamer Integration Guide:

The service can stream the following categories of data:

  • Intrusion event data and event extra data
  • Correlation (compliance) event data
  • Discovery event data
  • User event data
  • Metadata for events
  • Host information
  • Malware event data

Source:

http://www.cisco.com/c/en/us/td/docs/security/firepower/621/api/eStreamer/EventStreamerIntegrationGuide_621/Intro.html

Thanks again much appreciated!

guibarati
Level 4

I stumbled upon this question looking for something else, but here is how I do it:

Go to Analysis -> Connection Events, click Edit Search, and configure the search constraint to specific Zone/Interfaces (ingress or egress).

Then, select the time period you want to sample, click on "Switch Workflow", and select the option "Traffic over time".

This should give you the graph you are looking for.

This only works if you are logging all traffic as connection events. 

This is correct. With the workflow, the FMC will show you the information based on the "connection events" table. It will show you an aggregate graph of the "initiator bytes" or "responder bytes" depending on the graph you select.

Another thing I found out since my post is that you can't filter traffic based on source or destination zones for the graphs. You can use source/destination zones on the connection events table, but not on the graphs.

When you open the "search" page for the connection events, it will show you an asterisk "*" on the fields that can be used as search constraints on the graphs, and src/dst zones are not one of them. So you would have to use something like the subnet IPs that are related to each zone to get the bandwidth for specific zone pairs.
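
The subnet workaround described in the post above, as an added example that is not part of the thread and is not Cisco code: it keeps only connections whose initiator is in the inside subnets and whose responder is not, then spreads each connection's initiator and responder bytes across time buckets to get KB/s per direction. The field names, subnets and sample records are constructed assumptions, not an FMC export format.

```python
import ipaddress
from collections import defaultdict

# Constructed sample records, not FMC output. Field names are assumptions
# standing in for columns of an exported connection events table.
# "first"/"last" are first/last packet times in seconds.
SAMPLE_EVENTS = [
    # inside host -> Internet, 600 s long, spans two 300 s buckets
    {"first": 0, "last": 600, "initiator_ip": "10.1.1.10",
     "responder_ip": "203.0.113.5", "initiator_bytes": 6_000_000,
     "responder_bytes": 60_000_000},
    # inside -> inside: inflates an all-interface total, must be excluded
    {"first": 0, "last": 300, "initiator_ip": "10.1.1.10",
     "responder_ip": "10.1.2.20", "initiator_bytes": 900_000_000,
     "responder_bytes": 900_000_000},
    # inside -> Internet, short connection inside the second bucket
    {"first": 400, "last": 400, "initiator_ip": "10.1.3.7",
     "responder_ip": "198.51.100.9", "initiator_bytes": 300_000,
     "responder_bytes": 3_000_000},
]
INSIDE_NETS = [ipaddress.ip_network("10.1.0.0/16")]  # assumed inside-zone subnets


def is_inside(ip, nets=INSIDE_NETS):
    """True when ip belongs to one of the subnets mapped to the inside zone."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def internet_kbps(events, bucket=300):
    """Return {bucket_start: (upload_KBps, download_KBps)}, 1 KB = 1000 bytes."""
    totals = defaultdict(lambda: [0.0, 0.0])
    for ev in events:
        if not is_inside(ev["initiator_ip"]) or is_inside(ev["responder_ip"]):
            continue  # keep only the inside -> outside zone pair
        start, end = ev["first"], max(ev["last"], ev["first"] + 1)
        b = start - start % bucket
        while b < end:
            # fraction of the connection's lifetime that falls in this bucket
            overlap = min(end, b + bucket) - max(start, b)
            share = overlap / (end - start)
            totals[b][0] += ev["initiator_bytes"] * share
            totals[b][1] += ev["responder_bytes"] * share
            b += bucket
    return {b: (up / bucket / 1000, down / bucket / 1000)
            for b, (up, down) in sorted(totals.items())}
```

Spreading bytes over the connection's lifetime is an approximation, since a connection record carries only totals and not a per-second profile.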

cyborgzhouse
Level 1

I have traffic graphing on the Firepower Threat devices. You have to use the LINA OS partition using the FTD management interface.

This works on everything except the Azure or AWS virtual FTDs. I use CACTI for traffic graphing.

Chris
