06-25-2020 01:03 AM - edited 06-25-2020 01:05 AM
Hi,
I have found the below article which describes how to create a workflow in FMC to display hit count for access rules.
This works great. But we have several thousand rules under one access policy, and the workflow can retain hit count data for only about 10 minutes, as it displays hit counts for all the access rules.
Is it possible to create a workflow in this manner for only one access rule under an access policy?
Any idea would be appreciated.
Thanks in advance,
Zobaarul
06-25-2020 04:59 AM
What is your use case for wanting this? Is it to store the data or present in a report or show on a dashboard or something else?
06-27-2020 08:03 AM
Hi,
Thanks for your feedback.
We have some access rules with larger blocks or the "any" keyword in the source, destination and port fields. We want to find out the specific IPs/ports in those "any" or larger blocks which are actually being used or getting any hits, then replace the larger blocks or "any" keywords with these specific IPs/ports.
Using the method mentioned in the link I shared in my post, we could see the hits, but only for a small amount of time, like the previous 5 to 10 minutes.
I think this workflow generates a report based on the connection event logs in the event viewer. So even if I could make such a workflow with only one access rule, it might not get me additional data. Increasing the event viewer retention capacity might provide me with more data.
If you have any idea about this and could share it here, it would be much appreciated.
07-05-2020 04:34 AM
I see. If your ACP rule logs connections it would be better to just do Analysis > Connections and filter on the interesting traffic. You could create a report from such a query and get information for as far back as your FMC has connection events.
07-08-2020 10:29 AM
Thanks for your suggestion. Filtering connection events by access rule name works better for me than the workflow.
07-08-2020 11:18 AM
If you are running version 6.4 or higher, you could use the Analyze Hit Counts function located on the Access Control Policy page. It will show you the name of the rule, how many hits the rule has and the time of the last hit.
08-04-2020 01:25 AM
Thanks for the reply. We use that option. But only seeing the number of hits does not meet my requirement here. I need the source IP, destination IP and port for a particular hit.
Though the connection events retain this info for a short time, combining the search from connection events and Analyze Hit Counts somewhat served my purpose.
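The approach the thread settles on is to filter connection events by access rule name and read off the source IP, destination IP and port behind an "any" rule so the rule can be tightened. Below is an added example (not from the original thread, not FMC's own tooling) that does that aggregation offline over an exported connection-event CSV. The column names in the sample are assumed for illustration and are not a real FMC export layout; the sample rows are constructed.

```python
import csv
import io
from collections import defaultdict

# Constructed sample of a connection-event export. The column names are an
# assumption for this example and do not reflect a real FMC export layout.
SAMPLE_CSV = """access_control_rule,initiator_ip,responder_ip,responder_port,protocol,action
Allow-Any-To-DMZ,10.1.1.5,192.0.2.10,443,tcp,Allow
Allow-Any-To-DMZ,10.1.1.5,192.0.2.10,443,tcp,Allow
Allow-Any-To-DMZ,10.1.1.7,192.0.2.10,443,tcp,Allow
Allow-Any-To-DMZ,10.1.2.9,192.0.2.11,22,tcp,Allow
Block-Legacy,10.9.9.9,198.51.100.4,23,tcp,Block
"""


def summarize_rule_usage(csv_text, rule_name):
    """Count distinct (initiator, responder, port, protocol) tuples matched by one rule.

    Only rows whose access_control_rule equals rule_name are considered, which
    mirrors filtering the Connections view by rule name in the FMC UI.
    """
    counts = defaultdict(int)
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["access_control_rule"] != rule_name:
            continue
        key = (
            row["initiator_ip"],
            row["responder_ip"],
            int(row["responder_port"]),
            row["protocol"].lower(),
        )
        counts[key] += 1
    return dict(counts)


def proposed_objects(summary):
    """Collapse the observed tuples into the sets that could replace 'any'.

    Returns sorted lists of sources, destinations and (protocol, port) pairs;
    these are candidates to review, not an automatic rule change.
    """
    return {
        "sources": sorted({k[0] for k in summary}),
        "destinations": sorted({k[1] for k in summary}),
        "ports": sorted({(k[3], k[2]) for k in summary}),
    }


if __name__ == "__main__":
    summary = summarize_rule_usage(SAMPLE_CSV, "Allow-Any-To-DMZ")
    for key, hits in sorted(summary.items(), key=lambda kv: -kv[1]):
        src, dst, port, proto = key
        print(f"{src} -> {dst}:{port}/{proto}  hits={hits}")
    print(proposed_objects(summary))
```

The caveat the thread already raises applies here too: the output is only as complete as the connection-event retention window, so exports taken over a longer period (or several exports merged) are needed before narrowing a rule, and rules that do not log connections produce no rows at all.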