07-30-2016 02:36 PM - edited 02-21-2020 05:52 AM
Hi folks, interested to hear how far back in the connection events people are able to go?
With a virtual FMC in production for about 2 months, with the maximum number of managed hosts and the default settings, we quickly went down to 24 hours.
I.e., we could not search back in time further than 24 hours. I've tweaked the settings and got a little more out of it.
Anyone know how to determine what flows or protocols are causing the exhaustion?
Thx
07-30-2016 09:15 PM
Your logging settings will be what is chewing it.
Some things you can do:
07-31-2016 02:45 AM
It would be good to know what the 'top 10' protocols are that caused the exhaustion.
Thx - I've stopped logging for DNS, SNMP, and Kerberos for now. Interested to see how much more I get out of it before turning off logging at start.
FYI, by default the product doesn't alert you to connection event pruning unless you add an email address.
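Nobody in the thread posts a way to get the "top 10" above, so here is an added example (not from this thread, and not Cisco's tooling) that answers it offline from a CSV export of connection events. The column names in the header are an assumed schema for the constructed sample below, not a guaranteed FMC export layout; remap them to your own export's header row. It ranks events by application protocol and by access control rule, counts flows logged at both beginning and end of connection, picks out reply-direction web events of the kind described later in the thread, and turns an observed event rate into the number of hours the table will hold before it wraps.

```python
"""Rank what fills an FMC connection-event database, from a CSV export."""
import csv
import io
from collections import Counter

# Constructed sample export (ten events). The header is an ASSUMED schema
# for this example; adjust the field names if your export differs.
SAMPLE_CSV = """\
first_packet,initiator_ip,responder_ip,src_port,dst_port,protocol,app_protocol,rule,logged_at
2016-07-30T10:00:00,10.1.1.5,8.8.8.8,51001,53,udp,DNS,Allow-Outbound,beginning
2016-07-30T10:00:00,10.1.1.5,8.8.8.8,51001,53,udp,DNS,Allow-Outbound,end
2016-07-30T10:00:01,10.1.1.6,8.8.8.8,51002,53,udp,DNS,Allow-Outbound,beginning
2016-07-30T10:00:01,10.1.1.6,8.8.8.8,51002,53,udp,DNS,Allow-Outbound,end
2016-07-30T10:00:02,10.1.1.7,93.184.216.34,51003,443,tcp,HTTPS,Allow-Outbound,beginning
2016-07-30T10:00:02,93.184.216.34,10.1.1.7,443,51003,tcp,HTTPS,Allow-Outbound,beginning
2016-07-30T10:00:03,10.1.1.8,10.2.2.2,51004,88,tcp,Kerberos,Trust-Internal,beginning
2016-07-30T10:00:03,10.1.1.8,10.2.2.2,51004,88,tcp,Kerberos,Trust-Internal,end
2016-07-30T10:00:04,10.1.1.9,10.2.2.3,51005,161,udp,SNMP,Trust-Internal,beginning
2016-07-30T10:00:05,10.1.1.10,10.2.2.4,51006,445,tcp,SMB,Trust-Internal,beginning
"""

# Ports whose presence as the *source* port marks the reply leg of a web
# session being logged as a connection of its own (heuristic, not an FMC field).
SERVICE_PORTS = {80, 443}


def load_events(text):
    """Parse a CSV export into one dict per connection event."""
    return list(csv.DictReader(io.StringIO(text)))


def top_n(events, field, n=10):
    """Rank the values of one column by event count, e.g. app_protocol or rule."""
    return Counter(e[field] for e in events).most_common(n)


def flow_key(e):
    """5-tuple identifying a flow, direction-sensitive."""
    return (e["initiator_ip"], e["responder_ip"], e["src_port"],
            e["dst_port"], e["protocol"])


def double_logged_flows(events):
    """Flows that produced both a beginning-of-connection and an
    end-of-connection event; each costs two rows where one would do."""
    seen = {}
    for e in events:
        seen.setdefault(flow_key(e), set()).add(e["logged_at"])
    return [k for k, kinds in seen.items() if {"beginning", "end"} <= kinds]


def reply_direction_events(events):
    """Events whose source port is a well-known service port."""
    return [e for e in events if int(e["src_port"]) in SERVICE_PORTS]


def hours_until_wrap(db_limit, events_seen, window_seconds):
    """Hours the event table lasts at the observed rate before the oldest
    events are pruned. 1,000,000 events in 600 s against a 1,000,000-event
    limit gives one sixth of an hour, i.e. ten minutes."""
    if events_seen == 0:
        return float("inf")
    rate = events_seen / window_seconds          # events per second
    return db_limit / rate / 3600


if __name__ == "__main__":
    ev = load_events(SAMPLE_CSV)
    print("top app protocols:", top_n(ev, "app_protocol"))
    print("top rules:", top_n(ev, "rule"))
    print("flows logged at both beginning and end:", len(double_logged_flows(ev)))
    print("reply-direction web events:", len(reply_direction_events(ev)))
    print("hours until wrap at 1M events / 10 min, 1M limit:",
          round(hours_until_wrap(1_000_000, 1_000_000, 600), 3))
```

Run it against a real export by replacing SAMPLE_CSV with the file contents; the `rule` ranking tells you which Trust or Allow rules to stop logging first, and the `double_logged_flows` count is the number of rows you save by logging only at beginning or only at end.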
07-31-2016 11:07 PM
Hello Team,
Please refer to the database limits for the configuration part. Configuring beyond that limit will affect system performance.
http://www.cisco.com/c/en/us/td/docs/security/firesight/541/user-guide/FireSIGHT-System-UserGuide-v5401/System-Policy.html#pgfId-8018593
As a best practice to avoid pruning, please avoid enabling logging at both beginning and end of connections. Use either beginning or end of connection. Avoid logging connections for allow rules. Give priority to important rules and enable logging for those.
Rate and mark correct if the post helps you
Regards
Jetsy
08-01-2016 02:07 PM
Hi Jetsy,
What do you mean by 'avoid logging connections for allow rules'?
If one has an allow rule with IPS and File/Malware, are you saying not to log at all?
I think a lot of companies will not have many rules and will have a rule like I mention above. So when I read this line it says to me to predominantly not log connection events at all.
08-02-2016 10:16 AM
Hi ,
I think Jetsy meant to avoid logging on Trust rules not the "Allow rules" , Avoid logging internal traffic like traffic between inside to dmz servers etc .Also use logging either at beginning or end of connection.
Regards,
Aastha Bhardwaj
Rate if that helps!!!
08-03-2016 05:36 PM
That makes more sense. What I have been surprised to find is that HTTP logging also creates a separate log for the reply traffic, i.e., external IP, source port 443. Boy, can that lead to a lot of logs.
For anyone new, don't forget the email address in the Configure > Database page to get alerted for connection wrapping. It will happen, and happen quickly. One customer had wrapping in 10 minutes; yes, 1,000,000 connections in 10 minutes.
07-31-2016 09:55 PM
Let's say I disable logging completely for DNS udp/tcp. Will DNS IPS events still be caught? I believe so, but my testing isn't sending me alerts anymore (but I have correlation to look at too). Just want to rule this out.
**Managed to answer this with a bit more testing - yes, disabling logging in the ACL still results in alerts for IPS**, what you'd expect really.