5126 Views, 0 Helpful, 8 Replies

FMC Connection History - how far back is the average

evan.chadwick1
Level 1

Hi Folks, Interested to hear how far back in the Connection Events time are people able to go?

With a virtual FMC in production for about 2 months with maximum managed hosts and the default settings we quickly went down to 24 hours.

I.e., we could not search back in time further than 24 hours. I've tweaked the settings and got a little more out of it.

Anyone know how to determine what flows or protocols are causing the exhaustion?

Thx

1 Accepted Solution (Aastha Bhardwaj's reply, below)
8 Replies

Philip D'Ath
VIP Alumni

Your logging settings will be what is chewing it.

Some things you can do:

  • Only log the end of the flow, not the start and end
  • Create rules for high volume flows you are not interested in and set the logging to none.

Would be good to know what the 'top 10' protocols are that caused the exhaustion. 

Thx - I've stopped logging for DNS, snmp, and kerberos for now. Interested to see how much more i get out of it before turning off logging start.

FYI, by default the product doesn't alert you to connection event pruning unless you configure an email address.
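To answer the "top 10 protocols" question from the replies above with data rather than guesswork, here is a small script (an added example, not code from this thread or from Cisco) that reads a CSV export of connection events, ranks the rules, application protocols and protocol/port pairs by event count, and turns the observed event rate into an estimated retention time for a given database limit. The column names in COLS, the timestamp layout, the sample rows and the 1,000,000-event limit are assumptions; the limit in particular depends on the FMC model and must be taken from your own System > Configuration > Database page.

```python
"""Rank connection-event consumers and estimate retention from an FMC CSV export.

Added example, not from the thread. Assumes a CSV export of connection events
with the column names listed in COLS; adjust them to match your FMC version.
"""
import csv
import io
from collections import Counter
from datetime import datetime
from typing import Dict, List, Sequence, Tuple

Event = Dict[str, str]

# Assumed export column names; rename these if your export differs.
COLS = {
    "time": "First Packet",
    "action": "Action",
    "rule": "Access Control Rule",
    "app": "Application Protocol",
    "proto": "Protocol",
    "dport": "Destination Port / ICMP Code",
}
TIME_FMT = "%Y-%m-%d %H:%M:%S"  # assumed timestamp layout in the export

# Constructed sample: 12 events over exactly 10 minutes, DNS dominating.
SAMPLE_CSV = """First Packet,Action,Access Control Rule,Application Protocol,Protocol,Destination Port / ICMP Code
2016-05-01 10:00:00,Allow,Inside-to-DMZ,DNS,udp,53
2016-05-01 10:00:05,Allow,Inside-to-DMZ,DNS,udp,53
2016-05-01 10:01:00,Allow,Inside-to-DMZ,DNS,udp,53
2016-05-01 10:02:00,Allow,Inside-to-DMZ,DNS,udp,53
2016-05-01 10:03:00,Allow,Inside-to-DMZ,DNS,udp,53
2016-05-01 10:03:30,Allow,Users-to-Internet,HTTPS,tcp,443
2016-05-01 10:04:00,Allow,Users-to-Internet,HTTPS,tcp,443
2016-05-01 10:05:00,Allow,Users-to-Internet,HTTP,tcp,80
2016-05-01 10:06:00,Trust,Monitoring,SNMP,udp,161
2016-05-01 10:07:00,Trust,Monitoring,SNMP,udp,161
2016-05-01 10:08:00,Allow,Inside-to-DMZ,Kerberos,tcp,88
2016-05-01 10:10:00,Allow,Users-to-Internet,HTTPS,tcp,443
"""


def parse_events(csv_text: str) -> List[Event]:
    """Parse the CSV export into one dict per connection event."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def top_consumers(events: Sequence[Event], fields: Sequence[str], n: int = 10) -> List[Tuple[str, int]]:
    """Rank the distinct values of the given logical fields (joined by '/') by event count.

    Ties are broken alphabetically so the output is deterministic.
    """
    counts = Counter("/".join(e[COLS[f]] for f in fields) for e in events)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


def events_per_hour(events: Sequence[Event]) -> float:
    """Observed event rate over the span between the earliest and latest event."""
    times = sorted(datetime.strptime(e[COLS["time"]], TIME_FMT) for e in events)
    span_seconds = (times[-1] - times[0]).total_seconds()
    if span_seconds <= 0:
        raise ValueError("need events spanning a non-zero interval to compute a rate")
    return len(events) / (span_seconds / 3600.0)


def estimated_retention_hours(rate_per_hour: float, db_limit: int) -> float:
    """Hours until the connection-event table wraps if the rate stays constant."""
    return db_limit / rate_per_hour


def report(csv_text: str, db_limit: int, n: int = 10) -> Dict[str, object]:
    """Summarise who is filling the connection-event database and how fast."""
    events = parse_events(csv_text)
    rate = events_per_hour(events)
    return {
        "events": len(events),
        "rate_per_hour": rate,
        "retention_hours": estimated_retention_hours(rate, db_limit),
        "by_rule": top_consumers(events, ("rule",), n),
        "by_app": top_consumers(events, ("app",), n),
        "by_proto_port": top_consumers(events, ("proto", "dport"), n),
    }


if __name__ == "__main__":
    # 1,000,000 is the wrap figure quoted later in this thread, used here only as
    # an example input; read the real limit from your own FMC database settings.
    for key, value in report(SAMPLE_CSV, db_limit=1_000_000).items():
        print(f"{key}: {value}")
```

Run it against a real export (a few hours' worth is enough) and the "by_rule" and "by_proto_port" lists tell you which access control rules to set to no logging, or to log only at end of connection, before you touch the rules that carry IPS or file policies.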

Hello Team,

Please refer to the database limits for the configuration part. Configuring beyond that limit will affect system performance.

http://www.cisco.com/c/en/us/td/docs/security/firesight/541/user-guide/FireSIGHT-System-UserGuide-v5401/System-Policy.html#pgfId-8018593

For the best practice to avoid pruning, please avoid enabling logging at both beginning and end of the connections. Either use beginning or end of connection. Avoid logging connections for allow rules. Give priority to important rules and enable logging for those.

Rate and mark correct if the post helps you

Regards

Jetsy

Hi Jetsy, 

what do you mean by 'avoid logging connections for allow rules'?

If one has an allow rule with IPS and File Malware, are you saying not to log at all?

I think a lot of companies will not have many rules and will have a rule like I mention above. So when I read this line it says to me to predominantly not log connection events at all.

Hi,

I think Jetsy meant to avoid logging on Trust rules, not the "Allow rules". Avoid logging internal traffic like traffic between inside and DMZ servers etc. Also use logging either at beginning or end of connection.

Regards,

Aastha Bhardwaj

Rate if that helps!!!

That makes more sense. What I have been surprised to find is that http logging also creates a separate log for the reply traffic. I.e. External IP, src port 443. Boy can that lead to a lot of logs.

For anyone new, don't forget the Email address in the Configure>Database page to get alerted for connection wrapping. It will happen, and happen quickly. One customer had wrapping in 10 minutes, yes 1,000,000 connections in 10 minutes.

Let's say I disable logging completely for DNS udp/tcp. Will DNS IPS events still be caught? I believe so, but my testing isn't sending me alerts anymore (but I have correlation to look at too). Just want to rule this out.

**Managed to answer this with a bit more testing: yes, disabling logging in the ACL still results in alerts for IPS** what you'd expect really

Wouldn't logging only at the end miss the initiator IP addr of the connection event?