523 Views, 0 Helpful, 4 Replies

FMC / FTD equivalent to ASDM / ASA Top 10 Sources, Destinations, etc.

brettp
Level 1

Hello, this is admittedly so basic... I have to apologize... but I cannot find the answer anywhere! Threat Detection on the Cisco ASA would populate Top 10 Sources, Destinations, etc. lists that were easily visible within ASDM. What is the equivalent with the FTD / FMC? There is no widget, that I can find, that shows this information. I do see "Traffic by Initiator IP" in the default Connection Summary dashboard, but it's inexplicably showing me just one IP on a network with hundreds of clients. Does this information come from what is being logged only or from all traffic passing through the device? Is the only option on the FTD to set up Netflow (NSEL?) and send to a collector? There is no way to do this via FMC? Basically... what happened is that I just set up an FTD on our production network that is passing traffic, etc. I noticed throughput hit 950Mbps at a certain time today so I simply wanted to know what generated the spike (which is almost certainly one client pulling in a large file.) I figured FMC would have collected the information by default but I guess not. Any information and/or insight is appreciated! Thanks!

4 Replies

urathod
Cisco Employee

Hello @brettp ,

You can use the FMC dashboard, which has many filter criteria like "Traffic by Initiator IP", "Traffic by Responder IP" & many others.

Please refer to the attached screenshot.

Also please refer to the link below for more details & features available in the FMC dashboard.

https://www.cisco.com/c/en/us/td/docs/security/firepower/622/configuration/guide/fpmc-config-guide-v622/dashboards.html

You can also learn more about Secure Firewall (formerly known as NGFW) through our live Ask the Experts (ATXs) session. Check out Cisco Network Security ATXs Resources [https://community.cisco.com/t5/security-knowledge-base/cisco-network-security-ask-the-experts-resources/ta-p/4416493] to view the latest schedule for upcoming sessions, as well as the useful references, e.g. online guides, FAQs.

Let me know if you have any questions.

@urathod,

Thank you for the reply and information. I appreciate it! The problem is, when I view that information ("Traffic by Initiator," etc.) it never shows me more than one IP. And I know for a fact, the IP it's showing me does not even belong there as a heavy hitter on the network. It appears to me... though I don't know for sure... that "Traffic by Initiator" is only showing me traffic that is explicitly logged by the FTD. Is that how the widget works? Does this widget only show logged traffic? Is it safe to log all traffic on the FTD when there are hundreds and hundreds of hosts connected? It seems to me the databases would become unwieldy and bog everything down. Thank you!

@brettp we typically log most if not all ACP rules to FMC. That gives the visibility for the various connection events and allows more complete analysis such as with the widgets you mentioned. The database tables will operate on a first in first out scheme as they fill up. With FMC 7.0 and higher you can see in the health monitor how long a period the database retains given the current event rate.

For a more full-featured analysis of the types you are asking about many organizations export flow records via Netflow to a separate tool (Cisco SNA/Stealthwatch is one (expensive but very rich functionality) and many other low cost options are available such as ntop (open source) PRTG free version, etc.)
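
The point made in the two replies above (a dashboard widget is built only from connection events, so a connection matching an ACP rule without logging enabled never appears in it, whereas a flow collector sees every forwarded flow) can be shown with a small aggregation. The following is an added example, not code from any participant in this thread and not a Cisco tool or FMC export format: the record fields and the sample connections are constructed to resemble connection-event / flow-record fields, and the retention helper simply models the first-in-first-out behaviour described above.

```python
"""Top-N sources/destinations from connection events vs. from all flows.

Added example (not from the thread, not Cisco code). Field names and sample
records are constructed assumptions loosely modelled on FTD connection-event
and NSEL flow fields; they are not a real FMC export.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class ConnEvent:
    initiator: str        # source IP (dashboard: "Initiator IP")
    responder: str        # destination IP (dashboard: "Responder IP")
    responder_port: int
    initiator_bytes: int  # bytes sent by the initiator
    responder_bytes: int  # bytes sent by the responder
    logged: bool          # True if the matching ACP rule has logging enabled

    @property
    def total_bytes(self) -> int:
        return self.initiator_bytes + self.responder_bytes


# Constructed sample (not real traffic). One host pulls a large file through a
# rule that does NOT log; a couple of other hosts match a rule that does log.
SAMPLE_EVENTS: List[ConnEvent] = [
    ConnEvent("10.1.1.50", "203.0.113.10", 443, 20_000, 950_000_000, logged=False),
    ConnEvent("10.1.1.50", "203.0.113.10", 443, 5_000, 120_000_000, logged=False),
    ConnEvent("10.1.1.77", "198.51.100.5", 443, 8_000, 2_500_000, logged=True),
    ConnEvent("10.1.1.77", "198.51.100.6", 80, 3_000, 1_200_000, logged=True),
    ConnEvent("10.1.1.23", "198.51.100.5", 443, 1_000, 300_000, logged=False),
    ConnEvent("10.1.1.88", "192.0.2.9", 22, 40_000, 60_000, logged=False),
]


def top_talkers(events: Iterable[ConnEvent], field: str, n: int = 10,
                logged_only: bool = True) -> List[Tuple[str, int]]:
    """Return [(ip, total_bytes), ...] for the top-n values of `field`.

    field is "initiator" (Top Sources) or "responder" (Top Destinations).
    logged_only=True models an FMC dashboard widget: it is fed by connection
    events, so connections matching a rule with logging disabled are absent.
    logged_only=False models a NetFlow/NSEL collector that sees every flow.
    """
    if field not in ("initiator", "responder"):
        raise ValueError("field must be 'initiator' or 'responder'")
    totals: Counter = Counter()
    for ev in events:
        if logged_only and not ev.logged:
            continue
        totals[getattr(ev, field)] += ev.total_bytes
    return totals.most_common(n)


def retention_days(db_capacity_events: int, events_per_day: int) -> float:
    """Approximate how long a first-in-first-out event table holds data
    at a steady event rate (capacity / daily event count)."""
    if events_per_day <= 0:
        raise ValueError("events_per_day must be positive")
    return db_capacity_events / events_per_day


if __name__ == "__main__":
    print("Dashboard view (logged connections only):")
    for ip, b in top_talkers(SAMPLE_EVENTS, "initiator"):
        print(f"  {ip:<15} {b:>14,} bytes")
    print("Collector view (all flows):")
    for ip, b in top_talkers(SAMPLE_EVENTS, "initiator", logged_only=False):
        print(f"  {ip:<15} {b:>14,} bytes")
    days = retention_days(100_000_000, 5_000_000)  # constructed figures
    print(f"FIFO retention at 100M capacity / 5M events per day: {days:.1f} days")
```

Run as-is, the dashboard view lists only 10.1.1.77, while the collector view puts 10.1.1.50 (the unlogged large download) at the top; that is exactly the gap between the widget output and the observed throughput spike that the thread is about. Enabling logging on the relevant rules, or exporting flows to a collector, closes it.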

@Marvin Rhoads Thank you for the reply. With the ASAs, we sent Netflow to PRTG... I haven't yet set up Netflow (or NSEL) on the FTD but did briefly read about it. Since we're talking about it, the ASA real-time log viewer was the most useful feature on the ASA platform, which is essentially lost with the FTD if you don't log all traffic. I don't want to go off on a tangent, but it is related to my original question. I was afraid to log all traffic on the FTD for fear of it causing database issues since they work differently than the ASA. Is that the best practice? Am I being unnecessarily over-cautious? I understand those are basically unanswerable questions because it depends on the number of clients, traffic, etc. But I would love to simply log everything... would you say most orgs typically do that with the FTD? Is that best practice? That would certainly give me the visibility I had with the ASA and perhaps accurately populate the widgets. Thank you again!