
FMC User web history reports

Hi All,

My employer requires that we have the ability to look back at a user's web browsing history. Whilst these requests are generally for some time in the last 3-6 months, we are expected to be able to report out to 12 months.

I am aware that you really need to turn logging off on non-essential rules, but we have only just migrated, so we really need to have that visibility for a bit yet.

99% of our rules are set to log at end only, not both.

We are using the FMC Virtual product and obviously have limitations on how much we can store on the virtual FMC, so my question is: what are people doing out there to report on this? Export to Splunk or Graylog and then filter from there? What syslogs are you exporting from FMC? How do you filter out the noise?

Thanks guys

4 Replies

Marvin Rhoads
Hall of Fame

I've not seen anybody doing this well with FMC among my deployments. It's really not a strength of the product. Customers with those sort of requirements are usually going with something like the WSA for its rich reporting capabilities.

Other alternatives are to use CDO management with a SAL subscription instead of FMC. That gives you 90 days by default with longer retention as an option. You could also use Umbrella - again 90 days with the option to send logs to an Amazon S3 bucket that you maintain.

Heino Human
Level 1

Hi Warren,

Where I work we have the same requirement to log user ID (AD credentials), IP address and URL, but for 3 years. In our environment we only log to FMC for what is important and when we need to troubleshoot. Pretty much everything else goes to a syslog server, which then backs up the data remotely.

When you do come to the point where the boss/business states they want the log for a particular user on a given date and time, this is available via syslog.

If they want reporting on it, that is not possible from the FMC or Firepower. We have a 4600 appliance and we use ours as an internet firewall and a fusion router, so there is way too much traffic going through it to report on.

Thank you

Heino

Thanks Heino for the glimmer of hope. Do you mind sharing what syslog IDs you export?

Hi Warren,

Apologies for the late reply, it has been absolutely crazy this side.

Below is a sample log on our syslog server for web traffic, and I think this is what you are after.

2020-09-07T04:04:19Z, ConnectionID: 9499, AccessControlRuleAction: Allow, SrcIP: X.X.X.X, DstIP: 151.101.30.133, SrcPort: 58034, DstPort: 443, Protocol: tcp, IngressInterface: STAFF, EgressInterface: Border_Internet, IngressZone: Z_STAFF, EgressZone: Z_Border, IngressVRF: Global, EgressVRF: Global, ACPolicy: XXXX-Internet, AccessControlRuleName: Allow known users to Internet, Prefilter Policy: XXXX-PreFilter, User: tcoppola, Client: SSL client, ApplicationProtocol: HTTPS, ConnectionDuration: 0, InitiatorPackets: 8, ResponderPackets: 9, InitiatorBytes: 1170, ResponderBytes: 5386, NAPPolicy: XXXX NAP, URLReputation: Unknown, URL: https://www.bulldogs.com.au

This log is not associated with a syslog ID; rather, we have logging enabled to the event viewer and syslog for a rule which has an identity policy associated with it.

So it's inside to outside network, though you have to be part of the 'internet' group via AD. The ACP is associated with an identity policy to get the source IP associated with an identity.

I hope this helps.

Thank you

Heino
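The two things the thread asks for, which syslog records to keep and how to filter out the noise, can be shown on the sample line Heino posted. The following is an added example (not code from the thread, from Cisco, or from any FMC tool): it parses connection-event lines in the comma-separated "Key: Value" layout of that sample, drops records that carry no URL or no mapped AD user, reduces each survivor to the handful of fields a 12-month lookback needs, and answers the "what did user X browse between these dates" question. The field names (User, SrcIP, URL, AccessControlRuleAction, ...) are taken from the posted sample; the extra log lines below are constructed for the example, and the exact field set FMC emits depends on your version and logging settings, so check the keys against your own syslog output. In a real deployment the lines would be pulled from Splunk or Graylog rather than a Python list.

```python
"""Per-user web history from FMC connection-event syslog lines (added example).

Assumes the comma-separated "Key: Value" layout of the sample line in the
thread; field names come from that sample, not from any FMC documentation.
"""
import re
from datetime import datetime, timezone
from typing import Any, Dict, List, Optional

# Constructed sample input: record 1 is the thread's own sample (source IP left
# as the poster's placeholder); the rest are made up to exercise the filters
# (DNS with no URL, a Block whose URL contains ", ", no mapped user, other user).
SAMPLE_LINES = [
    "2020-09-07T04:04:19Z, ConnectionID: 9499, AccessControlRuleAction: Allow, "
    "SrcIP: X.X.X.X, DstIP: 151.101.30.133, SrcPort: 58034, DstPort: 443, "
    "Protocol: tcp, IngressInterface: STAFF, EgressInterface: Border_Internet, "
    "IngressZone: Z_STAFF, EgressZone: Z_Border, IngressVRF: Global, "
    "EgressVRF: Global, ACPolicy: XXXX-Internet, "
    "AccessControlRuleName: Allow known users to Internet, "
    "Prefilter Policy: XXXX-PreFilter, User: tcoppola, Client: SSL client, "
    "ApplicationProtocol: HTTPS, ConnectionDuration: 0, InitiatorPackets: 8, "
    "ResponderPackets: 9, InitiatorBytes: 1170, ResponderBytes: 5386, "
    "NAPPolicy: XXXX NAP, URLReputation: Unknown, URL: https://www.bulldogs.com.au",
    "2020-09-07T04:05:02Z, ConnectionID: 9502, AccessControlRuleAction: Allow, "
    "SrcIP: 10.1.2.3, DstIP: 10.1.0.53, SrcPort: 51000, DstPort: 53, "
    "Protocol: udp, User: tcoppola, ApplicationProtocol: DNS",
    "2020-09-08T09:12:44Z, ConnectionID: 9611, AccessControlRuleAction: Block, "
    "SrcIP: 10.1.2.3, DstIP: 93.184.216.34, SrcPort: 51234, DstPort: 443, "
    "Protocol: tcp, User: tcoppola, Client: SSL client, ApplicationProtocol: HTTPS, "
    "URLReputation: Unknown, URL: https://example.com/search?q=foo, bar",
    "2020-09-08T10:00:00Z, ConnectionID: 9700, AccessControlRuleAction: Allow, "
    "SrcIP: 10.1.2.9, DstIP: 151.101.30.133, SrcPort: 40000, DstPort: 80, "
    "Protocol: tcp, Client: Web browser, ApplicationProtocol: HTTP, "
    "URL: http://www.bulldogs.com.au",
    "2020-09-09T08:30:10Z, ConnectionID: 9802, AccessControlRuleAction: Allow, "
    "SrcIP: 10.1.2.7, DstIP: 10.1.5.20, SrcPort: 52000, DstPort: 443, "
    "Protocol: tcp, User: jsmith, ApplicationProtocol: HTTPS, "
    "URL: https://intranet.example.internal/",
]

# Keys in the sample are words, optionally with a space ("Prefilter Policy").
# A field that does not start with such a key is treated as a continuation of
# the previous value, so a URL containing ", " survives the split.
KEY_RE = re.compile(r"^[A-Za-z][A-Za-z ]*$")


def parse_event(line: str) -> Dict[str, str]:
    """Split one connection event into a dict; the leading field is the timestamp."""
    fields = line.strip().split(", ")
    event = {"Timestamp": fields[0]}
    last_key = "Timestamp"
    for field in fields[1:]:
        key, sep, value = field.partition(": ")  # split at the first ": " only
        if sep and KEY_RE.match(key):
            event[key] = value
            last_key = key
        else:
            event[last_key] += ", " + field
    return event


def is_web_event(event: Dict[str, str]) -> bool:
    """Noise filter: keep only records with a URL and a user the identity policy mapped.

    DNS/NTP/raw TCP connections have no URL, and unmapped sources have no User;
    neither helps answer a browsing-history request, so they are not stored.
    """
    return bool(event.get("URL")) and bool(event.get("User"))


def compact(event: Dict[str, str]) -> Dict[str, Any]:
    """Reduce a full event to the fields a long-retention history actually needs."""
    ts = datetime.strptime(event["Timestamp"], "%Y-%m-%dT%H:%M:%SZ")
    return {
        "ts": ts.replace(tzinfo=timezone.utc),
        "user": event["User"],
        "src": event["SrcIP"],
        "dst": event.get("DstIP", ""),
        "action": event.get("AccessControlRuleAction", ""),
        "url": event["URL"],
    }


def web_history(lines: List[str], user: str,
                start: Optional[datetime] = None,
                end: Optional[datetime] = None) -> List[Dict[str, Any]]:
    """Web records for one user (case-insensitive), oldest first, within [start, end]."""
    records = []
    for line in lines:
        event = parse_event(line)
        if not is_web_event(event):
            continue
        rec = compact(event)
        if rec["user"].lower() != user.lower():
            continue
        if (start is not None and rec["ts"] < start) or (end is not None and rec["ts"] > end):
            continue
        records.append(rec)
    return sorted(records, key=lambda r: r["ts"])


if __name__ == "__main__":
    for rec in web_history(SAMPLE_LINES, "tcoppola"):
        print(rec["ts"].isoformat(), rec["action"], rec["src"], rec["url"])
```

Run against the sample, tcoppola's history comes back as two records (the allowed bulldogs.com.au visit and the blocked example.com request), while the DNS lookup and the request with no mapped user are discarded by is_web_event. Storing only what compact() returns, rather than the full event, is what keeps a 12-month archive small enough to query; the full syslog line can still be kept on the syslog server for the cases where the whole record is needed.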
