How to monitor internet usage on PIX

pambosch · ‎04-29-2003

we have a PIX 515 with ADSL connection to our Internet provider.We want to monitor internet usage from internal users.Basically we sometimes see high input traffic to the external interface of the firewall (we see that from PDM monitoring) which means that someone is downloading traffic from the internet.I want to monitor which specific user consumes the most internet bandwidth. Can we do this with a third-party tool?

Appreciate any help on this issue.

Thanks.

jmia · ‎04-30-2003

Hi Pambos,

Two things come to mind here, 1. You could enble pix logging and use standard hyperterminal to connect via consol port on the pix, this will show you who is accessing what from your inside network - I have this in place myself, also 2. if you have a internet router (cisco 1600 etc) you could enable IP Accounting to the internet interface and see which IP is chweing up you bandwith.

Hope this helps-

dwalsh · ‎05-14-2003

Take a look at Private I from Open Systems I think. It's very good, but kind of pricey.

Dave

pambosch · ‎05-14-2003

thanks a lot for the reply.

I will have a look at it.

Thanks

cody.rowland · ‎05-16-2003

I had a very similar issue so I thought I'd share my solution since it's been working well. What I ended up doing was mirroring (SPAN) the PIX port on our Catalyst 4006 switch. I then setup a workstation running Sniffer to monitor the mirrored port. With this in place I can monitor all inbound/outbound traffic coming through the default gateway. The Sniffer package is nice because I always have a visual representation of how much data is being transferred in and out and I can see the "Top 10 Hosts by Total Bytes Transferred". I can see what and where they are transferring data as well as capture the data for follow-up later on. Many of our users were surprised when we started "magically" cracking down on unauthorized use of company resources in this way. It doesn't take long before they start to police themselves out of fear of getting caught.

Hope this helps.

Cody Rowland

Infrastructure Engineer

pambosch · ‎05-16-2003

dear Cody,

Thanks a lot for the reply. Could you please tell me what sniffer brand you are using?

Thanks again

cody.rowland · ‎05-16-2003

We're using Sniffer Pro Version 4.5. You can go to www.sniffer.com for more information. Unfortunately, they have one of the most confusing websites of all time. They have MANY solutions, most of which are hardware based and very $$$. The package we have is just software and pretty much does the same thing as Ethereal (which is free) or MS Netmon. The only difference are the bells and whistles that allow you to see graphs and charts etc.

rahil.patel · ‎02-06-2004

You can enable netflow on your external router & collect statistics. If you are familiar with linux, there are many tools available for free that can give you user/usage stats. If you are a windows person, there are commercial software's available to collect netflow data. If you are interested in this direction, let me know & I can list you some of the available software's.

It only take 3-5 commands to enable netflow on the router.

e-mourad · ‎06-22-2004

Hi,

You can use a proxy Internet that is connected to the Internet with a PAT configuration. So, you can config the use PC to pass through the proxy. In the proxy you may define your policy and log settings. I use Wingate for proxy-cache and sawmill to analyse the log.

Hope this help u.

adrian.grigorof · ‎06-25-2004

See FireGen for Pix Log Analyzer. Lots of features, security analysis, traffic reports, configuration analysis, ip forensics and more.

See http://www.eventid.net/firegen/firegenpix2.asp