cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

2418
Views
0
Helpful
4
Replies
Highlighted
Beginner

Logging recommendations

Are there any recommendations as to when you should choose to log at the beginning or end?  I know in some circumstances, the only option is at the beginning due to the packet being dropped, but what about in other situations?  

For example, I have an access-control rule that has the Balanced Security and Connectivity IPS policy set and a custom File Policy.  The action is set to Allow which should still block bad stuff if it goes through.  Is it better to log at the beginning or end?

My default action for this policy is Network Discovery only.  Is it better to log at the beginning or end?

The only other place I have logging enabled is in the SSL policies and you can only log at the end.

The problem is that I ran into an issue where FMC seemed to have very few events (like maybe an hours worth) whereas previously I had days worth so I have a feeling I have too much logging toggled now.  Running the virtual appliance which looks like it maxes at 10M connection events.

1 ACCEPTED SOLUTION

Accepted Solutions
Highlighted
Cisco Employee

If you need to see whats

If you need to see whats going on in the network and keep track, you can have logging enabled.

I would suggest to use End-of-Connection in there as well.

For SSL policy you can  have it with end of connection as the SSL policy needs to make decision and then log which will be better.

Rate if helps.

Yogesh

View solution in original post

4 REPLIES 4
Highlighted
Cisco Employee

Hi

Hi

For a single connection, the end-of-connection event contains all of the information in the beginning-of-connection event as well as information that was gathered over the duration of the session. For Trust and Allow rules, it is recommended that End-of-Connection is used.

Rate if helps.

Yogesh

Highlighted
Beginner

What if Network Discovery

What if Network Discovery Only is your default action in the access policy?  Should that be logged or not and if so, at the beginning or end?

Highlighted
Cisco Employee

If you need to see whats

If you need to see whats going on in the network and keep track, you can have logging enabled.

I would suggest to use End-of-Connection in there as well.

For SSL policy you can  have it with end of connection as the SSL policy needs to make decision and then log which will be better.

Rate if helps.

Yogesh

View solution in original post

Highlighted
Beginner

Thanks for the info.  I made

Thanks for the info.  I made the necessary tweaks and I'm only getting ~20 hours of connection events.  If I look at the # of rows in Connection events, its only a little over 1 million and the virtual FMC appliance should be able to do 10 Million between connection events and Security Intelligence Events (there are no events in here).  I have a TAC case open to see what the deal is.