05-24-2016 07:58 AM - edited 03-12-2019 06:01 AM
Are there any recommendations as to when you should choose to log at the beginning or end? I know in some circumstances, the only option is at the beginning due to the packet being dropped, but what about in other situations?
For example, I have an access-control rule that has the Balanced Security and Connectivity IPS policy set and a custom File Policy. The action is set to Allow which should still block bad stuff if it goes through. Is it better to log at the beginning or end?
My default action for this policy is Network Discovery only. Is it better to log at the beginning or end?
The only other place I have logging enabled is in the SSL policies and you can only log at the end.
The problem is that I ran into an issue where FMC seemed to have very few events (like maybe an hour's worth), whereas previously I had days' worth, so I have a feeling I have too much logging toggled now. Running the virtual appliance, which looks like it maxes at 10M connection events.
05-24-2016 09:02 AM
Hi
For a single connection, the end-of-connection event contains all of the information in the beginning-of-connection event as well as information that was gathered over the duration of the session. For Trust and Allow rules, it is recommended that End-of-Connection is used.
Rate if it helps.
Yogesh
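The answer above rests on two facts: an end-of-connection event is a superset of the beginning-of-connection event for the same flow, and a flow a Block rule drops at its first packet never produces an end event at all. The consequence for the original question is that logging Allow/Trust rules at both ends roughly doubles the rows written without adding information, which shortens how far back a fixed-size event store reaches. The following Python model is an added illustration, not Cisco or Firepower code; the rule names, IP addresses, byte counts and event field names are constructed for the example, and the 10,000,000-event cap is the figure the thread cites for a virtual FMC.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Rule:
    name: str
    action: str          # "Allow", "Trust" or "Block"
    log_begin: bool      # log at beginning of connection
    log_end: bool        # log at end of connection


@dataclass(frozen=True)
class Connection:
    rule: str            # name of the matching access-control rule
    src: str
    dst: str
    bytes_sent: int
    bytes_recv: int
    duration_s: int


def events_for(conn: Connection, rule: Rule) -> List[Dict]:
    """Connection events one flow produces under the rule's logging settings.

    Field names are illustrative, not the real FMC schema.
    """
    base = {"rule": rule.name, "action": rule.action, "src": conn.src, "dst": conn.dst}
    events = []
    if rule.log_begin:
        events.append({**base, "type": "begin"})
    # A Block rule drops the flow at its first packet, so no end-of-connection
    # event can exist; logging at the beginning is the only option for it.
    if rule.log_end and rule.action != "Block":
        events.append({**base, "type": "end",
                       "bytes_sent": conn.bytes_sent,
                       "bytes_recv": conn.bytes_recv,
                       "duration_s": conn.duration_s})
    return events


def generate_events(conns: List[Connection], rules_by_name: Dict[str, Rule]) -> List[Dict]:
    out: List[Dict] = []
    for c in conns:
        out.extend(events_for(c, rules_by_name[c.rule]))
    return out


def count_by_type(events: List[Dict]) -> Dict[str, int]:
    counts = {"begin": 0, "end": 0}
    for e in events:
        counts[e["type"]] += 1
    return counts


def retention_hours(events_per_hour: float, cap: int = 10_000_000) -> float:
    """Hours of history a fixed-size event store holds at a steady logging rate."""
    return cap / events_per_hour


# Constructed sample traffic (not real data): four flows across three rules.
SAMPLE_CONNS = [
    Connection("web-allow", "10.0.0.5", "198.51.100.10", 4200, 98000, 12),
    Connection("web-allow", "10.0.0.6", "198.51.100.11", 900, 2300, 3),
    Connection("internal-trust", "10.0.0.7", "10.0.1.20", 150000, 2000000, 600),
    Connection("deny-bad", "10.0.0.8", "203.0.113.9", 60, 0, 0),
]


def rules(log_allow_both: bool) -> Dict[str, Rule]:
    """Rule set with Allow/Trust rules logged at both ends, or at the end only."""
    return {r.name: r for r in [
        Rule("web-allow", "Allow", log_begin=log_allow_both, log_end=True),
        Rule("internal-trust", "Trust", log_begin=log_allow_both, log_end=True),
        Rule("deny-bad", "Block", log_begin=True, log_end=False),
    ]}


def compare(conns: List[Connection] = SAMPLE_CONNS) -> Dict[str, Dict[str, int]]:
    """Row counts for the same traffic under the two logging choices."""
    return {"both": count_by_type(generate_events(conns, rules(True))),
            "end_only": count_by_type(generate_events(conns, rules(False)))}


if __name__ == "__main__":
    for setting, counts in compare().items():
        print(f"{setting:9s} begin={counts['begin']} end={counts['end']} "
              f"total={counts['begin'] + counts['end']}")
    # Retention under the virtual-FMC cap at the thread's rough rate:
    # ~1M rows covering ~20 hours is about 50,000 events/hour.
    print(f"hours at 50k/h: {retention_hours(50_000):.0f}")
```

On the sample traffic, logging both ends produces seven rows where end-only produces four, and the three end events still carry every field the dropped begin events had. The retention arithmetic also frames the original poster's follow-up: about 1 million rows spanning 20 hours is roughly 50,000 events per hour, which a 10M cap should hold for around 200 hours, so the 20-hour window they observed is not explained by the cap alone, which is the discrepancy they took to TAC.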
05-24-2016 11:09 AM
What if Network Discovery Only is your default action in the access policy? Should that be logged or not and if so, at the beginning or end?
05-24-2016 11:17 AM
If you need to see what's going on in the network and keep track, you can have logging enabled.
I would suggest to use End-of-Connection in there as well.
For the SSL policy you can have it with end of connection, as the SSL policy needs to make a decision and then log, which will be better.
Rate if it helps.
Yogesh
05-26-2016 06:37 AM
Thanks for the info. I made the necessary tweaks and I'm only getting ~20 hours of connection events. If I look at the # of rows in Connection events, it's only a little over 1 million, and the virtual FMC appliance should be able to do 10 million between connection events and Security Intelligence events (there are no events in here). I have a TAC case open to see what the deal is.