Need to further identify "ip traffic" - NetFlow or something else?

Eric Snijders
Level 1

Hi All,

We're massively cleaning up firewall rules to harden the network, but on some interfaces we have some permit ip any any rules which of course are hit massively. I want to further investigate this but haven't done this before.

What is the go-to way to do this? Set up NetFlow? If so, does anyone have a suggestion for a good NetFlow analyzer?

In this case I'm only interested in statistics about source, destination and protocol/port.

Thanks in advance and have a nice day!

Eric

3 Replies

PRTG is a good one. You can use SolarWinds NTA (but that is preferred if you
have NPM). Nagios is another option.

What I suggest is to enable log keyword in this ACL and point ASA to syslog
server. Generate logging reports to see connections matching this ACL.

Hi Mohammed,

Thanks for the suggestion! Sorry if I'm asking a stupid question right now, but what exactly do you mean with "generate logging report"? We already have a syslog server set up (although it's a really old Kiwi Syslog server), so enabling logging on this specific ACL is no problem. Are most syslog applications nowadays capable of generating a report which just gives me statistics? I'm not really interested in the individual logging lines, I'm looking for something that can show me, for example, how many tcp/443 packets from source X to destination X have come by.
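As an added example (not posted by anyone in this thread), the statistics asked for above can be pulled straight out of the syslog lines the ACL log keyword produces: the ASA emits message 106100 per flow, and after the first hit it aggregates repeats into one hit-cnt per interval, so the script sums hit-cnt rather than counting lines. The sample lines, addresses and the ACL name inside_in are constructed for the example.

```python
import re
import sys
from collections import Counter

# ASA message 106100 is what the ACL "log" keyword emits, e.g.
# %ASA-6-106100: access-list inside_in permitted tcp inside/10.1.1.20(51234)
#   -> outside/192.0.2.10(443) hit-cnt 1 first hit [0x1a2b3c4d, 0x0]
# For ICMP the bracketed numbers are type/code rather than ports.
ACL_LOG = re.compile(
    r"%ASA-\d-106100: access-list (?P<acl>\S+) (?P<action>permitted|denied|est-allowed) "
    r"(?P<proto>\S+) \S+/(?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"\S+/(?P<dst>[\d.]+)\((?P<dport>\d+)\) hit-cnt (?P<hits>\d+)"
)

def summarize(lines, acl=None):
    """Total hits per (proto, src, dst, dport), optionally for one ACL only."""
    totals = Counter()
    for line in lines:
        m = ACL_LOG.search(line)
        if not m or (acl and m["acl"] != acl):
            continue  # not a 106100 line, or a different ACL
        # Sum hit-cnt rather than counting lines: after the first hit the ASA
        # aggregates repeats into one "N-second interval" message per flow.
        key = (m["proto"], m["src"], m["dst"], int(m["dport"]))
        totals[key] += int(m["hits"])
    return totals

def report(totals, top=20):
    """Plain-text table of the busiest flows, highest hit count first."""
    rows = [f"{hits:>8}  {proto}/{dport:<5} {src} -> {dst}"
            for (proto, src, dst, dport), hits in totals.most_common(top)]
    return "\n".join(rows)

# Constructed sample syslog lines (hypothetical addresses, ACL name inside_in).
SAMPLE = [
    "<166>Jan 10 10:00:01 fw01 : %ASA-6-106100: access-list inside_in permitted tcp inside/10.1.1.20(51234) -> outside/192.0.2.10(443) hit-cnt 1 first hit [0x1a2b3c4d, 0x0]",
    "<166>Jan 10 10:05:01 fw01 : %ASA-6-106100: access-list inside_in permitted tcp inside/10.1.1.20(51240) -> outside/192.0.2.10(443) hit-cnt 4 300-second interval [0x1a2b3c4d, 0x0]",
    "<166>Jan 10 10:00:02 fw01 : %ASA-6-106100: access-list inside_in permitted udp inside/10.1.1.20(53001) -> outside/192.0.2.53(53) hit-cnt 2 first hit [0x5e6f7a8b, 0x0]",
    "<166>Jan 10 10:00:03 fw01 : %ASA-6-106100: access-list inside_in permitted tcp inside/10.1.1.21(40000) -> outside/192.0.2.10(443) hit-cnt 1 first hit [0x9c0d1e2f, 0x0]",
    "<166>Jan 10 10:00:03 fw01 : %ASA-6-302013: Built outbound TCP connection 12345 for outside:192.0.2.10/443 to inside:10.1.1.21/40000",
    "<166>Jan 10 10:00:04 fw01 : %ASA-6-106100: access-list outside_in denied tcp outside/203.0.113.7(5555) -> inside/10.1.1.5(22) hit-cnt 1 first hit [0x3a4b5c6d, 0x0]",
]

if __name__ == "__main__":
    # Feed a syslog text export on stdin (e.g. python acl_summary.py inside_in < export.txt);
    # with no stdin the constructed SAMPLE is summarized instead.
    acl = sys.argv[1] if len(sys.argv) > 1 else None
    lines = SAMPLE if sys.stdin.isatty() else sys.stdin
    print(report(summarize(lines, acl)))
```

The per-flow totals are what the granular rules get written from; flows that never appear over a representative period are what the permit any was silently carrying.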

Dennis Mink
VIP Alumni

You could even simplify this by using a packet capture and doing a traffic summary using Wireshark, then gradually add more granular rules on top of your permit any until you've covered everything, then rip the permit any out.

Please remember to rate useful posts, by clicking on the stars below.
