Anup Sasikumar
Beginner

PIX515E - Internal Nodes - Bandwidth Utilization

Hi Experts,

The infrastructure has a PIX515E as the firewall and a few web servers and database servers inside. Is it possible to retrieve information regarding the bandwidth available at the outside interface of the PIX (Internet link utilization) utilized by each of the nodes separately? I could use SNMP to get the overall data transfer at the outside interface of the PIX, but is it possible to get utilization details of individual nodes? Is Netflow an option?

It would be great if you could please put in your valuable suggestions.

Please help !

Regards,

Anup

Jouni Forss
Mentor

Hi,

I can't really think of that many options with the PIX alone.

I think the ASDM side has the ability to list top users by different statistics. I'm not sure if the possibility has always been there or if it came in with some certain software version. I would imagine though that the very oldest 6.x software versions probably don't support this.

If you have ASDM you could go to

  • Open ASDM
  • At the main "Home" page click the "Firewall Dashboard" tab
  • View the information from the different small windows on the tab


There are also other sections of the ASDM that give you some more information on the device performance levels.

Though this probably isn't enough when you really want to keep track of the traffic, at least it's something.

As I said before, it probably depends on your firewall software/ASDM software what you can actually view.

- Jouni

Hi Jouni ,

Thank you for the response and congrats on becoming the designated VIP for 2013 Security!

That's correct. ASDM has a lot of options on the dashboard for tracking the device performance and parameters, but unfortunately they are very limited and not that relevant in the case of the requirement.

I came across this tiny freeware application from Solarwinds which can monitor data transfer through an interface using SNMP in real time and gives you the output in a graph (http://www.solarwinds.com/products/freetools/real-time-bandwidth-monitor.aspx), both traffic in and traffic out. But that too won't be sufficient, as it gives only the overall data transfer through the interface.

Internet -> PIX -> Web Servers/Database Servers/Backup Servers

I tried taking the NIC utilization of the servers, but that would include all the network activity, including the internal traffic flow. The infrastructure has backup servers in place which are configured to take regular backups of the Web/Database Servers, daily as well as weekly, which are in the range of GB. So that's some pretty huge traffic flowing across the internal network. So I am not sure how to go about it.

PIX does not support Netflow either, according to this post on CSC (https://supportforums.cisco.com/thread/221338)

Thanks ,

Anup


The solution is a very easy one:

1- span the port on either the Pix inside or outside and send the traffic from that interface to a Linux machine.

2- on the Linux machine, run tcpdump to collect the data,

3- use an open source application to parse the data, and you will be able to see just about everything.

It works well for me. You can even detect "microbursts" too.

Easy right?
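
Steps 2 and 3 of the answer above, as an added example that is not part of the original post: a small parser that reads a classic pcap file written by tcpdump on the SPAN destination and reports, per inside host, the bytes that actually crossed the firewall, skipping inside-to-inside traffic such as the backup jobs mentioned earlier in the thread. The inside subnet 192.168.10.0/24, all addresses and the embedded capture are constructed assumptions; setting `bucket_ms` to a small value gives a rough microburst indicator.

```python
import ipaddress, struct
from collections import defaultdict

INSIDE = ipaddress.ip_network("192.168.10.0/24")  # assumed inside subnet behind the PIX

def per_host_usage(pcap, inside=INSIDE, bucket_ms=1000):
    """Bytes crossing the firewall per inside host: per direction, plus busiest time bucket."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if endian is None:
        raise ValueError("not a classic microsecond pcap file")
    if struct.unpack(endian + "I", pcap[20:24])[0] != 1:
        raise ValueError("expected Ethernet link type")
    totals = defaultdict(lambda: {"out": 0, "in": 0})
    buckets = defaultdict(lambda: defaultdict(int))
    off = 24  # skip the 24-byte global header
    while off + 16 <= len(pcap):
        sec, usec, caplen, wirelen = struct.unpack(endian + "IIII", pcap[off:off + 16])
        frame = pcap[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue  # only untagged IPv4 frames are counted in this sketch
        src = ipaddress.ip_address(frame[26:30])
        dst = ipaddress.ip_address(frame[30:34])
        if (src in inside) == (dst in inside):
            continue  # inside-to-inside (e.g. backups) never touches the Internet link
        host, direction = (str(src), "out") if src in inside else (str(dst), "in")
        totals[host][direction] += wirelen  # wire length, so a short snaplen still counts fully
        buckets[host][(sec * 1000 + usec // 1000) // bucket_ms] += wirelen
    return {h: {**t, "peak": max(buckets[h].values())} for h, t in totals.items()}

def frame_record(src, dst, sec, usec, wirelen):
    """Build one pcap record holding only Ethernet + IPv4 headers (header-only capture)."""
    data = (b"\x00" * 12 + b"\x08\x00" + b"\x45" + b"\x00" * 11
            + ipaddress.ip_address(src).packed + ipaddress.ip_address(dst).packed)
    return struct.pack("<IIII", sec, usec, len(data), wirelen) + data

# Constructed sample capture: a web server, a database server and a backup server.
SAMPLE = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 96, 1) + b"".join(
    frame_record(*p) for p in [
        ("192.168.10.10", "203.0.113.5", 100, 0, 1500),
        ("192.168.10.10", "203.0.113.5", 100, 500, 1500),
        ("203.0.113.5", "192.168.10.10", 100, 200000, 60),
        ("192.168.10.20", "192.168.10.30", 100, 0, 9000),   # backup job, ignored
        ("192.168.10.20", "198.51.100.7", 101, 0, 400),
    ])

if __name__ == "__main__":
    for host, stats in sorted(per_host_usage(SAMPLE).items()):
        print(host, stats)
```

On a real capture, pass the bytes of a file written with something like `tcpdump -i eth1 -s 96 -w span.pcap` (the interface name is an assumption); the short snap length keeps the file small because only the recorded wire length is summed.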

Hi David ,

That's a great idea! I think it would work. But since PIX ports are routed ports rather than switch ports, I think I need to span the switch port on which the connection from the PIX inside interface terminates. Would that work?

Thanks,

Anup


Yes, the idea is to span the port on the switchport where your Pix is connected to:

monitor session 1 source interface f1/0/9 (this is where your Pix interface is connected to)

monitor session 1 destination interface f1/0/10 (this is where your Linux machine is connected to)

Hi David ,

Thank you so much for the suggestion, and I am trying to get that port spanning to work now. I think I would need to do Remote Spanning, as the Linux machine is not connected to the same switch which connects to the PIX inside interface.

How would I be able to get a graphical view of the traffic to outside? Which open source application did you use?

Please help !


Regards,
Anup


Cacti is pretty good. NMIS and OpenNMS are also pretty good. If you really want to look at all the types of traffic on the outside, in addition to overall traffic, ntop is pretty good at that. If you have a lot of money to spend, have a look at Opnet ACE Live or NetScout. I personally like ACE Live.

Hi David ,

Thanks for the suggestions ! It was really helpful.


Regards,
Anup


Hi David ,

Could you please let me know of any apps on the Windows platform with which I can monitor the traffic? Wireshark? Will I be able to get it using Wireshark? We are probably looking to get a graphical view of the traffic and I don't think it's possible using Wireshark. Please help.


Regards,
Anup


It's a PIX515E with 2 interfaces. Are they routed ports or switch ports? I think they are routed, since we are assigning an IP directly to the interface and not to a VLAN. I think the only model on which there is an integrated switch is the PIX 501. Is that right?

Anup
