1342 Views, 8 Helpful, 7 Replies

Netflow analyzer recommendations

mmacdonald70 (Level 1)

I am trying to clean up the access-lists in an ASA firewall. Due to the amount of traffic that goes through it, I have been having trouble getting a list of the traffic that is actually travelling through the ASA.

I have been looking at the new Netflow feature of the ASA and it looks like this would be a big help.

Does anybody have any experience with any Netflow Analyzers with the ASA? A perfect solution would allow me to export a summary of all non-established traffic.

Accepted Solution

By no means am I selling a 3rd party product here. I have experience that the latest Solarwinds Orion and Plixer's Scrutinizer have worked well for what you want to do for many people.

Here is the wiki that explains it https://supportforums.cisco.com/docs/DOC-6113

I hope it helps.

PK


7 Replies

cisco24x7 (Level 6)

What you need is a product from any of the following vendors:

- Algosec Firewall Analyzer (AFA),

- Tufin SecureTrack,

- Firemon Securepassage,

I personally have experience with all three, but I have NOT used them to clean up access-lists on Cisco devices. I use them to clean up firewall rules on Checkpoint firewalls and they are pretty good. But these products are what you're looking for. I think Firemon is the cheapest among those three.

Good luck!!!

Thanks. Those look interesting, but I don't think that they are exactly what I need. Since I am planning on replacing the firewall, I wanted to look at actual usage through the firewall, analyse this information to decide what needs to go through, and create new access-lists based on this.

Correct me if I'm wrong, but I am under the impression that those products analyse rules to see which are used. For example, if I have the rule:

permit tcp any any eq www, I don't need to see that this rule is used, I would like to see that only server1 is being accessed on port 80 so that I can recreate the rule as:

permit tcp any host server1 eq www
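As an added illustration (not from any poster in this thread) of the rewrite described above: a small Python script that takes a constructed list of observed flows and a set of broad "any any" rules, and emits one host-specific rule per destination that actually received traffic, while reporting rules that saw no traffic at all. The flow tuple layout is an assumption; in practice the flows would come from a NetFlow collector or a Wireshark conversation summary.

```python
from collections import defaultdict

# Constructed sample of observed flows: (protocol, src, dst, dst_port).
# Assumed layout, not an ASA NetFlow export format.
OBSERVED_FLOWS = [
    ("tcp", "10.1.1.5", "192.0.2.10", 80),
    ("tcp", "10.1.1.6", "192.0.2.10", 80),
    ("tcp", "10.1.1.7", "192.0.2.20", 443),
    ("udp", "10.1.1.5", "192.0.2.53", 53),
    ("tcp", "10.1.1.8", "192.0.2.10", 80),
]

# Broad rules to tighten, as (proto, dst_port) for "permit <proto> any any eq <port>".
# Port 25 is included to show a rule that matched no traffic during the observation window.
BROAD_RULES = [("tcp", 80), ("tcp", 443), ("tcp", 25)]

# Port keywords as the ASA prints them in extended ACLs.
PORT_NAMES = {80: "www", 443: "https", 25: "smtp", 53: "domain"}


def tighten_rules(flows, broad_rules):
    """Return (specific_rules, unused_rules).

    For each broad rule, emit 'permit <proto> any host <dst> eq <port>' for every
    destination that actually received that traffic. Rules with no matching flows
    are returned separately so they can be reviewed for removal.
    """
    dests = defaultdict(set)
    for proto, _src, dst, dport in flows:
        dests[(proto, dport)].add(dst)

    specific, unused = [], []
    for proto, port in broad_rules:
        name = PORT_NAMES.get(port, str(port))
        seen = dests.get((proto, port), set())
        if not seen:
            unused.append(f"permit {proto} any any eq {name}")
            continue
        for dst in sorted(seen):
            specific.append(f"permit {proto} any host {dst} eq {name}")
    return specific, unused


if __name__ == "__main__":
    rules, unused = tighten_rules(OBSERVED_FLOWS, BROAD_RULES)
    print("\n".join(rules))
    print("! no traffic observed for:", "; ".join(unused))
```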


What I do to clean up my rules is clear the ACL counters, let the firewall run as normal for two weeks or so, then remove the ACLs with zero hit counts. Simple but effective. For Netflow, you'll have to be careful: not all apps support the ASA Netflow format.

Thanks for all the great answers. It looks like the above will work for me. We also use another (unnamed) Netflow product but a) I don't know if it will support NSL and b) I am not happy with the reporting options.

"Since I am planning on replacing the firewall, I wanted to look at actual usage though the firewall, analyse this information to decide what needs to go though and create new access-lists based on this."

Now that I understand what you're trying to do, here is my suggestion:

- span the port on the firewall to a cheap sniffer. A Linux box with a lot of disk space will do, with tcpdump

- capture the traffics into a file but make sure you rotate the file, like this:

tcpdump -nni eth0 -s 1500 -w /tmp/sniff.cap -C 100 -W 10000

this will rotate the file every 100MB and create up to about 10000 files.

Now use ethereal and analyze the traffic. I will tell you what traffic to allow and what to deny.

Easy right?

MarkSchtang (Level 1)

I've used Tufin's APG.

It takes syslogs as input and constructs the acls for you.

Mark.