cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
749
Views
0
Helpful
2
Replies
keithsauer507
Contributor

Verify L4 traffic monitor setup on S170?

Can you verify that I did this connection correctly on our new S170?  I greatly appreciate it in advance!

On the switch I created monitor session 1 with the following command:

monitor session 1 source interface Fa6/0/38,Fa2/0/48

monitor session 1 destination interface Gi1/0/40

 

We have two 50 mbps internet connections, thus the firewalls are only on 100meg (fa) ports as gig-e ports are at a premium and I do not want to waste PoE ports (which are gig e).

Fa6/0/38 is our primary firewall lan side connection to the internet.  All traffic from our lan to the outside world must pass through here.

Fa2/0/48 is a failover asa firewall, if for whatever reason the primary is down, the traffic to the outside world would traverse this port through the secondary firewall.

Gi1/0/40 is a gig port that is patched through to the T1 port on the S170 WSA.

The WSA Network > Interfaces screen has L4 Traffic Monitor Wiring set to Duplex TAP: T1 (In/Out)

The Security Services > L4 Traffic Monitor has L4 Traffic Enabled, and traffic is monitored on All ports except web ports (HTTP/HTTPS).  Rules are successfully updated and licensing is enabled for this feature.

 

So is this setup correctly?  Is there any way to test?  Should I change the L4 Traffic monitor to monitor ALL ports, or do you generally just have the WCCP ports 80 / 443 from the firewall handle all of that filtering and use L4 for "everything else"?

When I go to L4 Traffic Monitor reports, there are no data found.  Now likely because there's no suspicious activity or malware, but how can I be sure this is working?  

 

1 ACCEPTED SOLUTION

Accepted Solutions
Ken Stieers
Engager

It looks like its set up correctly.

I set mine to watch "Everything else"

 

I'm not sure how to test to see if it alarms...

 

View solution in original post

2 REPLIES 2
Ken Stieers
Engager

It looks like its set up correctly.

I set mine to watch "Everything else"

 

I'm not sure how to test to see if it alarms...

 

View solution in original post

Ok thank you for looking over that.  I did have to wait a few hours but I have one hit on it right now.  One client IP to server.noblinkvideo.com 104.237.129.152 port 8888, malware connections blocked = 4.

 

So that tells me its working.

Content for Community-Ad