Enthusiast

Verify L4 traffic monitor setup on S170?

Can you verify that I did this connection correctly on our new S170?  I greatly appreciate it in advance!

On the switch I created monitor session 1 with the following command:

monitor session 1 source interface Fa6/0/38,Fa2/0/48

monitor session 1 destination interface Gi1/0/40

 

We have two 50 Mbps internet connections, thus the firewalls are only on 100 meg (Fa) ports, as gig-e ports are at a premium and I do not want to waste PoE ports (which are gig-e).

Fa6/0/38 is our primary firewall LAN-side connection to the internet.  All traffic from our LAN to the outside world must pass through here.

Fa2/0/48 is a failover ASA firewall; if for whatever reason the primary is down, the traffic to the outside world would traverse this port through the secondary firewall.

Gi1/0/40 is a gig port that is patched through to the T1 port on the S170 WSA.

The WSA Network > Interfaces screen has L4 Traffic Monitor Wiring set to Duplex TAP: T1 (In/Out)

The Security Services > L4 Traffic Monitor has L4 Traffic Enabled, and traffic is monitored on All ports except web ports (HTTP/HTTPS).  Rules are successfully updated and licensing is enabled for this feature.

 

So is this set up correctly?  Is there any way to test?  Should I change the L4 Traffic Monitor to monitor ALL ports, or do you generally just have the WCCP ports 80 / 443 from the firewall handle all of that filtering and use L4 for "everything else"?

When I go to L4 Traffic Monitor reports, there are no data found.  Now likely because there's no suspicious activity or malware, but how can I be sure this is working?  

 


Accepted Solutions
Collaborator

It looks like it's set up correctly.

I set mine to watch "Everything else"

 

I'm not sure how to test to see if it alarms...

 


Enthusiast

OK, thank you for looking over that.  I did have to wait a few hours but I have one hit on it right now.  One client IP to server.noblinkvideo.com 104.237.129.152 port 8888, malware connections blocked = 4.

 

So that tells me it's working.
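
Added example, not part of the thread and not Cisco tooling: a Python check that a saved copy of the switch's `show monitor session 1` output mirrors both firewall ports in both directions to Gi1/0/40, which is what a duplex tap on T1 needs. The sample output is constructed in the general layout of Catalyst SPAN output, and the function names are hypothetical.

```python
import re

# Constructed sample: text in the general layout of Catalyst
# "show monitor session 1" output (not captured from the poster's switch).
SAMPLE = """\
Session 1
---------
Type                   : Local Session
Source Ports           :
    Both               : Fa2/0/48,Fa6/0/38
Destination Ports      : Gi1/0/40
    Encapsulation      : Native
          Ingress      : Disabled
"""

def parse_span(text):
    """Return {'rx': set, 'tx': set, 'dest': set} of port names."""
    span = {"rx": set(), "tx": set(), "dest": set()}
    in_sources = False
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue  # session banner and separator lines carry no field
        key, value = key.strip().lower(), value.strip()
        ports = {p for p in re.split(r"\s*,\s*", value) if p}
        if key == "source ports":
            in_sources = True
        elif key == "destination ports":
            in_sources = False
            span["dest"] |= ports
        elif in_sources and key in ("both", "rx", "tx"):
            for d in (("rx", "tx") if key == "both" else (key,)):
                span[d] |= ports
    return span

def check_span(text, sources, dest):
    """List problems that would leave the L4TM tap blind or half-blind."""
    span, problems = parse_span(text), []
    for port in sources:
        missing = [d for d in ("rx", "tx") if port not in span[d]]
        if missing:
            problems.append(f"{port} not mirrored for {'/'.join(missing)}")
    if dest not in span["dest"]:
        problems.append(f"{dest} is not the destination port")
    return problems

if __name__ == "__main__":
    print(check_span(SAMPLE, ["Fa6/0/38", "Fa2/0/48"], "Gi1/0/40") or "SPAN session matches")
```

An empty list means the mirror matches the wiring described in the question; it says nothing about whether the WSA itself is classifying traffic, which the report hit above confirms.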
