Can you verify that I did this connection correctly on our new S170? I greatly appreciate it in advance!
On the switch I created monitor session 1 with the following commands:
monitor session 1 source interface Fa6/0/38,Fa2/0/48
monitor session 1 destination interface Gi1/0/40
We have two 50 Mbps internet connections, thus the firewalls are only on 100meg (fa) ports, as gig-e ports are at a premium and I do not want to waste PoE ports (which are gig-e).
Fa6/0/38 is our primary firewall LAN-side connection to the internet. All traffic from our LAN to the outside world must pass through here.
Fa2/0/48 is a failover ASA firewall; if for whatever reason the primary is down, the traffic to the outside world would traverse this port through the secondary firewall.
Gi1/0/40 is a gig port that is patched through to the T1 port on the S170 WSA.
The WSA Network > Interfaces screen has L4 Traffic Monitor Wiring set to Duplex TAP: T1 (In/Out)
The Security Services > L4 Traffic Monitor has L4 Traffic Enabled, and traffic is monitored on All ports except web ports (HTTP/HTTPS). Rules are successfully updated and licensing is enabled for this feature.
So is this set up correctly? Is there any way to test? Should I change the L4 Traffic Monitor to monitor ALL ports, or do you generally just have the WCCP ports 80 / 443 from the firewall handle all of that filtering and use L4 for "everything else"?
When I go to L4 Traffic Monitor reports, there are no data found. Now likely because there's no suspicious activity or malware, but how can I be sure this is working?
OK, thank you for looking over that. I did have to wait a few hours but I have one hit on it right now. One client IP to server.noblinkvideo.com 126.96.36.199 port 8888, malware connections blocked = 4.
So that tells me it's working.