PIX xlate logging

Nov 9th, 2009

Hi,


We have a PIX-525 running 6.3.5 that is configured for our DMZ & Internet firewall.


e0 = Internet

e1 = DMZ

e2 = LAN


We have a number of static NATs configured for public facing servers and a PAT address for user Internet traffic.


I've been asked to find which internal hosts are consuming the most bandwidth on our network. I checked and it doesn't look like the PIX supports netflow.


Is there a way that I can export the "show xlate" output to a file and sort so as to find which host is being translated the most?


I read a post somewhere about turning logging up on the pix to informational and then review the syslogs for translations/connections being built. Not sure how that may work.



Is there a better way to do this? I'd like to script something if possible but have to admit I'm a noob when it comes to running/writing scripts.


Thanks for the help.


Pete


Collin Clark Mon, 11/09/2009 - 09:30

Pete-


You could do that, but it would be very time consuming. Netflow is the best way to monitor per IP usage. Do you have a router in the inside of your network?

priedman1 Mon, 11/09/2009 - 09:37
Hi Collin.


Thanks for your reply.


We have a Cat6500 (which serves as our core switch) that is connected to this PIX-525. I'm currently using Plixer's Scrutinizer to monitor this switch and see the traffic.


This has shown to be helpful but I figured monitoring the firewall traffic would be the best place to see what's going on.


I also just tried turning up these syslog IDs so my syslog server would see connection setup/teardown info:


logging message 302009 level 4
logging message 302010 level 4
logging message 302013 level 4
logging message 302014 level 4
logging message 302015 level 4
logging message 302016 level 4
logging message 305010 level 4
logging message 305011 level 4
logging message 609001 level 4
logging message 609002 level 4


The problem appears now to be that we're generating so much syslog info that it's going past the 65536 row limit in Excel.



Pete

Collin Clark Mon, 11/09/2009 - 09:41

Yup! You'll want to write some sort of script to parse all that info (linux would be best if that's an option). Plixer should be giving you the info you're looking for. If you're monitoring the interface(s) to your firewall, then you're good to go. Are you seeing issues there?

priedman1 Mon, 11/09/2009 - 09:57
Hi Collin,


We're seeing the traffic which is good but our main issue is the volume of traffic being seen. Ideally, we'd like to filter out stuff like LAN <--> DMZ and just see LAN <--> Internet


I guess it's more of a question now of how best to pull out just this information.


Thanks


Pete
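As an added example (not part of the original thread or any Cisco tool), this script does what Collin suggested and what Pete asked for in the two posts above: it parses the PIX 6.x connection teardown messages (302014 TCP, 302016 UDP) that the `logging message ... level 4` commands expose, keeps only flows between the inside and outside interfaces (LAN <-> Internet, dropping LAN <-> DMZ), and sums bytes per internal host, so the whole syslog file can be processed without Excel's row limit. The interface names `inside`, `outside` and `dmz` are assumptions about the firewall's nameif configuration, and the sample log lines are constructed.

```python
import re
from collections import defaultdict

# PIX 6.x teardown messages carry the byte count of the finished connection.
# Format assumed: "%PIX-6-302014: Teardown TCP connection N for IF:IP/port
# to IF:IP/port duration H:MM:SS bytes B ..." (302016 is the UDP twin).
TEARDOWN_RE = re.compile(
    r"%PIX-\d-3020(?:14|16): Teardown (?:TCP|UDP) connection \d+ for "
    r"(?P<if_a>\w+):(?P<ip_a>[\d.]+)/\d+ to (?P<if_b>\w+):(?P<ip_b>[\d.]+)/\d+ "
    r"duration \S+ bytes (?P<bytes>\d+)"
)

def bytes_per_inside_host(lines, inside="inside", outside="outside"):
    """Sum teardown byte counts per inside host, counting only connections
    whose two endpoints sit on the inside and outside interfaces. Interface
    names are assumptions; check them against "show nameif" on the PIX."""
    totals = defaultdict(int)
    for line in lines:
        m = TEARDOWN_RE.search(line)
        if not m:
            continue  # Built/other messages carry no byte count; skip them
        ends = {m["if_a"]: m["ip_a"], m["if_b"]: m["ip_b"]}
        if set(ends) != {inside, outside}:
            continue  # LAN <-> DMZ or DMZ <-> Internet flow: filtered out
        totals[ends[inside]] += int(m["bytes"])
    return dict(totals)

def top_talkers(lines, n=10, **kw):
    """Return [(inside_ip, total_bytes), ...] sorted by bytes, largest first."""
    totals = bytes_per_inside_host(lines, **kw)
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:n]

def top_talkers_from_file(path, n=10, **kw):
    """Stream a syslog file of any size; nothing is held in a spreadsheet."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return top_talkers(fh, n, **kw)

# Constructed sample lines (RFC 5737 test addresses), not real firewall output.
SAMPLE_LINES = """\
Nov  9 09:40:01 pix %PIX-6-302014: Teardown TCP connection 1001 for outside:203.0.113.10/80 to inside:10.1.1.20/3456 duration 0:00:12 bytes 150000 TCP FINs
Nov  9 09:40:02 pix %PIX-6-302014: Teardown TCP connection 1002 for outside:203.0.113.11/443 to inside:10.1.1.21/3457 duration 0:01:00 bytes 500000 TCP FINs
Nov  9 09:40:03 pix %PIX-6-302014: Teardown TCP connection 1003 for dmz:172.16.1.5/80 to inside:10.1.1.20/3458 duration 0:00:02 bytes 999999 TCP FINs
Nov  9 09:40:04 pix %PIX-6-302016: Teardown UDP connection 1004 for outside:198.51.100.1/53 to inside:10.1.1.20/1025 duration 0:00:01 bytes 300
Nov  9 09:40:05 pix %PIX-6-302013: Built inbound TCP connection 1005 for outside:203.0.113.12/4444 (203.0.113.12/4444) to dmz:172.16.1.5/80 (192.0.2.5/80)
""".splitlines()

if __name__ == "__main__":
    for ip, total in top_talkers(SAMPLE_LINES):
        print(f"{ip:15} {total:>12} bytes")
```

Run it against the real file with `top_talkers_from_file("/var/log/pix.log")`; the DMZ-bound 999999-byte connection in the sample is deliberately excluded by the interface filter.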

Collin Clark Mon, 11/09/2009 - 11:25

I don't have Plixer, but can't you create a filter to remove DMZ traffic?

priedman1 Mon, 11/09/2009 - 11:40
Hi Collin


I'm going through the Scrutinizer interface but haven't seen anything yet to filter the traffic.


Thanks for the help.


Pete
