Netflow analyzer recommendations

Answered Question
Nov 10th, 2009

I am trying to clean up the access-lists in an ASA firewall. Due to the amount of traffic that goes through it, I have been having trouble getting a list of traffic that is actually travelling through the ASA.


I have been looking at the new Netflow feature of the ASA and it looks like this would be a big help.


Does anybody have any experience with any Netflow Analyzers with the ASA? A perfect solution would allow me to export a summary of all non-established traffic.

cisco24x7 Wed, 11/11/2009 - 03:25
User Badges:
  • Silver, 250 points or more

What you need is a product from any of the following vendors:


- Algosec Firewall Analyzer (AFA),

- Tufin SecureTrack,

- Firemon Securepassage,


I personally have experience with all three, but I have NOT used them to clean up access-lists on Cisco devices. I use them to clean up firewall rules on Checkpoint firewalls and they are pretty good. But these products are what you're looking for. I think Firemon is the cheapest among those three.


Good luck!!!


mmacdonald70 Wed, 11/11/2009 - 07:05

Thanks. Those look interesting, but I don't think that they are exactly what I need. Since I am planning on replacing the firewall, I wanted to look at actual usage through the firewall, analyse this information to decide what needs to go through, and create new access-lists based on this.


Correct me if I'm wrong, but I am under the impression that those products analyse rules to see which are used. For example, if I have the rule:


permit tcp any any eq www

I don't need to see that this rule is used; I would like to see that only server1 is being accessed on port 80, so that I can recreate the rule as:


permit tcp any host server1 eq www



Correct Answer
Panos Kampanakis Wed, 11/11/2009 - 08:51
User Badges:
  • Cisco Employee,

By no means am I selling a 3rd party product here. In my experience, the latest SolarWinds Orion and Plixer's Scrutinizer have worked well for many people for what you want to do.


Here is the wiki that explains it https://supportforums.cisco.com/docs/DOC-6113


I hope it helps.


PK

Collin Clark Wed, 11/11/2009 - 09:27
User Badges:
  • Purple, 4500 points or more

What I do to clean up my rules is clear the ACL counters, let the firewall run as normal for two weeks or so, then remove the ACLs with zero hit counts. Simple but effective. For Netflow, you'll have to be careful: not all apps support the ASA netflow format.

mmacdonald70 Wed, 11/11/2009 - 11:37

Thanks for all the great answers. It looks like the above will work for me. We also use another (unnamed) Netflow product but a) I don't know if it will support NSL and b) I am not happy with the reporting options.

cisco24x7 Thu, 11/12/2009 - 13:15
User Badges:
  • Silver, 250 points or more

"Since I am planning on replacing the firewall, I wanted to look at actual usage though the firewall, analyse this information to decide what needs to go though and create new access-lists based on this."


Now that I understand what you're trying to do, here is my suggestion:


- span the port on the firewall to a cheap sniffer. A Linux box with plenty of disk space and tcpdump will do.


- capture the traffic into a file, but make sure you rotate the file, like this:


tcpdump -nni eth0 -s 1500 -w /tmp/sniff.cap -C 100 -W 10000


this will rotate the file every 100MB and create up to 10000 files.


Now use ethereal and analyze the traffic. It will tell you what traffic to allow and what to deny.


Easy right?

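Added example, not code from the original thread or from any product named in it: a small Python script for the analysis step that mmacdonald70 describes (seeing that only server1 is reached on port 80, so the rule can become `permit tcp any host server1 eq www`) applied to the text that `tcpdump -nn -r sniff.cap` prints from a rotated capture like the one above. It keeps only connection-initiating packets (bare TCP SYNs, plus UDP datagrams, since UDP has no handshake), aggregates them by destination host and port, and emits candidate ASA access-list entries. The capture lines, the addresses and the ACL name INSIDE_IN are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of `tcpdump -nn` text output (not a real capture).
# Lines 2, 3 and 8 belong to established sessions and must be ignored.
SAMPLE_CAPTURE = """\
12:00:01.000001 IP 10.1.1.5.51234 > 192.0.2.10.80: Flags [S], seq 1, win 65535, length 0
12:00:01.000002 IP 192.0.2.10.80 > 10.1.1.5.51234: Flags [S.], seq 2, ack 2, win 65535, length 0
12:00:01.000003 IP 10.1.1.5.51234 > 192.0.2.10.80: Flags [.], ack 3, win 65535, length 0
12:00:02.000000 IP 10.1.1.7.40000 > 192.0.2.10.80: Flags [S], seq 9, win 65535, length 0
12:00:03.000000 IP 10.1.1.5.40001 > 192.0.2.10.80: Flags [S], seq 9, win 65535, length 0
12:00:04.000000 IP 10.1.1.9.53000 > 192.0.2.53.53: UDP, length 40
12:00:05.000000 IP 10.1.1.5.44444 > 192.0.2.20.443: Flags [S], seq 5, win 65535, length 0
12:00:06.000000 IP 10.1.1.5.44445 > 192.0.2.20.443: Flags [P.], seq 5:10, ack 1, win 65535, length 5
"""

# IPv4 lines with a port on both sides, as printed with -nn (no name resolution).
LINE_RE = re.compile(
    r'^\S+ IP (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > '
    r'(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): (?P<rest>.*)$'
)
FLAGS_RE = re.compile(r'Flags \[(?P<flags>[^\]]*)\]')


def parse_new_flows(text):
    """Return (proto, src, dst, dport) for every packet that starts a flow.

    TCP: only a bare SYN (flags 'S' with no '.'), i.e. the client's first
    packet. SYN-ACK, ACK and data packets belong to established sessions.
    Lines with ports but no TCP flags are treated as UDP: tcpdump decodes
    DNS and similar payloads without printing the word 'UDP'.
    Lines without ports (ICMP, ARP, IPv6 here) do not match and are skipped.
    """
    flows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rest = m.group('rest')
        fm = FLAGS_RE.search(rest)
        if fm:
            flags = fm.group('flags')
            if 'S' in flags and '.' not in flags:
                flows.append(('tcp', m.group('src'), m.group('dst'), int(m.group('dport'))))
        else:
            flows.append(('udp', m.group('src'), m.group('dst'), int(m.group('dport'))))
    return flows


def summarize(flows):
    """Aggregate flows per (proto, dst, dport): how many, and from which sources."""
    summary = defaultdict(lambda: {'flows': 0, 'sources': set()})
    for proto, src, dst, dport in flows:
        entry = summary[(proto, dst, dport)]
        entry['flows'] += 1
        entry['sources'].add(src)
    return dict(summary)


def generate_aces(summary, acl_name='INSIDE_IN', min_flows=1):
    """Emit ASA 'access-list' lines for each observed service.

    A single observed source becomes 'host <src>'; several sources become
    'any' as a placeholder the operator should replace with an object-group
    of the observed hosts. A remark line records the evidence for review.
    Services seen fewer than min_flows times are left for manual review.
    """
    lines = []
    for (proto, dst, dport), info in sorted(summary.items()):
        if info['flows'] < min_flows:
            continue
        srcs = sorted(info['sources'])
        src = f'host {srcs[0]}' if len(srcs) == 1 else 'any'
        lines.append(f'access-list {acl_name} remark {info["flows"]} flow(s) '
                     f'from {len(srcs)} source(s) observed')
        lines.append(f'access-list {acl_name} extended permit {proto} {src} '
                     f'host {dst} eq {dport}')
    return lines


if __name__ == '__main__':
    # Stand-alone run over the constructed sample; for a real capture read the
    # output of `tcpdump -nn -r sniff.cap` instead of SAMPLE_CAPTURE.
    for ace in generate_aces(summarize(parse_new_flows(SAMPLE_CAPTURE))):
        print(ace)
```

On the sample this yields one `permit tcp any host 192.0.2.10 eq 80` (two clients), one host-to-host entry for 192.0.2.20:443 and one for DNS to 192.0.2.53; raising `min_flows` drops the single-flow services so they can be checked by hand before they become rules. The same aggregation applies to NetFlow/NSEL records once a collector exports them as text, and the hit-count check Collin Clark describes is the natural confirmation step after the new access-list is applied.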
MarkSchtang Sat, 11/21/2009 - 11:21

I've used tufin's APG.

It takes syslogs as input and constructs the acls for you.

Mark.
