Hi folks, I'm interested to hear how far back in time people are able to go in the Connection Events.
With a virtual FMC in production for about 2 months, with the maximum managed hosts and the default settings, we quickly went down to 24 hours.
I.e. we could not search back in time further than 24 hours. I've tweaked the settings and got a little more out of it.
Does anyone know how to determine what flows or protocols are causing the exhaustion?
Your logging settings will be what is chewing it.
Some things you can do:
It would be good to know what the 'top 10' protocols are that caused the exhaustion.
Thx - I've stopped logging for DNS, SNMP, and Kerberos for now. Interested to see how much more I get out of it before turning off logging at start.
FYI, by default the product doesn't alert you to connection event pruning unless you apply an email address.
Please refer to the database limits for the configuration part. Configuring beyond that limit will affect system performance.
For best practice to avoid pruning, please avoid enabling logging at both the beginning and end of connections. Use either beginning or end of connection. Avoid logging connections for allow rules. Give priority to important rules and enable logging for those.
Rate and mark correct if the post helps you
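The original question asked how to tell which flows or protocols are eating the connection database, and the post above recommends logging only one end of each connection. As an added example (not code from any poster in this thread or from Cisco), the script below tallies exported connection-event lines by protocol/destination port, counts how many events per rule are "double logged" as both start and end, and projects how many hours of history a given database limit buys at the observed event rate. The sample lines are constructed for this example, and their layout (an ISO timestamp followed by comma-separated `Key: value` pairs) is an assumption made here so the lines parse; adapt `parse_line()` to whatever format your syslog collector actually receives.

```python
"""Find what is filling an FMC connection-event database (added example).

SAMPLE_LOG is CONSTRUCTED for this example. Its layout (ISO timestamp,
then comma-separated "Key: value" pairs) is an assumption made here for
parsing and is not a copy of a real FMC/FTD export.
"""
from collections import Counter
from datetime import datetime
import re

SAMPLE_LOG = """\
2024-05-01T10:00:00Z Rule: Allow-Web, ConnectionEvent: Start, Protocol: tcp, SrcIP: 10.1.1.5, DstIP: 203.0.113.10, SrcPort: 51000, DstPort: 443
2024-05-01T10:00:02Z Rule: Allow-Web, ConnectionEvent: End, Protocol: tcp, SrcIP: 10.1.1.5, DstIP: 203.0.113.10, SrcPort: 51000, DstPort: 443
2024-05-01T10:00:05Z Rule: Allow-DNS, ConnectionEvent: Start, Protocol: udp, SrcIP: 10.1.1.5, DstIP: 10.1.0.53, SrcPort: 40001, DstPort: 53
2024-05-01T10:00:05Z Rule: Allow-DNS, ConnectionEvent: End, Protocol: udp, SrcIP: 10.1.1.5, DstIP: 10.1.0.53, SrcPort: 40001, DstPort: 53
2024-05-01T10:00:07Z Rule: Allow-DNS, ConnectionEvent: Start, Protocol: udp, SrcIP: 10.1.1.6, DstIP: 10.1.0.53, SrcPort: 40002, DstPort: 53
2024-05-01T10:00:07Z Rule: Allow-DNS, ConnectionEvent: End, Protocol: udp, SrcIP: 10.1.1.6, DstIP: 10.1.0.53, SrcPort: 40002, DstPort: 53
2024-05-01T10:00:10Z Rule: Allow-DNS, ConnectionEvent: Start, Protocol: udp, SrcIP: 10.1.1.7, DstIP: 10.1.0.53, SrcPort: 40003, DstPort: 53
2024-05-01T10:00:10Z Rule: Allow-DNS, ConnectionEvent: End, Protocol: udp, SrcIP: 10.1.1.7, DstIP: 10.1.0.53, SrcPort: 40003, DstPort: 53
2024-05-01T10:00:20Z Rule: Allow-SNMP, ConnectionEvent: Start, Protocol: udp, SrcIP: 10.1.2.1, DstIP: 10.1.1.9, SrcPort: 50000, DstPort: 161
2024-05-01T10:00:21Z Rule: Allow-SNMP, ConnectionEvent: End, Protocol: udp, SrcIP: 10.1.2.1, DstIP: 10.1.1.9, SrcPort: 50000, DstPort: 161
2024-05-01T10:00:40Z Rule: Allow-Web, ConnectionEvent: Start, Protocol: tcp, SrcIP: 10.1.1.8, DstIP: 203.0.113.20, SrcPort: 51001, DstPort: 443
2024-05-01T10:01:00Z Rule: Allow-Web, ConnectionEvent: End, Protocol: tcp, SrcIP: 10.1.1.8, DstIP: 203.0.113.20, SrcPort: 51001, DstPort: 443
"""

FIELD_RE = re.compile(r"(\w+): ([^,]+)")   # "Key: value" pairs, comma separated
TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"            # leading timestamp (assumed layout)


def parse_line(line):
    """Return {"ts": datetime, "Rule": ..., "Protocol": ..., ...} for one line."""
    ts_text, _, rest = line.partition(" ")
    event = {key: value.strip() for key, value in FIELD_RE.findall(rest)}
    event["ts"] = datetime.strptime(ts_text, TS_FORMAT)
    return event


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def top_protocols(events, n=10):
    """The 'top 10': (protocol/dst-port, event count) pairs, busiest first."""
    counts = Counter(f"{e['Protocol'].lower()}/{e['DstPort']}" for e in events)
    return counts.most_common(n)


def start_end_by_rule(events):
    """Per access-control rule, how many Start and End events were logged."""
    per_rule = {}
    for e in events:
        counts = per_rule.setdefault(e["Rule"], {"Start": 0, "End": 0})
        kind = e.get("ConnectionEvent", "Unknown")
        counts[kind] = counts.get(kind, 0) + 1
    return per_rule


def savable_by_single_ended_logging(events):
    """Events that disappear if every rule logs only start OR end of connection."""
    return sum(min(c["Start"], c["End"]) for c in start_end_by_rule(events).values())


def events_per_hour(events):
    """Observed logging rate over the sampled window."""
    first = min(e["ts"] for e in events)
    last = max(e["ts"] for e in events)
    span_seconds = (last - first).total_seconds()
    if span_seconds <= 0:
        raise ValueError("need events spanning more than one second")
    return len(events) * 3600.0 / span_seconds


def hours_until_wrap(db_limit, rate_per_hour):
    """Hours of history the database holds before it starts pruning (wrapping)."""
    return db_limit / rate_per_hour


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for proto_port, count in top_protocols(events):
        print(f"{proto_port:12} {count}")
    print("double-logged events:", savable_by_single_ended_logging(events), "of", len(events))
    rate = events_per_hour(events)
    # 1,000,000 is only a placeholder limit; use the value from Configure > Database.
    print(f"{rate:.0f} events/hour -> {hours_until_wrap(1_000_000, rate):.1f} hours of history")
```

Run it against a real export and the first table answers "which protocols", the double-logged count shows how much the "log one end only" advice would save (half of the sample here), and the last line turns the rate into the retention you would actually see for the limit configured on the Database page.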
What do you mean by 'avoid logging connections for allow rules'?
If one has an allow rule with IPS and File Malware, are you saying not to log at all?
I think a lot of companies will not have many rules and will have a rule like I mention above. So when I read this line it says to me to predominantly not log connection events at all.
That makes more sense. What I have been surprised to find is that HTTP logging also creates a separate log for the reply traffic, i.e. external IP, src port 443. Boy, can that lead to a lot of logs.
For anyone new, don't forget the email address in the Configure > Database page to get alerted for connection wrapping. It will happen, and happen quick. One customer had wrapping in 10 minutes, yes, 1,000,000 connections in 10 minutes.
Let's say I disable logging completely for DNS UDP/TCP. Will DNS IPS events still be caught? I believe so, but my testing isn't sending me alerts anymore (but I have correlation to look at too). Just want to rule this out.
**Managed to answer this with a bit more testing: yes, disabling logging in the ACL still results in alerts for IPS.** What you'd expect, really.