Community Member

FMC Connection History - how far back is the average

Hi Folks, interested to hear how far back in the Connection Events time people are able to go?

With a virtual FMC in production for about 2 months, with the maximum number of managed hosts and the default settings, we quickly went down to 24 hours.

I.e. we could not search back in time further than 24 hours. I've tweaked the settings and got a little more out of it.

Anyone know how to determine what flows or protocols are causing the exhaustion?

Thx


8 REPLIES
VIP Purple

Your logging settings will be what is chewing it.

Some things you can do:

  • Only log the end of the flow, not the start and end
  • Create rules for high volume flows you are not interested in and set the logging to none.

Community Member

Would be good to know what the 'top 10' protocols are that caused the exhaustion.

Thx - I've stopped logging for DNS, SNMP, and Kerberos for now. Interested to see how much more I get out of it before turning off logging at connection start.

FYI, by default the product doesn't alert you to connection event pruning unless you apply an email address.

Cisco Employee

Hello Team,

Please refer to the database limits for the configuration part. Configuring beyond that limit will affect system performance.

http://www.cisco.com/c/en/us/td/docs/security/firesight/541/user-guide/FireSIGHT-System-UserGuide-v5401/System-Policy.html#pgfId-8018593

As best practice to avoid pruning, please avoid enabling logging at both beginning and end of connections. Use either beginning or end of connection. Avoid logging connections for allow rules. Give priority to important rules and enable logging for those.

Rate and mark correct if the post helps you

Regards

Jetsy

Community Member

Hi Jetsy, 

What do you mean by 'avoid logging connections for allow rules'?

If one has an allow rule with IPS and File Malware, are you saying not to log at all?

I think a lot of companies will not have many rules and will have a rule like I mentioned above. So when I read this line it says to me to predominantly not log connection events at all.

Cisco Employee - Accepted Solution

Hi ,

I think Jetsy meant to avoid logging on Trust rules, not the "Allow rules". Avoid logging internal traffic like traffic between inside and DMZ servers etc. Also use logging either at beginning or end of connection.

Regards,

Aastha Bhardwaj

Rate if that helps!!!

Community Member

That makes more sense. What I have been surprised to find is that http logging also creates a separate log for the reply traffic, i.e. external IP, src port 443. Boy, can that lead to a lot of logs.

For anyone new, don't forget the Email address in the Configure > Database page to get alerted for connection wrapping. It will happen, and happen quick. One customer had wrapping in 10 minutes, yes, 1,000,000 connections in 10 minutes.
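The thread asks how to find which protocols fill the connection-event database and how fast it wraps. The script below is an added example, not from this thread or from Cisco's tooling: it ranks a constructed sample of connection events by responder service, counts reply-direction rows (initiator port 443, as described above), and projects the event rate and minutes of retention before and after silencing rules such as DNS, SNMP and Kerberos. The CSV column names are assumptions for the example, not the FMC export format.

```python
import csv
import io
from collections import Counter

# Constructed sample connection events. The column layout is an assumption
# for this example, not the FMC export format; adjust the names to your export.
SAMPLE_CSV = """\
ts,initiator_ip,initiator_port,responder_ip,responder_port,protocol,action,rule
1,10.1.1.5,51000,10.1.1.2,53,udp,Allow,Inside-DNS
1,10.1.1.6,51001,10.1.1.2,53,udp,Allow,Inside-DNS
1,10.1.1.7,51002,10.1.1.2,53,udp,Allow,Inside-DNS
1,10.1.1.9,50000,10.1.1.20,161,udp,Allow,Mgmt-SNMP
1,10.1.1.9,50001,10.1.1.21,161,udp,Allow,Mgmt-SNMP
1,10.1.1.5,51003,10.1.1.3,88,tcp,Allow,Inside-Kerberos
2,10.1.1.5,52000,203.0.113.10,443,tcp,Allow,Outbound-Web
2,10.1.1.6,52010,203.0.113.11,443,tcp,Allow,Outbound-Web
2,203.0.113.10,443,10.1.1.5,52000,tcp,Allow,Outbound-Web
2,203.0.113.11,443,10.1.1.6,52010,tcp,Allow,Outbound-Web
2,10.1.1.5,52020,10.2.2.10,445,tcp,Trust,Inside-to-DMZ
2,10.1.1.5,52030,10.2.2.11,22,tcp,Allow,Admin-SSH
"""
SAMPLE_WINDOW_MINUTES = 2  # the constructed sample spans two minutes of logging

def parse_events(text):
    """Parse CSV text into a list of dicts, one per connection event."""
    return list(csv.DictReader(io.StringIO(text)))

def top_services(events, n=10):
    """Top-n (protocol, responder port) pairs by event count: the 'top 10' view."""
    counts = Counter((e["protocol"], int(e["responder_port"])) for e in events)
    return counts.most_common(n)

def reply_direction_events(events, service_ports=(80, 443)):
    """Rows whose initiator port is a service port, i.e. reply traffic logged separately."""
    return [e for e in events if int(e["initiator_port"]) in service_ports]

def events_per_minute(events, window_minutes, silenced_rules=()):
    """Event rate after dropping rules you would set to 'log none'."""
    kept = [e for e in events if e["rule"] not in silenced_rules]
    return len(kept) / window_minutes

def minutes_of_retention(db_limit, rate_per_minute):
    """Minutes until a database of db_limit events wraps at the given rate."""
    return db_limit / rate_per_minute

if __name__ == "__main__":
    ev = parse_events(SAMPLE_CSV)
    print(top_services(ev, 3))
    print(len(reply_direction_events(ev)), "reply-direction rows")
    print(minutes_of_retention(1_000_000, events_per_minute(ev, SAMPLE_WINDOW_MINUTES)))
```

Run it against a real export and compare `events_per_minute` with and without the rules you plan to silence; the ratio tells you how much retention the change buys before you touch the policy.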

Community Member

Let's say I disable logging completely for DNS udp/tcp. Will DNS IPS events still be caught? I believe so, but my testing isn't sending me alerts anymore (but I have correlation to look at too). Just want to rule this out.

**Managed to answer this with a bit more testing - yes, disabling logging in the ACL still results in alerts for IPS** what you'd expect really

Community Member

Re: Your logging settings will be

Wouldn't logging only at the end miss the initiator IP addr of the connection event?