Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Netflow analyzer recommendations

I am trying to clean up the access-lists in an ASA firewall. Due to the amount of traffic that goes though it, I have been having trouble getting a list of traffic that is actually travelling though the ASA.

I have been looking at the new Netflow feature of the ASA and it looks like this would be a big help.

Does anybody have any experience with any Netflow Analyzers with the ASA? A perfect solution would allow me to export a summary of all non-established traffic.

1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Re: Netflow analyzer recommendations

By no means am I selling a 3rd party product here. I have experience that the latest Solarwinds Orion and Plixer's Scrutinizer have worked well for what you want to do for many people.

Here is the wiki that explains it https://supportforums.cisco.com/docs/DOC-6113

I hope it helps.

PK

7 REPLIES
Silver

Re: Netflow analyzer recommendations

What you need is a product from any of the following vendors:

- Algosec Firewall Analyzer (AFA),

- Tufin SecureTrack,

- Firemon Securepassage,

I personally have experiences with all three but I have NOT used it to clean up access-lists on Cisco devices. I use it to clean up firewall rules on Checkpoint firewalls and they are pretty good. But

these products are what you're looking for. I think Firemon is the cheapeast among those three.

Good luck!!!

New Member

Re: Netflow analyzer recommendations

Thanks. Those look interesting but I don't thing that they are exactly what I need. Since I am planning on replacing the firewall, I wanted to look at actual usage though the firewall, analyse this information to decide what needs to go though and create new access-lists based on this.

Correct me if I'm wrong, but I am under the impression that those products analyse rules to see which are used. For example, if I have the rule:

permit tcp any any eq www, I don't need to see that this rule is used, I would like to see that only server1 is being accessed on port 80 so that I can recreate the rule as:

permit tcp any host server1 eq www

Cisco Employee

Re: Netflow analyzer recommendations

By no means am I selling a 3rd party product here. I have experience that the latest Solarwinds Orion and Plixer's Scrutinizer have worked well for what you want to do for many people.

Here is the wiki that explains it https://supportforums.cisco.com/docs/DOC-6113

I hope it helps.

PK

Re: Netflow analyzer recommendations

What I do to clean up my rules are clear the ACL counters, let the firewall run as normal for two weeks or so, then remove the ACLs with zero hit counts. Simple but effective. For Netflow, you'll have to be careful, not all apps support the ASA netflow format.

New Member

Re: Netflow analyzer recommendations

Thanks for all the great answers. It looks like the above will work for me. We also use another (unnamed) Netflow product but a) I don't know if it will support NSL and b) I am not happy with the reporting options.

Silver

Re: Netflow analyzer recommendations

"Since I am planning on replacing the firewall, I wanted to look at actual usage though the firewall, analyse this information to decide what needs to go though and create new access-lists based on this."

Now that I understand what you're trying to do, here is my suggestion:

- span the port on the firewall with a cheap sniffer. A linux with a big diskspace will do with tcpdump

- capture the traffics into a file but make sure you rotate the file, like this:

tcpdump -nni eth0 -s 1500 -w /tmp/sniff.cap -C 100 -W 10000

this will rotate the file every 100MB and create about 10000 file.

Now use ethereal and analyze the traffics. I will tell you what traffics to allow and what to denny.

Easy right?

New Member

Re: Netflow analyzer recommendations

I've used tufin's APG.

It takes syslogs as input and constructs the acls for you.

Mark.

641
Views
8
Helpful
7
Replies