PIX xlate logging

priedman1
Level 1

Hi,

We have a PIX-525 running 6.3.5 that is configured for our DMZ & Internet firewall.

e0 = Internet

e1 = DMZ

e2 = LAN

We have a number of static NATs configured for public facing servers and a PAT address for user Internet traffic.

I've been asked to find which internal hosts are consuming the most bandwidth on our network. I checked and it doesn't look like the PIX supports netflow.

Is there a way that I can export the "show xlate" output to a file and sort so as to find which host is being translated the most?

I read a post somewhere about turning logging up on the pix to informational and then review the syslogs for translations/connections being built. Not sure how that may work.

Is there a better way to do this? I'd like to script something if possible but have to admit I'm a noob when it comes to running/writing scripts.

Thanks for the help.

Pete

7 Replies

Collin Clark
VIP Alumni

Pete-

You could do that, but it would be very time consuming. Netflow is the best way to monitor per IP usage. Do you have a router on the inside of your network?

Hi Collin.

Thanks for your reply.

We have a Cat6500 (which serves as our core switch) that is connected to this PIX-525. I'm currently using Plixer's Scrutinizer to monitor this switch and see the traffic.

This has shown to be helpful but I figured monitoring the firewall traffic would be the best place to see what's going on.

I also just tried turning up these syslog IDs so my syslog server would see connection setup/teardown info:

logging message 302009 level 4
logging message 302010 level 4
logging message 302013 level 4
logging message 302014 level 4
logging message 302015 level 4
logging message 302016 level 4
logging message 305010 level 4
logging message 305011 level 4
logging message 609001 level 4
logging message 609002 level 4

The problem appears now to be that we're generating so much syslog info that it's going past the 65536 row limit in Excel.

Pete

Yup! You'll want to write some sort of script to parse all that info (linux would be best if that's an option). Plixer should be giving you the info you're looking for. If you're monitoring the interface(s) to your firewall, then you're good to go. Are you seeing issues there?

Hi Collin,

We're seeing the traffic which is good, but our main issue is the volume of traffic being seen. Ideally, we'd like to filter out stuff like LAN <--> DMZ and just see LAN <--> Internet.

I guess it's more of a question now of how best to pull out just this information.

Thanks

Pete
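A Linux-side script of the kind Collin suggests, added here as an example and not posted by anyone in the thread: it parses the 302013/302015 "Built" and 302014/302016 "Teardown" connection messages Pete enabled, keeps only flows between the inside and outside interfaces (dropping LAN <--> DMZ), and ranks inside hosts by connection count and by the byte totals carried in the teardown messages, which goes a step beyond the xlate counting Pete asked about. The interface names inside/outside/dmz and the sample log lines are assumptions, since the thread shows neither.

```python
import re
from collections import Counter

# Constructed sample syslog lines in PIX 6.3 format (not captured from Pete's
# firewall). "outside", "dmz" and "inside" are assumed nameifs for e0, e1
# and e2; the thread never shows the real ones.
SAMPLE_LOG = """\
%PIX-6-302013: Built outbound TCP connection 1001 for outside:203.0.113.10/80 (203.0.113.10/80) to inside:10.1.1.5/51234 (198.51.100.2/51234)
%PIX-6-302015: Built outbound UDP connection 1002 for outside:203.0.113.53/53 (203.0.113.53/53) to inside:10.1.1.5/40000 (198.51.100.2/40000)
%PIX-6-302013: Built outbound TCP connection 1003 for dmz:172.16.0.10/443 (172.16.0.10/443) to inside:10.1.1.5/51235 (10.1.1.5/51235)
%PIX-6-302013: Built outbound TCP connection 1004 for outside:203.0.113.20/443 (203.0.113.20/443) to inside:10.1.1.7/51236 (198.51.100.2/51236)
%PIX-6-302014: Teardown TCP connection 1001 for outside:203.0.113.10/80 to inside:10.1.1.5/51234 duration 0:00:05 bytes 40960 TCP FINs
%PIX-6-302016: Teardown UDP connection 1002 for outside:203.0.113.53/53 to inside:10.1.1.5/40000 duration 0:00:02 bytes 512
%PIX-6-302014: Teardown TCP connection 1003 for dmz:172.16.0.10/443 to inside:10.1.1.5/51235 duration 0:00:09 bytes 999999 TCP FINs
%PIX-6-302014: Teardown TCP connection 1004 for outside:203.0.113.20/443 to inside:10.1.1.7/51236 duration 0:01:00 bytes 65536 TCP Reset-O
"""

# One pattern covers 302013/302015 (Built) and 302014/302016 (Teardown): both
# give the two endpoints as interface:ip/port; Teardown also reports "bytes N".
FLOW_RE = re.compile(
    r"%PIX-\d-(?P<msgid>30201[3-6]): (?P<event>Built|Teardown) "
    r"(?:(?:inbound|outbound) )?(?:TCP|UDP) connection \d+ "
    r"for (?P<if1>\w+):(?P<ip1>[\d.]+)/\d+ (?:\([\d.]+/\d+\) )?"
    r"to (?P<if2>\w+):(?P<ip2>[\d.]+)/\d+(?: \([\d.]+/\d+\))?"
    r"(?:.*?bytes (?P<bytes>\d+))?"
)

def summarize(log_text, inside="inside", outside="outside"):
    """Return (connections, bytes) Counters keyed by inside-host IP, keeping
    only flows whose other endpoint sits on the outside interface, which
    drops the LAN <--> DMZ traffic the thread wants filtered out."""
    conns, traffic = Counter(), Counter()
    for line in log_text.splitlines():
        m = FLOW_RE.search(line)
        if not m:
            continue
        ends = {m["if1"]: m["ip1"], m["if2"]: m["ip2"]}
        if inside not in ends or outside not in ends:
            continue
        host = ends[inside]
        if m["event"] == "Built":
            conns[host] += 1
        elif m["bytes"]:
            traffic[host] += int(m["bytes"])
    return conns, traffic

if __name__ == "__main__":
    conns, traffic = summarize(SAMPLE_LOG)
    for host, nbytes in traffic.most_common():
        print(f"{host:15} {conns[host]:5} conns {nbytes:10} bytes")
```

Feed it a real syslog file with `summarize(open("pix.log").read())`; because it streams line by line, the 65536-row limit Pete hit in Excel does not apply.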

I don't have Plixer, but can't you create a filter to remove DMZ traffic?

Hi Collin

I'm going through the Scrutinizer interface but haven't seen anything yet to filter the traffic.

Thanks for the help.

Pete

Hello,

We get quite a few calls on the NetFlow from the ASA. The NetFlow it exports is kind of unique. Check out this PDF:
http://www.plixer.com/files/netflow-on-the-asa-11-18-09.pdf

Thanks for considering Scrutinizer.

Jake
