Amount of traffic

Hi,

Does anyone know if it's possible to check the amount of traffic generated from specific servers behind the firewall?
In this case how many Mbit or traffic amount in GB. I guess NetFlow would do the trick...

I am aware how to check number of connections/logs etc.
But is it possible to get traffic numbers?

Will SmartEvent catch this or is that limited to web traffic such as HTTP/HTTPS?
We are running VSX, R80.30 HFA219.

As far as I know you need to configure generic NetFlow and are not able to have one destination per VS.
So this complicates things within VSX as well.

Regards
Magnus

https://www.youtube.com/c/MagnusHolmberg-NetSec
0 Kudos
10 Replies
Collaborator

Magnus,

I believe it is possible from SmartEvent.

SmartEvent has a particular generic template with total bandwidth etc.

With some modification to the template, I believe you could achieve this.

I will try to create this for you at some point tomorrow if you don’t beat me to it!

0 Kudos

Hehe, thanks!
SmartEvent is not my strong side so I am sure you will beat me to it 🙂
Only ever used it for web surfing for clients so haven't tried within the network so to say.

https://www.youtube.com/c/MagnusHolmberg-NetSec
0 Kudos
Collaborator

Magnus,

Here you go.

The report is a bit rough cosmetically, but it will do the job.

Let me know if you want it tidying up.

This will show the top sources on bandwidth usage. To search for the specific source you want, just do the usual search in the search bar - "src:xxx.xxx.xxx.xxx"

Note - Make sure accounting is ticked under your log options for your rules!! This is a must! 🙂

https://www.dropbox.com/s/zfd5rvp7wgjxnzp/Application_and_URL_Filtering_Nov_22__2020_7_47_36_PM.cpr?...

0 Kudos

That's quick! I will try to check it out during the week then.
Still need to install a SmartEvent box and add it to the MDS/MLM 🙂

Accounting on the rules... That's a pain, 1000 rules+ and already logging 50G+ per day.


/Magnus

https://www.youtube.com/c/MagnusHolmberg-NetSec
0 Kudos
Collaborator

Accounting is necessary unfortunately. Do you have extended log on any of those rules? Maybe you could look at your logging to try to reduce it.

Much more and you may need to consider additional correlative units for SmartEvent if you want to use it heavily in production.

0 Kudos

Now I have installed a SmartEvent server and attached it to the global domain.
Added the specific CMA/CLM within Initial settings correlation units and the CMA in object domains.
Installed DB, changed all rules to accounting, left it a few hours but well, more or less nothing. I get like 30.000 events; system status says OK.
Firewall is generating like 400.000 logs/hour.

Will this actually work with FW only? Based on your file @JackPrendergast I am guessing I do need to activate Application Control & URL Filtering as well.
In this case I am looking for bandwidth usage within the Check Point between interfaces.

Regards,
Magnus

https://www.youtube.com/c/MagnusHolmberg-NetSec
0 Kudos
Collaborator

Shouldn't have to enable URLF&APPC - should be fine with FW only with logs set to accounting.

Unless I am wrong... but that should work.

Let me know 🙂

0 Kudos

Sadly did not get it to work, so currently checking on the possibilities to do it via NetFlow.

https://www.youtube.com/c/MagnusHolmberg-NetSec
0 Kudos
Admin

You should be able to directly attach the .cpr file to a message (or worst case, after zipped).

Collaborator

I tried attaching it directly and it stripped it out. Next time I’ll try to zip it! Thanks!

0 Kudos