Magnus-Holmberg
Advisor

Amount of traffic

Hi,

Does anyone know if it's possible to check the amount of traffic generated from specific servers behind the firewall?
In this case, how many Mbit or traffic amount in GB; I guess NetFlow would do the trick...

I am aware of how to check the number of connections/logs etc.
But is it possible to get traffic numbers?

Will SmartEvent catch this, or is that limited to web traffic such as HTTP/HTTPS?
We are running VSX, R80.30 HFA219.

As far as I know, you need to configure generic NetFlow and are not able to have one destination per VS.
So this complicates things within VSX as well.

Regards
Magnus

https://www.youtube.com/c/MagnusHolmberg-NetSec
0 Kudos
11 Replies
JackPrendergast
Advisor

Magnus,

I believe it is possible from SmartEvent.

SmartEvent has a particular generic template with total bandwidth etc.

With some modification to the template, I believe you could achieve this.

I will try to create this for you at some point tomorrow if you don’t beat me to it!

0 Kudos
Magnus-Holmberg
Advisor

Hehe, thanks!
SmartEvent is not my strong side, so I am sure you will beat me to it 🙂
I have only ever used it for web surfing for clients, so I haven't tried it within the network, so to say.

https://www.youtube.com/c/MagnusHolmberg-NetSec
0 Kudos
JackPrendergast
Advisor

Magnus,

Here you go.

The report is a bit rough cosmetically, but it will do the job.

Let me know if you want it tidying up.

This will show the top sources on bandwidth usage. To search for the specific source you want, simply do the usual search in the search bar - "src:xxx.xxx.xxx.xxx"

Note - Make sure accounting is ticked under your log options for your rules!! This is a must! 🙂

https://www.dropbox.com/s/zfd5rvp7wgjxnzp/Application_and_URL_Filtering_Nov_22__2020_7_47_36_PM.cpr?...

0 Kudos
Magnus-Holmberg
Advisor

That's quick! I will try to check it out during the week then.
I still need to install a SmartEvent box and add it to the MDS/MLM 🙂

Accounting on the rules... That's a pain, 1000+ rules and already logging 50G+ per day.

/Magnus

https://www.youtube.com/c/MagnusHolmberg-NetSec
0 Kudos
JackPrendergast
Advisor

Accounting is necessary, unfortunately. Do you have extended log on any of those rules? Maybe you could look at your logging to try to reduce it.

Much more and you may need to consider additional correlative units for SmartEvent if you want to use it heavily in production.

0 Kudos
Magnus-Holmberg
Advisor

Now I have installed a SmartEvent server and attached it to the global domain.
I added the specific CMA/CLM within Initial settings correlation units and the CMA in object domains.
Installed DB, changed all rules to accounting, left it a few hours, but well, more or less nothing. I get like 30.000 events; system status says OK.
The firewall is generating like 400.000 logs/hour.

Will this actually work with FW only? Based on your file, @JackPrendergast, I am guessing I do need to activate Application Control & URL Filtering as well.
In this case I am looking for bandwidth usage within the Check Point between interfaces.

Regards,
Magnus

https://www.youtube.com/c/MagnusHolmberg-NetSec
0 Kudos
JackPrendergast
Advisor

Shouldn't have to enable URLF&APPC - should be fine with FW only with logs set to accounting.

Unless I am wrong... but that should work.

Let me know 🙂

0 Kudos
Magnus-Holmberg
Advisor

Sadly I did not get it to work, so I am currently checking on the possibilities to do it via NetFlow.

https://www.youtube.com/c/MagnusHolmberg-NetSec
0 Kudos
PhoneBoy
Admin

You should be able to directly attach the .cpr file to a message (or worst case, after zipped).

JackPrendergast
Advisor

I tried attaching it directly and it stripped it out. Next time I’ll try to zip it! Thanks!

0 Kudos
yunier88
Participant

Hello,

I need to know how much traffic (GB or MB) has passed through our firewall in a year, for example. Does anyone know how I can get this information?

Thanks

0 Kudos
