Taking a look at the ASDM (6.4) for my ASA 5520, I get a nice summary of the traffic status, with items like "interface traffic usage", and "connections per second".

This works well, but only shows the data for the last 5-6 minutes or so.

Recently, I've been asked whether it's possible to pull up this same type of traffic data for a particular time in the past. (Such as: Find the traffic usage for a 3 minute period from date xx:xx:xx @ time xx:xx:xx)

I've noticed that my ASA 5520 is logging the warnings, errors, etc. that it is processing. But traffic data is not logged (yet) according to my search through the ASA.

Is logging the traffic data amounts (as wondered above) actually a possibility? Is there any way to find out the past data for traffic and such values?

Thanks!

j2k4j
  • Can it be logged? Yes. Is it saved with your current configuration? Almost certainly not. You'll have to be more specific as to what kind of data you want to save, and what version of PixOS you're running. You'll probably want to set up external logging to a syslog server (something like KiwiSyslog works really well). But that will not give you convenient and easy to read information. – Chris S Nov 10 '12 at 03:46
  • Yes, I've got external logging set up to a syslog server, but I don't find any sort of traffic (amount) data in the logs. The logs show the real "firewall" activity, such as blocked IPs, too many connections for this or that IP, etc. I guess what I'm looking for is a sort of traffic stats to be logged. (Not "firewall" rule activity, but rather how much traffic was flowing in/out of the firewall at a certain time, and to be able to look that up, later.) Is it possible? (Any more details needed?) Thanks! – j2k4j Nov 10 '12 at 03:53
  • I'm still not sure what you're looking for, but I'm thinking you're looking for something simple and easy to read, which doesn't really exist with what you've got (other than the semi-live stats you're currently looking at). If you're running PixOS 8.2+ you can set up a [NetFlow Collector](http://tinyurl.com/4h6dg7) and [configure the ASA](http://tinyurl.com/ace2soj) for it; depending on your collector [it may have all the analysis and reporting tools you want](http://tinyurl.com/36wr3r). – Chris S Nov 10 '12 at 04:03

1 Answer

There are two basic options for firewall traffic usage monitoring. What I'm guessing you're looking for is Mbps for each interface, ingress/egress, is that correct? If so, you can use standard SNMP-based monitoring tools. Consult the Cisco command reference for your version of software, but it's really no different than adding an SNMP server to any other Cisco device. You can set this up so that your monitoring server (SolarWinds, Nagios, WhatsUP, etc.) polls your ASA periodically for the stats, and add traps for push notifications of urgent issues.

The other route for collection, as Chris referred to, is flow-based. Rather than counting bits in/out on an interface, you can look at flow creation/teardown, protocol & endpoints of the flow. Every time a two-way communication is initiated between two IPs, there's a flow record created for it. It's an inherent part of the dynamic firewall process that the ASA uses. You can also export this information to an external collector for storage, analysis, graphing, etc. For instance, you could query the data for the top 10 users of your ISP pipe during an hour.

sjw
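How stored SNMP interface-counter polls, as described in the answer, can answer the question's "traffic usage for a 3 minute period in the past" query. This is an added example, not part of the original posts; the sample values, function names, the 60-second polling interval and the 1 Gbps link speed are assumptions, and `ifHCInOctets` is the standard IF-MIB 64-bit input octet counter.

```python
"""Average interface throughput for a past time window, computed from stored
SNMP octet-counter polls. All names and sample values here are constructed."""

# Constructed samples: (unix_time, ifHCInOctets) stored every 60 s for one
# interface. The counter drops at t=300 to mimic a device reload.
SAMPLES = [
    (0, 1_000_000),
    (60, 16_000_000),
    (120, 46_000_000),
    (180, 91_000_000),
    (240, 106_000_000),
    (300, 5_000_000),
    (360, 20_000_000),
]


def interval_octets(prev, curr, seconds, bits=64, link_bps=1_000_000_000):
    """Octets counted between two polls, or None if the counter was reset.

    link_bps is an assumed interface speed, used as a plausibility bound.
    """
    if curr >= prev:
        return curr - prev
    wrapped = curr + (1 << bits) - prev
    # A genuine wrap cannot carry more than the link allows in the interval;
    # anything larger means the counter restarted from zero.
    if wrapped * 8 <= link_bps * seconds:
        return wrapped
    return None


def average_mbps(samples, start, end, bits=64, link_bps=1_000_000_000):
    """Average Mbps over the polling intervals lying fully inside [start, end].

    Intervals that span a counter reset are skipped. Returns None when no
    usable interval falls inside the window.
    """
    octets = covered = 0
    for (t0, c0), (t1, c1) in zip(samples, samples[1:]):
        if t0 < start or t1 > end:
            continue
        delta = interval_octets(c0, c1, t1 - t0, bits, link_bps)
        if delta is None:
            continue
        octets += delta
        covered += t1 - t0
    return octets * 8 / covered / 1e6 if covered else None


if __name__ == "__main__":
    print(average_mbps(SAMPLES, 0, 180))
    print(average_mbps(SAMPLES, 180, 360))
```

With 32-bit counters on a gigabit interface a wrap and a reset can look the same within one polling interval, so the 64-bit counters are the safer source for this calculation.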