    Bandwidth usage per host

      Is there a fairly straightforward way to figure out by using the McAfee Enterprise Firewall which internal IPs are using the most bandwidth? It doesn't have to be real time but I would like to figure out how to find out which hosts are using the most bandwidth say in the last hour / day / week etc. I am guessing some type of reporting will have to be turned on and logged, then those logs would need to be analyzed. I know the firewall will tell me which applications are being used the most and give me figures but that is too general. I need to know which specific hosts have transferred the most data. I am running 8.2.1. If someone could point me in the right direction I'd appreciate any help.



        • 1. Re: Bandwidth usage per host

          Reporting is a bit of a catch-22 at the moment.


          If the appliance you are running 8.2.1 on was purchased with v8 installed, then as part of that you were entitled to download and install two additional report-oriented products.


          Firewall Profiler is a virtual machine solution, which you are entitled to connect up to 5 firewall devices to. It would take a data feed from the Firewall and present it in a graphical format. It wasn't designed as a reporting tool as such because it only ever stored 30 days' worth of Firewall data, so it was more of a trend analysis tool. You could see the firewall alerts represented as "bubbles" and the colour and the size of the bubbles told you what was going on. You could then drill down and find out more (what was causing the problem, where it was originating from and so forth). But there were also some canned reports along the lines of the type of thing you are looking for.


          Firewall Reporter is a software-based solution which, in tandem with a syslog server, would retrieve and store logging data for as long as you had disk space to store it. As its name suggests it was designed purely to produce reports.


          The problem is that both of these products were effectively 'retired' at the beginning of this year. According to the product lifecycle section of the McAfee site, each product will officially go out of support at the beginning of 2013 - http://www.mcafee.com/us/support/support-eol-software-utilities.aspx#swu_firewall


          Why have McAfee done this? Well, largely because they bought NitroSecurity at the tail end of last year - http://www.mcafee.com/us/about/mcafee-nitrosecurity.aspx


          The unfortunate aspect of this acquisition is, unlike the Profiler and Firewall Reporter offerings, the NitroSecurity solution isn't likely to be offered as part of the Firewall Enterprise bundle. Though, that's for someone at McAfee to confirm for certain, so I'd suggest contacting your local reseller or regional McAfee office.




          • 2. Re: Bandwidth usage per host

            When I called McAfee they mentioned this Firewall Reporter. But they did also mention it was nearing end of life. Thanks for the heads up. Doesn't sound like there is an easy answer.

            • 3. Re: Bandwidth usage per host

              Well I am logging to a remote syslog server. I am using XML formatting but the logs are not verbose. It doesn't seem to log traffic information, just more like traffic that gets denied or when the configuration is changed. Anyone know if it's possible to tweak the syslog logging to log for all traffic?

              • 4. Re: Bandwidth usage per host

                Change the Audit level in this rule to Verbose and it should show up.

                • 5. Re: Bandwidth usage per host

                  The options I have are ...

                  port (using standard 514)

                  filter (set for no filtering)

                  format (set to XML)

                  Max PDU size (set to 1024)

                  PDU exceed behavior)


                  I see the option "verbose ASCII" under format, maybe I'll try that. I also see an "AUDIT ALL" under filter.

                  • 6. Re: Bandwidth usage per host

                    You should use 'No filter' as the filter.


                    The 'session end' audits should have this information:

                    $> acat -e "event AUDIT_R_PROXY_CONN_END"

                    - for proxies

                    $> acat -e "event AUDIT_R_SERVER_CONN_END"

                    - for servers

                    $> acat -e "event AUDIT_R_NET_IPFCLOSE"

                    - for packet filters


                    Look for those.

                    • 7. Re: Bandwidth usage per host

                      Check out my last two responses to this question from the forums:  https://community.mcafee.com/message/237399


                      You can also run:

                      $> cf reports run_report report_name=traffic


                      $> cf reports run_report report_name=ipftraffic


                      They will show you a lot of information and in each output is a section "Proxy Traffic Summary by Source Host" and "IP Filter Traffic Summary by Source Host", respectively.  That will show you the amount of bytes sent from each IP for the time frame of that audit file.


                      If you want to know more about the cf reports command run 'man cf_reports'.
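
Added example, not part of the thread and not McAfee tooling: one way to rank internal hosts by bytes transferred over the last hour or day, using the session-end audit events named in reply 6 once they reach the syslog server. The one-line key=value layout and the field names ts, srcip, bytes_in and bytes_out are assumptions, as are the sample records; map them to whatever your audit records actually contain.

```python
from collections import Counter
from datetime import datetime, timedelta

# Session-end audit events named in the thread (proxy, server, packet filter).
SESSION_END_EVENTS = {
    "AUDIT_R_PROXY_CONN_END",
    "AUDIT_R_SERVER_CONN_END",
    "AUDIT_R_NET_IPFCLOSE",
}

# Constructed sample records. The key=value layout and the field names
# (ts, event, srcip, bytes_in, bytes_out) are assumptions, not the firewall's format.
SAMPLE = """\
ts=2012-06-01T09:10:00 event=AUDIT_R_PROXY_CONN_END srcip=10.1.1.20 bytes_in=700000 bytes_out=1200
ts=2012-06-01T11:40:00 event=AUDIT_R_PROXY_CONN_END srcip=10.1.1.20 bytes_in=500000 bytes_out=800
ts=2012-06-01T11:45:00 event=AUDIT_R_NET_IPFCLOSE srcip=10.1.1.31 bytes_in=90000 bytes_out=2500000
ts=2012-06-01T11:50:00 event=SOME_OTHER_EVENT srcip=10.1.1.99 bytes_in=0 bytes_out=0
ts=2012-06-01T11:55:00 event=AUDIT_R_SERVER_CONN_END srcip=10.1.1.31 bytes_in=oops
truncated line without fields
"""

def parse(line):
    """Return a dict of key=value tokens; tokens without '=' are ignored."""
    return dict(tok.split("=", 1) for tok in line.split() if "=" in tok)

def top_talkers(lines, now, window, n=10):
    """Sum bytes per source IP over session-end events inside [now - window, now]."""
    totals, skipped = Counter(), 0
    for line in lines:
        rec = parse(line)
        if rec.get("event") not in SESSION_END_EVENTS:
            continue  # not a session-end record, so not counted as traffic
        try:
            ts = datetime.fromisoformat(rec["ts"])
            nbytes = int(rec["bytes_in"]) + int(rec["bytes_out"])
            src = rec["srcip"]
        except (KeyError, ValueError):
            skipped += 1  # malformed record, e.g. cut off at the syslog max PDU size
            continue
        if now - window <= ts <= now:
            totals[src] += nbytes
    return totals.most_common(n), skipped

if __name__ == "__main__":
    now = datetime(2012, 6, 1, 12, 0)
    for label, window in (("hour", timedelta(hours=1)), ("day", timedelta(days=1))):
        ranked, skipped = top_talkers(SAMPLE.splitlines(), now, window)
        print(f"last {label}: {ranked} (skipped {skipped} malformed)")
```

A non-zero skipped count means the totals undercount some hosts, which is worth checking against the Max PDU size setting before trusting the ranking.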