Reporting is a bit of a catch-22 at the moment.
If the appliance you are running 8.2.1 on was purchased with v8 installed, then as part of that you were entitled to download and install two additional report-oriented products.
Firewall Profiler is a virtual machine solution, which you are entitled to connect up to 5 firewall devices to. It would take a data feed from the Firewall and present it in a graphical format. It wasn't designed as a reporting tool as such because it only ever stored 30 days' worth of Firewall data, so it was more of a trend analysis tool. You could see the firewall alerts represented as "bubbles" and the colour and the size of the bubbles told you what was going on. You could then drill down and find out more (what was causing the problem, where it was originating from and so forth). But there were also some canned reports along the lines of the type of thing you are looking for.
Firewall Reporter is a software-based solution which, in tandem with a syslog server, would retrieve and store logging data for as long as you had disk space to store it. As its name suggests, it was designed purely to produce reports.
The problem is that both of these products were effectively 'retired' at the beginning of this year. According to the product lifecycle section of the McAfee site, each product will officially go out of support at the beginning of 2013 - http://www.mcafee.com/us/support/support-eol-software-utilities.aspx#swu_firewall
Why have McAfee done this? Well, largely because they bought NitroSecurity at the tail end of last year - http://www.mcafee.com/us/about/mcafee-nitrosecurity.aspx
The unfortunate aspect of this acquisition is that, unlike the Profiler and Firewall Reporter offerings, the NitroSecurity solution isn't likely to be offered as part of the Firewall Enterprise bundle. Though, that's for someone at McAfee to confirm for certain, so I'd suggest contacting your local reseller or regional McAfee office.
When I called McAfee they mentioned this Firewall Reporter. But they did also mention it was nearing end of life. Thanks for the heads up. Doesn't sound like there is an easy answer.
Well, I am logging to a remote syslog server. I am using XML formatting but the logs are not verbose. It doesn't seem to log traffic information, just more like traffic that gets denied or when the configuration is changed. Anyone know if it's possible to tweak the syslog logging to log all traffic?
Change the Audit level in this rule to Verbose and it should show up.
The options I have are ...
port (using standard 514)
filter (set for no filtering)
format (set to XML)
Max PDU size (set to 1024)
PDU exceed behavior
I see the option "verbose ASCII" under format, maybe I'll try that. I also see an "AUDIT ALL" under filter.
You should use 'No filter' as the filter.
The 'session end' audits should have this information:
$> acat -e "event AUDIT_R_PROXY_CONN_END"
- for proxies
$> acat -e "event AUDIT_R_SERVER_CONN_END"
- for servers
$> acat -e "event AUDIT_R_NET_IPFCLOSE"
- for packet filters
Look for those.
Check out my last two responses to this question from the forums: https://community.mcafee.com/message/237399
You can also run:
$> cf reports run_report report_name=traffic
$> cf reports run_report report_name=ipftraffic
They will show you a lot of information, and in each output is a section "Proxy Traffic Summary by Source Host" and "IP Filter Traffic Summary by Source Host", respectively. That will show you the number of bytes sent from each IP for the time frame of that audit file.
If you want to know more about the cf reports command run 'man cf_reports'.