How are people monitoring traffic on their PIX? I sometimes find that certain users take up all of our available T1 bandwidth and it's a pain trying to figure out who's doing it, especially in real time. Is this possible somehow, I don't mind third party utilities if necessary. How about limiting the amount of bandwidth that each node can use?
The PDM can display a little graph showing the utilization of the outside interface, but it doesn't allow to drill down to see which internal node is generating the traffic and that's what I'm interested in. I'd like to see which internal IP is communicating with which external IP and how much bandwidth they're taking up.
No, not in real time, not with PIX 4/5/6 (I don't know about PIX 7.)
If you show all the connection statuses and you have smart scripts that delta them and compare the information there to the active connections (that your scripts have simultaneously dug out of the syslog) then you might be able to get some idea of throughput.
PIX 7 if you want any kind of QoS.
PDM is PIX 6, so you don't have any QoS.
There's no convenient way at all to do it with PIX 4/5/6, not even from the command line.
As soon as the connection closes, a log message is generated that shows the total traffic (both directions combined) and the elapsed time, so you can do a bandwidth calculation after the fact.
I used custom scripts, and it took months to write and debug them. There only product on the market at the time I wrote them is no longer made.
-Possibly- solsoft's products are able to do some kind of traffic monitoring. Really though they are aimed at policy management.
Yes, monitoring on the PIX doesn't work very well. I set up a Linux box to capture syslog messages from the PIX. In order to get usage amounts you have to look at teardown messages. These messages are only available when the PIX is at the debugging log level. You can filter out those messages that you don't want.
In my setup I rotate the log file at midnight through a cron job. Then I have a script that parses the log file and then puts the usage data into a formatted file. This includes internal address, source port, (tcp or udp), external address, destination port, size... For this grep, awk and sed are your friends. Once the formatted file is complete I then use mysqlimport to import that data to a mysql database.
I then have a php web page that reads the data from the mysql database and presents usage data. The data presented on this web page includes usage information (by ip address), port usage, ip destinations with the highest volume of traffic...
This setup at best is a "hack" however it works pretty well. Some limitations are that it will not show the url of web traffic (only the ip address). It will not show the logged on user (only the source IP address). It is not real time and will only show yesterday (or previous day's usage). It has helped us track down virus problems through unusual port activity. It has pointed out users that are abusing the system and chewing up bandwidth.
You have to be pretty good with Linux and scripting to make this work. I can help by sending you some of the information (scripts) that I have, but this really isn't industrial strength stuff.
if you have a router between the "inside" interface and the rest of the network, then i suggest you look at using accounting or netflow / IPFIX on that.
this should give you info to the flow level - ie monitor individual TCP connections
the command line on the router will give you enough for a quick and dirty "look" when there are problems.
If you want long term tracking and so on you will need a server to capture the netflow info, handle the data manipulation and do all the "top 10" style presentation and drill down.
this kind of setup can do everything you are talking about and a fair bit more - as long as the traffic goes thru the boxes where you set up netflow......
What model router would I need between the inside interface of the PIX and the rest of the network to do netflow? I have a 1720 and 2524 that I'm not using but those are WAN routers and I need a LAN router.
What's the least expensive LAN router that would work here?
Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here.
All logos and trade names are the property of their respective owners.