  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 2761
  • Last Modified:

SSG-5 logging for bandwidth use

I have an SSG-5 c/w 256 MB set up with this policy set up, with web filtering turned on:
***   from "Trust" to "Untrust"  "Any" "Any" "ANY" permit  ***
I have 17 workstations and 2 servers behind the firewall and I am trying to determine which one is using all the bandwidth. Currently running about 15 GB up/down combined per month, which is 50% over our plan of 10 GB/month (wireless connection), and is costing us money.
Would it overload the router to log that policy via syslog, and would I be able to get the info I am looking for from the logs? If anyone knows of a good syslog daemon / reporting combo where the syslog daemon will run on an NT SP6a server (Kiwi doesn't seem to want to), I would appreciate it! I will run the reporter from my XP workstation.
0
Microfiche
Asked:
1 Solution
 
rsivanandan Commented:
You can enable syslog but to what level it is going to give you the result is not sure. There is no flow related support on these devices.

But I was thinking about something else.

Since there are only 19 machines you can do this; Enable logging at the policy

Clear the counters first. Then let the traffic flow for a day then issue this;

get log traffic src-ip <machine1>

At the end, it will give you the count of connections. If you do it for 19 machines, you'd be able to get some idea.

Cheers,
Rajesh
0
 
rsivanandan Commented:
So that worked? Can you just update on which machine was having too much traffic? Virus?

Cheers,
Rajesh
0
 
Microfiche (Author) Commented:
I haven't tried it yet - I just figured I might as well close it due to lack of other responses.
I tried logging a Lotus Notes VIP I have set up, and it does seem to give some traffic statistics.
For instance:
<snip> duration=1 policy_id=3 service=tcp/port:1352 proto=6 src zone=Untrust dst zone=Trust action=Permit sent=646 rcvd=566 src=xxx.xxx.xxx.xxx dst=xxx.xxx.xxx.xxx src_port=1204 dst_port=1352 src-xlated ip=xxx.xxx.xxx.xxx port=1204 dst-xlated ip=192.168.85.2 port=1352 session_id=4028 reason=Close - TCP FIN <snip>
Couldn't I pull the sent and rcvd and src IPs from the log and do some calculations?
0
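The calculation asked about above, as an added example that is not part of the original thread: it sums `sent` and `rcvd` per source IP for sessions that start in the Trust zone, using the field layout of the quoted log line. The sample lines and addresses are constructed, the function names are hypothetical, and `sent`/`rcvd` are assumed to be per-session byte counts.

```python
import re
from collections import defaultdict

# Constructed sample lines in the field layout quoted in the post above.
# Addresses are made up; the last line is truncated on purpose.
SAMPLE = """\
duration=9 policy_id=1 service=http proto=6 src zone=Trust dst zone=Untrust action=Permit sent=1200 rcvd=48000 src=192.168.85.10 dst=203.0.113.5 src_port=1204 dst_port=80 src-xlated ip=198.51.100.2 port=3001 dst-xlated ip=203.0.113.5 port=80 session_id=4028 reason=Close - TCP FIN
duration=60 policy_id=1 service=tcp/port:6881 proto=6 src zone=Trust dst zone=Untrust action=Permit sent=900000 rcvd=15000 src=192.168.85.23 dst=203.0.113.9 src_port=2210 dst_port=6881 session_id=4031 reason=Close - TCP RST
duration=2 policy_id=1 service=http proto=6 src zone=Trust dst zone=Untrust action=Permit sent=300 rcvd=2000 src=192.168.85.10 dst=203.0.113.5 src_port=1205 dst_port=80 session_id=4040 reason=Close - TCP FIN
duration=1 policy_id=3 service=tcp/port:1352 proto=6 src zone=Untrust dst zone=Trust action=Permit sent=646 rcvd=566 src=203.0.113.77 dst=198.51.100.2 src_port=1204 dst_port=1352 session_id=4051 reason=Close - TCP FIN
duration=2 policy_id=1 service=http proto=6 src zone=Trust
"""

# Some keys contain spaces ("src zone") and "port=" repeats, so match by name
# instead of splitting on whitespace. The lookbehind keeps "src=" distinct.
FIELDS = {
    "zone": re.compile(r"\bsrc zone=(\S+)"),
    "src": re.compile(r"(?<![\w-])src=(\S+)"),
    "sent": re.compile(r"\bsent=(\d+)"),
    "rcvd": re.compile(r"\brcvd=(\d+)"),
}

def parse_line(line):
    """Return (src_zone, src_ip, sent, rcvd), or None if a field is missing."""
    found = {k: rx.search(line) for k, rx in FIELDS.items()}
    if not all(found.values()):
        return None
    return (found["zone"].group(1), found["src"].group(1),
            int(found["sent"].group(1)), int(found["rcvd"].group(1)))

def top_talkers(lines, src_zone="Trust"):
    """Sum sent/rcvd per source IP for sessions that start in src_zone."""
    totals = defaultdict(lambda: [0, 0, 0])  # sent, rcvd, session count
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec[0] != src_zone:
            continue  # skip truncated lines and sessions from other zones
        _, ip, sent, rcvd = rec
        t = totals[ip]
        t[0], t[1], t[2] = t[0] + sent, t[1] + rcvd, t[2] + 1
    return sorted(((ip, s, r, n) for ip, (s, r, n) in totals.items()),
                  key=lambda row: row[1] + row[2], reverse=True)

if __name__ == "__main__":
    for ip, sent, rcvd, n in top_talkers(SAMPLE.splitlines()):
        print(f"{ip:15} sent={sent:>8} rcvd={rcvd:>8} sessions={n}")
```

Only sessions that have closed produce a log line with totals, so a long-lived transfer will not show up until it ends.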
 
rsivanandan Commented:
You could, but it might be a little difficult to analyze it yourself. Go by what I mentioned, that way you'll get to see who is the top talker then based on the role you could estimate if he should be sending that much or not.

Cheers,
Rajesh
0
 
rsivanandan Commented:
Hi, there is another thought (hope you'll be reading it). Now this would be helpful only if you have a juniper login (support contract)

There is a firewall session analyzer tool, which can tell you info on 'top speakers', 'top destinations', 'top source/destination ports' etc.

All you need to give it is the output of 'get session' from the firewall.

Cheers,
Rajesh
0
 
Microfiche (Author) Commented:
Thanks Rajesh - I will try that out!
0
 
Microfiche (Author) Commented:
Just a note - with this policy set up as I initially described -
***   from "Trust" to "Untrust"  "Any" "Any" "ANY" permit  ***
All of a sudden yesterday the router was just locking up with 75%+ CPU usage.
Support suggested adding a new policy on top, filtering only the HTTP traffic which made a huge difference. It would appear that there is a lot of traffic other than HTTP happening over the router.
0
 
rsivanandan Commented:
Hmm. Try out the online FSA, or there is also an application which is free; I just blogged about it, so I'm pasting it here, and it has the link for the application as well.

www.rsivanandan.com

Cheers,
Rajesh
0
