SSG-5 logging for bandwidth use

I have an SSG-5 c/w 256 MB set up with this policy set up, with web filtering turned on:
***   from "Trust" to "Untrust"  "Any" "Any" "ANY" permit  ***
I have 17 workstations and 2 servers behind the firewall and I am trying to determine which one is using all the bandwidth. Currently running about 15 GB up/down combined per month, which is 50% over our plan of 10 GB/month (wireless connection), and is costing us money.
Would it overload the router to log that policy via syslog, and would I be able to get the info I am looking for from the logs? If anyone knows of a good syslog daemon / reporting combo where the syslog daemon will run on an NT SP6a server (Kiwi doesn't seem to want to), I would appreciate it! I will run the reporter from my XP workstation.
Microfiche asked:
rsivanandan commented:
You can enable syslog but to what level it is going to give you the result is not sure. There is no flow related support on these devices.

But I was thinking about something else.

Since there are only 19 machines you can do this: enable logging at the policy.

Clear the counters first. Then let the traffic flow for a day, then issue this:

get log traffic src-ip <machine1>

At the end, it will give you the count of connections. If you do it for 19 machines, you'd be able to get some idea.

Cheers,
Rajesh
0

rsivanandan commented:
So that worked? Can you just update on which machine was having too much of traffic? Virus?

Cheers,
Rajesh
0
Microfiche (author) commented:
I haven't tried it yet - I just figured I might as well close it due to lack of other responses.
I tried logging a Lotus Notes VIP I have set up, and it does seem to give some traffic statistics.
For instance:
<snip> duration=1 policy_id=3 service=tcp/port:1352 proto=6 src zone=Untrust dst zone=Trust action=Permit sent=646 rcvd=566 src=xxx.xxx.xxx.xxx dst=xxx.xxx.xxx.xxx src_port=1204 dst_port=1352 src-xlated ip=xxx.xxx.xxx.xxx port=1204 dst-xlated ip=192.168.85.2 port=1352 session_id=4028 reason=Close - TCP FIN <snip>
Couldn't I pull the sent and rcvd and src IPs from the log and do some calculations?
0
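The calculation the author is asking about can be done with a short script over the syslog export, which is also less work than running `get log traffic src-ip` once per machine. The following is an added example, not code from the thread or from Juniper: it pulls `src=`, `service=`, `sent=` and `rcvd=` out of each ScreenOS traffic-log line in the format quoted above, sums the bytes per internal source address, and ranks the top talkers. The sample lines are constructed (with documentation addresses in place of the `xxx` placeholders), and the field names are assumed to be exactly those shown in the quoted line.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines in the ScreenOS traffic-log format quoted in the
# thread. Addresses are RFC 5737 documentation ranges, not real hosts.
SAMPLE_LOG = """\
duration=1 policy_id=3 service=tcp/port:1352 proto=6 src zone=Trust dst zone=Untrust action=Permit sent=646 rcvd=566 src=192.168.85.10 dst=198.51.100.7 src_port=1204 dst_port=1352 src-xlated ip=203.0.113.5 port=1204 dst-xlated ip=198.51.100.7 port=1352 session_id=4028 reason=Close - TCP FIN
duration=30 policy_id=3 service=http proto=6 src zone=Trust dst zone=Untrust action=Permit sent=1200 rcvd=850000 src=192.168.85.12 dst=198.51.100.20 src_port=3301 dst_port=80 src-xlated ip=203.0.113.5 port=3301 dst-xlated ip=198.51.100.20 port=80 session_id=4031 reason=Close - TCP FIN
duration=5 policy_id=3 service=dns proto=17 src zone=Trust dst zone=Untrust action=Permit sent=70 rcvd=140 src=192.168.85.2 dst=198.51.100.53 src_port=1025 dst_port=53 src-xlated ip=203.0.113.5 port=1025 dst-xlated ip=198.51.100.53 port=53 session_id=4032 reason=Close - AGE OUT
duration=600 policy_id=3 service=tcp/port:6881 proto=6 src zone=Trust dst zone=Untrust action=Permit sent=4000000 rcvd=9000000 src=192.168.85.12 dst=198.51.100.99 src_port=4100 dst_port=6881 src-xlated ip=203.0.113.5 port=4100 dst-xlated ip=198.51.100.99 port=6881 session_id=4040 reason=Close - TCP RST
this line is not a traffic-log record and must be skipped
"""

# Keys in this format are not uniformly "key=value" (e.g. "src zone=", "src-xlated ip="),
# so each field is matched on its own. The word boundary before "src=" keeps it from
# matching "src_port=" or "dst=".
SENT_RE = re.compile(r"\bsent=(\d+)")
RCVD_RE = re.compile(r"\brcvd=(\d+)")
SRC_RE = re.compile(r"\bsrc=(\S+)")
SERVICE_RE = re.compile(r"\bservice=(\S+)")


def parse_traffic_line(line):
    """Return (src_ip, service, sent_bytes, rcvd_bytes) or None for non-traffic lines."""
    m_sent, m_rcvd, m_src = SENT_RE.search(line), RCVD_RE.search(line), SRC_RE.search(line)
    if not (m_sent and m_rcvd and m_src):
        return None
    m_service = SERVICE_RE.search(line)
    service = m_service.group(1) if m_service else "unknown"
    return m_src.group(1), service, int(m_sent.group(1)), int(m_rcvd.group(1))


def summarize(log_text):
    """Aggregate bytes, session count and a per-service byte breakdown per source IP."""
    totals = {}
    for line in log_text.splitlines():
        parsed = parse_traffic_line(line)
        if parsed is None:
            continue
        src, service, sent, rcvd = parsed
        entry = totals.setdefault(
            src, {"sent": 0, "rcvd": 0, "sessions": 0, "by_service": defaultdict(int)}
        )
        entry["sent"] += sent
        entry["rcvd"] += rcvd
        entry["sessions"] += 1
        entry["by_service"][service] += sent + rcvd
    return totals


def top_talkers(log_text, n=5):
    """Rank source IPs by combined up/down bytes, since the plan counts both directions."""
    totals = summarize(log_text)
    ranked = sorted(
        totals.items(), key=lambda kv: kv[1]["sent"] + kv[1]["rcvd"], reverse=True
    )
    return [(ip, e["sent"] + e["rcvd"]) for ip, e in ranked[:n]]


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for ip, total in top_talkers(SAMPLE_LOG):
        services = dict(summary[ip]["by_service"])
        print(f"{ip:16} {total:>12} bytes over {summary[ip]['sessions']} sessions  {services}")
```

Point the script at the file your syslog daemon writes (all traffic-log lines, not just the snippet) and run it over a full day. The per-service breakdown is what tells you whether the volume is HTTP or something else, which is the question the later "75% CPU" post raises; a single session closing with millions of bytes on an unfamiliar port is the kind of entry worth checking on that workstation.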
rsivanandan commented:
You could, but it might be a little difficult to analyze it yourself. Go by what I mentioned, that way you'll get to see who is the top talker then based on the role you could estimate if he should be sending that much or not.

Cheers,
Rajesh
0
rsivanandan commented:
Hi, there is another thought (hope you'll be reading it). Now this would be helpful only if you have a juniper login (support contract)

There is a firewall session analyzer tool, which can tell you info on 'top speakers', 'top destinations', 'top source/destination ports' etc.

All you need to give it is the output of 'get session' from the firewall.

Cheers,
Rajesh
0
Microfiche (author) commented:
Thanks Rajesh - I will try that out!
0
Microfiche (author) commented:
Just a note - with this policy set up as I initially described -
***   from "Trust" to "Untrust"  "Any" "Any" "ANY" permit  ***
All of a sudden yesterday the router was just locking up with 75%+ CPU usage.
Support suggested adding a new policy on top, filtering only the HTTP traffic which made a huge difference. It would appear that there is a lot of traffic other than HTTP happening over the router.
0
rsivanandan commented:
Hmm. Try out the online FSA, or there is also an application which is free; I just blogged about it, so I'm pasting it here, and it has the link for the application as well.

www.rsivanandan.com

Cheers,
Rajesh
0