Top Policy Violators for Cisco ASA (10020 / 20020)

Description

This Module utilizes Cisco ASA NSEL data and provides a list of firewall policies violators. Top violators are reported by Network Device and by Destination Port over a time interval T. Only TCP/IP and UDP traffic is accounted for. The number of reported top violators (N) and the observation interval (T, sec) are configurable. This information is provided per NetFlow exporter.

Parameters

Parameter Name
Description
Comments
Data Collection Interval, sec
Module logic execution interval
min = 10 sec, max = 600 sec, default = 30 sec
Application protocol (l4_dst_port) list
List of watched layer 4 destination ports. If specified, the traffic is reported by specified ports, and all other traffic is summed up under dest_port=0. If the list is empty, the traffic is reported by all actual destination ports.
e.g. 80, 443
N – number of reported hosts
Top N (number of reported destinations)
min = 0, max = 100000, default = 50 (0 indicates all hosts are reported)
Enable(1) or disable (0) reporting by destination port
If set to 1, enable network traffic monitoring by destination port. If set to 0, report total network traffic as destination port 0 (dest_port=0)
default = 0

Inputs

Cisco ASA NSEL.

Syslog/JSON Message Fields

Key
Field Description
Comments
nfc_id
Message type identifier
“nfc_id=20020”
exp_ip
NetFlow exporter IPv4 address
<IPv4_address>
src_ip
Source host IPv4 address
<IPv4_address>
src_ip6
Source host IPv6 address
<IPv6_address>
dest_ip
Destination host IPv4 address
<IPv4_address>
dest_ip6
Destination host IPv6 address
<IPv6_address>
dest_port
Destination port number (e.g. 80 for http)
<number>
denied_count
Denied flows count
<number>
t_int
Observation time interval, msec
<number>
Last modified 1yr ago