Top Policy Violators for Cisco ASA (10020 / 20020)
Description
This Module utilizes Cisco ASA NSEL data and provides a list of firewall policies violators. Top violators are reported by Network Device and by Destination Port over a time interval T. Only TCP/IP and UDP traffic is accounted for. The number of reported top violators (N) and the observation interval (T, sec) are configurable. This information is provided per NetFlow exporter.
Parameters
| Parameter Name | Description | Comments |
|---|---|---|
| Data Collection Interval, sec | Module logic execution interval | min = 10 sec, max = 600 sec, default = 30 sec |
| Application protocol (l4_dst_port) list | List of watched layer 4 destination ports. If specified, the traffic is reported by specified ports, and all other traffic is summed up under dest_port=0. If the list is empty, the traffic is reported by all actual destination ports. | e.g. 80, 443 |
| N – number of reported hosts | Top N (number of reported destinations) | min = 0, max = 100000, default = 50 (0 indicates all hosts are reported) |
| Enable(1) or disable (0) reporting by destination port | If set to 1, enable network traffic monitoring by destination port. If set to 0, report total network traffic as destination port 0 (dest_port=0) | default = 0 |
Inputs
Cisco ASA NSEL.
Syslog/JSON Message Fields
| Key | Field Description | Comments |
|---|---|---|
| nfc_id | Message type identifier | “nfc_id=20020” |
| exp_ip | NetFlow exporter IPv4 address | <IPv4_address> |
| src_ip | Source host IPv4 address | <IPv4_address> |
| src_ip6 | Source host IPv6 address | <IPv6_address> |
| dest_ip | Destination host IPv4 address | <IPv4_address> |
| dest_ip6 | Destination host IPv6 address | <IPv6_address> |
| dest_port | Destination port number (e.g. 80 for http) | <number> |
| denied_count | Denied flows count | <number> |
| t_int | Observation time interval, msec | <number> |