Skip to main content
Version: 2.10.0

Top Policy Violators for Cisco ASA (10020 / 20020)

Description​

This Module utilizes Cisco ASA NSEL data and provides a list of firewall policies violators. Top violators are reported by Network Device and by Destination Port over a time interval T. Only TCP/IP and UDP traffic is accounted for. The number of reported top violators (N) and the observation interval (T, sec) are configurable. This information is provided per NetFlow exporter.

Parameters​

Parameter NameDescriptionComments
Data Collection Interval, secModule logic execution intervalmin = 10 sec, max = 600 sec, default = 30 sec
Application protocol (l4_dst_port) listList of watched layer 4 destination ports. If specified, the traffic is reported by specified ports, and all other traffic is summed up under dest_port=0. If the list is empty, the traffic is reported by all actual destination ports.e.g. 80, 443
N – number of reported hostsTop N (number of reported destinations)min = 0, max = 100000, default = 50 (0 indicates all hosts are reported)
Enable(1) or disable (0) reporting by destination portIf set to 1, enable network traffic monitoring by destination port. If set to 0, report total network traffic as destination port 0 (dest_port=0)default = 0

Inputs​

Cisco ASA NSEL.

Syslog/JSON Message Fields​

KeyField DescriptionComments
nfc_idMessage type identifier“nfc_id=20020”
exp_ipNetFlow exporter IPv4 address<IPv4_address>
src_ipSource host IPv4 address<IPv4_address>
src_ip6Source host IPv6 address<IPv6_address>
dest_ipDestination host IPv4 address<IPv4_address>
dest_ip6Destination host IPv6 address<IPv6_address>
dest_portDestination port number (e.g. 80 for http)<number>
denied_countDenied flows count<number>
t_intObservation time interval, msec<number>