Juniper firewall monitoring software

Hi:

At my place of employment, the Webtrends Firewall Suite was used to monitor a different brand (non-Juniper) of firewalls. I recently installed some Juniper firewalls and wanted to use Webtrends Firewall Suite to monitor the new Juniper firewalls. I found that the Firewall Suite is no longer owned by Webtrends but is now owned by a company called Marshal. I also found that Marshal isn't putting a lot of effort into updating the Firewall Suite and is migrating Firewall Suite users to their "Marshal Security Reporting Center".

What options are available for monitoring Juniper firewalls? I am looking for information like top protocols that passed through the firewall (www, ftp, smtp, etc) ranked by MB consumed. I am also looking for top web surfers on the internal network or top ftp users on the internal network.

Can the Juniper NSM appliance provide reporting like this? I have asked a local VAR to arrange an NSM demo appliance at my site but the VAR hasn't brought me the demo appliance yet.

Is there other software on the market that will accept the logging output from the Juniper firewalls in "Webtrends format" for reporting purposes?

I am currently monitoring memory utilization, CPU utilization, sessions and Mb/sec throughput for each interface on the Juniper firewall interfaces using Cacti. That works quite well for "what is the firewall doing right now?" monitoring.

Thank you in advance.

-Scott Vieth

_______________________________________________
nn mailing list
nn@...
http://www.compsoc.com/cgi-bin/mailman/listinfo/nn

Re: Juniper firewall monitoring software

What you are looking for is Flow information on your network, and the firewalls do not provide any type of flow information. Depending on what type of network hardware you have you could gather the information from the existing Network gear using netflow (Cisco), or jflow (Juniper), or sflow (open source used by Foundry, HP, and others). If your network does not support flow technology you can put a probe that does support a flow based technology, the probe needs to be inline or have a mirrored port of all traffic. You need to send the flows to a collector to do the things you want. In our Network we use SFLOW information via Foundry switches and routers and INMON Traffic Sentinel to display the traffic information (INMON traffic server will use Netflow information as well). There are other open source collectors out there as well, NTOP is a popular open source product for network flow analysis.

Greg

Scott Vieth wrote:
> Hi:
>
> At my place of employment, the Webtrends Firewall Suite was used to
> monitor a different brand (non-Juniper) of firewalls. I recently
> installed some Juniper firewalls and wanted to use Webtrends Firewall
> Suite to monitor the new Juniper firewalls. I found that the Firewall
> Suite is no longer owned by Webtrends but is now owned by a company
> called Marshal. I also found that Marshal isn't putting a lot of
> effort into updating the Firewall Suite and is migrating Firewall
> Suite users to their "Marshal Security Reporting Center".
>
> What options are available for monitoring Juniper firewalls? I am
> looking for information like top protocols that passed through the
> firewall (www, ftp, smtp, etc) ranked by MB consumed. I am also
> looking for top web surfers on the internal network or top ftp users
> on the internal network.
>
> Can the Juniper NSM appliance provide reporting like this? I have
> asked a local VAR to arrange an NSM demo appliance at my site but the
> VAR hasn't brought me the demo appliance yet.
>
> Is there other software on the market that will accept the logging
> output from the Juniper firewalls in "Webtrends format" for reporting
> purposes?
>
> I am currently monitoring memory utilization, CPU utilization,
> sessions and Mb/sec throughput for each interface on the Juniper
> firewall interfaces using Cacti. That works quite well for "what is
> the firewall doing right now?" monitoring.
>
> Thank you in advance.
>
> -Scott Vieth

Re: Juniper firewall monitoring software

Hi Greg:

Thank you for the quick reply. I'm not looking for real-time reporting on firewall traffic using flows. I am looking for a reporting tool that will analyze the WELF messages coming from the Juniper firewall like this:

WTsyslog[2008-05-17 00:00:59 ip=nnn.nnn.nnn.nnn pri=5] id=firewall time="2008-05-17 00:00:56" fw="fw1" pri=5 rule=66 proto=https src=yyy.yyy.yyy.yyy dst=xxx.xxx.xxx.xxx sent=3375 rcvd=14580 duration=1 msg="Action:Permit"

The reporting doesn't need to be up-to-the-second. But could be something that is run on-demand (analyze the last 60 minutes worth of logs) or something that is run daily to analyze the logs for the previous 24 hours.

Thanks,
-Scott

On Sat, May 17, 2008 at 11:25 AM, Greg Conroy <gconroy@...> wrote:
> What you are looking for is Flow information on your network, and the
> firewalls do not provide any type of flow information. Depending on
> what type of network hardware you have you could gather the
> information from the existing Network gear using netflow (Cisco), or
> jflow (Juniper), or sflow (open source used by Foundry, HP, and
> others). If your network does not support flow technology you can put
> a probe that does support a flow based technology, the probe needs to
> be inline or have a mirrored port of all traffic. You need to send the
> flows to a collector to do the things you want. In our Network we use
> SFLOW information via Foundry switches and routers and INMON Traffic
> Sentinel to display the traffic information (INMON traffic server will
> use Netflow information as well). There are other open source
> collectors out there as well, NTOP is a popular open source product
> for network flow analysis.
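
The report asked for in this thread (top protocols by MB, top internal sources for one protocol, over a chosen time window) can be produced directly from WELF records of the shape quoted in the message above. The following is an added example, not part of the original thread and not code from any product named in it; the sample records are constructed, and treating `sent`/`rcvd` as byte counts is an assumption.

```python
import re
from collections import Counter
from datetime import datetime

# key=value or key="quoted value" pairs, the shape of the WELF record quoted above
PAIR = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Collector header in front of the record, as it appears in the quoted sample
PREFIX = re.compile(r'^WTsyslog\[[^\]]*\]\s*')

def parse_welf(line):
    """Return the record's fields as a dict, or None if it is not a firewall record."""
    body = PREFIX.sub('', line.strip())
    rec = {k: quoted or bare for k, quoted, bare in PAIR.findall(body)}
    return rec if rec.get('id') == 'firewall' else None

def top_talkers(lines, key, since=None, proto=None, n=5):
    """Rank values of `key` ('proto', 'src', ...) by sent+rcvd, in MB (10**6 bytes)."""
    totals = Counter()
    for line in lines:
        rec = parse_welf(line)
        if rec is None or key not in rec:
            continue
        if proto and rec.get('proto') != proto:
            continue
        try:
            when = datetime.strptime(rec['time'], '%Y-%m-%d %H:%M:%S')
            # Assumption: sent/rcvd are byte counts
            nbytes = int(rec.get('sent', 0)) + int(rec.get('rcvd', 0))
        except (KeyError, ValueError):
            continue  # malformed record: skip it rather than abort the report
        if since and when < since:
            continue
        totals[rec[key]] += nbytes
    return [(value, round(b / 1e6, 3)) for value, b in totals.most_common(n)]

# Constructed sample records (not real traffic), same field layout as the quoted line
_T = ('WTsyslog[{t} ip=192.0.2.1 pri=5] id=firewall time="{t}" fw="fw1" pri=5 rule=66 '
      'proto={p} src={s} dst=198.51.100.7 sent={tx} rcvd={rx} duration=1 msg="Action:Permit"')
SAMPLE = [_T.format(t=t, p=p, s=s, tx=tx, rx=rx) for t, p, s, tx, rx in [
    ('2008-05-17 00:00:56', 'https', '10.0.0.5', 3375, 14580),
    ('2008-05-17 00:20:10', 'http', '10.0.0.5', 1200, 2500000),
    ('2008-05-17 00:40:00', 'ftp', '10.0.0.9', 900, 7000000),
    ('2008-05-17 00:55:30', 'http', '10.0.0.7', 800, 4000000),
    ('2008-05-16 22:00:00', 'smtp', '10.0.0.9', 50000, 1000),
]] + ['garbage line without fields']

if __name__ == '__main__':
    print(top_talkers(SAMPLE, 'proto'))
    print(top_talkers(SAMPLE, 'src', since=datetime(2008, 5, 17), proto='http'))
```

Passing `since` as "now minus 60 minutes" gives the on-demand report, and "now minus 24 hours" gives the daily one.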

Re: Juniper firewall monitoring software

The problem with using the syslog for traffic is the traffic is only logged when the session is closed. The other issue is logging all traffic is CPU intensive on the firewall depending on the amount of traffic passing through the firewall. Having said that, it would appear that the Stonylake Firewall Reporter does what you want and you can research the product at www.stonylakesolutions.com.

Greg

Scott Vieth wrote:
> Hi Greg:
>
> Thank you for the quick reply. I'm not looking for real-time
> reporting on firewall traffic using flows. I am looking for a
> reporting tool that will analyze the WELF messages coming from the
> Juniper firewall like this:
>
> WTsyslog[2008-05-17 00:00:59 ip=nnn.nnn.nnn.nnn pri=5] id=firewall
> time="2008-05-17 00:00:56" fw="fw1" pri=5 rule=66 proto=https
> src=yyy.yyy.yyy.yyy dst=xxx.xxx.xxx.xxx sent=3375 rcvd=14580
> duration=1 msg="Action:Permit"
>
> The reporting doesn't need to be up-to-the-second. But could be
> something that is run on-demand (analyze the last 60 minutes worth of
> logs) or something that is run daily to analyze the logs for the
> previous 24 hours.
>
> Thanks,
> -Scott
>
> On Sat, May 17, 2008 at 11:25 AM, Greg Conroy <gconroy@...> wrote:
>
>     What you are looking for is Flow information on your network, and
>     the firewalls do not provide any type of flow information.
>     Depending on what type of network hardware you have you could
>     gather the information from the existing Network gear using
>     netflow (Cisco), or jflow (Juniper), or sflow (open source used by
>     Foundry, HP, and others). If your network does not support flow
>     technology you can put a probe that does support a flow based
>     technology, the probe needs to be inline or have a mirrored port
>     of all traffic. You need to send the flows to a collector to do
>     the things you want. In our Network we use SFLOW information via
>     Foundry switches and routers and INMON Traffic Sentinel to display
>     the traffic information (INMON traffic server will use Netflow
>     information as well). There are other open source collectors out
>     there as well, NTOP is a popular open source product for network
>     flow analysis.
>
>     Greg
>
>     Scott Vieth wrote:
>
>         Hi:
>
>         At my place of employment, the Webtrends Firewall Suite was
>         used to monitor a different brand (non-Juniper) of firewalls.
>         I recently installed some Juniper firewalls and wanted to use
>         Webtrends Firewall Suite to monitor the new Juniper firewalls.
>         I found that the Firewall Suite is no longer owned by Webtrends
>         but is now owned by a company called Marshal. I also found
>         that Marshal isn't putting a lot of effort into updating the
>         Firewall Suite and is migrating Firewall Suite users to their
>         "Marshal Security Reporting Center".
>
>         What options are available for monitoring Juniper firewalls?
>         I am looking for information like top protocols that passed
>         through the firewall (www, ftp, smtp, etc) ranked by MB
>         consumed. I am also looking for top web surfers on the
>         internal network or top ftp users on the internal network.
>
>         Can the Juniper NSM appliance provide reporting like this? I
>         have asked a local VAR to arrange an NSM demo appliance at my
>         site but the VAR hasn't brought me the demo appliance yet.
>
>         Is there other software on the market that will accept the
>         logging output from the Juniper firewalls in "Webtrends
>         format" for reporting purposes?
>
>         I am currently monitoring memory utilization, CPU utilization,
>         sessions and Mb/sec throughput for each interface on the
>         Juniper firewall interfaces using Cacti. That works quite well
>         for "what is the firewall doing right now?" monitoring.
>
>         Thank you in advance.
>
>         -Scott Vieth

Re: Juniper firewall monitoring software

On Sat, May 17, 2008 at 02:42:53PM -0400, Greg Conroy wrote:
> The problem with using the syslog for traffic is the traffic is only
> logged when the session is closed. The other issue is logging all
> traffic is CPU intensive on the firewall depending on the amount of
> traffic passing through the firewall.

I don't remember in what version it was introduced, but ScreenOS does support logging on session initialization as well as session close:

e-> set pol id 22
e(policy:22)-> set log ?
<return>
alert                syslog alert
session-init         log at session init time
e(policy:22)->

I haven't personally seen any CPU utilization issues when sending traffic logs to syslog, even on firewalls that have session rampup rates of ~50k/min (NetScreen 5200 M2/8G2). However, YMMV.

- Mark

--
Mark Kamichoff
prox@...
http://prolixium.com/
Rensselaer Polytechnic Institute, Class of 2004

Re: Juniper firewall monitoring software

They added that in 5.1 I think, it is in 5.4 on all devices that support 5.4. I am sure on a 5200 you would not see any CPU issues logging. I can tell you on Netscreen 5XT's and 5GT's it will run the CPU up if you are logging all traffic, when traffic is 50mb to 70mbs (depending on PPS). The Netscreen 25/50 are affected as well, you can drop CPU 20% by turning off logging at high traffic times. The new SSG-5's and SSG140's do not seem to be affected by logging.

Greg

Mark Kamichoff wrote:
> On Sat, May 17, 2008 at 02:42:53PM -0400, Greg Conroy wrote:
>
>> The problem with using the syslog for traffic is the traffic is only
>> logged when the session is closed. The other issue is logging all
>> traffic is CPU intensive on the firewall depending on the amount of
>> traffic passing through the firewall.
>>
>
> I don't remember in what version it was introduced, but ScreenOS does
> support logging on session initialization as well as session close:
>
> e-> set pol id 22
> e(policy:22)-> set log ?
> <return>
> alert                syslog alert
> session-init         log at session init time
> e(policy:22)->
>
> I haven't personally seen any CPU utilization issues when sending
> traffic logs to syslog, even on firewalls that have session rampup rates
> of ~50k/min (NetScreen 5200 M2/8G2). However, YMMV.
>
> - Mark