networking-forum.com

All times are UTC - 6 hours [ DST ]



PostPosted: Wed Jul 20, 2011 8:37 am 
Offline
New Member
New Member

Joined: Tue Jul 19, 2011 8:47 am
Posts: 38
Just wondering what suggestions people have in relation to monitoring traffic on their ASA. Generally we have no need to, but we have had instances where we've wanted to find out what server/PC is hogging bandwidth.

I've had a look around and found NTOP which utilises NetFlow (not used before) but this isn't realtime from what I can gather. More often than not we'd want to find out what's going on realtime/now, not what happened 5 mins ago.

Any thoughts?


 
PostPosted: Wed Jul 20, 2011 9:02 am 
Offline
Post Whore
Post Whore
User avatar

Joined: Thu Apr 29, 2010 6:12 pm
Posts: 2083
Location: Texas
Certs: CCNP, CCDP, CCIP
"Real-time" is going to be hard to come by. NetFlow and SNMP are my tools of choice. Keep in mind though you can adjust the polling intervals to sub-minute rates (on some tools) but you are going to start chewing up a ton of firewall and server resources. Some tools out there will freak out and not be able to handle this. Your ASA might not like it either.

Just like debug, you will get a ton of information but at a high cost.

_________________
http://blog.movingonesandzeros.net/


 
PostPosted: Wed Jul 20, 2011 9:19 am 
Offline
CCIE #20728
CCIE #20728
User avatar

Joined: Thu Aug 09, 2007 11:22 am
Posts: 1442
Location: Frankfurt, Germany
Did something like that a few years ago with RRD and our own Perl/PHP scripts as an on-demand service.
We had a PHP front end which let you choose which device and link to monitor and at which interval. The PHP scripts created the RRD database and started the Perl script, which worked in daemon mode and just queried the SNMP MIBs every interval and put it into the RRD database.

After we did not need it any more the stuff was deleted so the server and device did not have issues with resources over a long time period. The only thing I saw so far which was able to create near real time monitoring without a sky high price.

_________________
http://ccie20728.wordpress.com/
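
The interval polling described in the post above comes down to turning two SNMP octet-counter readings into a rate. The following is an added example, not the poster's scripts; it assumes the standard IF-MIB objects ifInOctets (32-bit) and ifHCInOctets (64-bit), uses constructed samples, and shows why the poll interval and the counter width have to be chosen together.

```python
COUNTER32 = 2 ** 32   # width of ifInOctets / ifOutOctets
COUNTER64 = 2 ** 64   # width of ifHCInOctets / ifHCOutOctets


def rate_bps(prev, curr, modulus=COUNTER32):
    """Bits per second between two (timestamp_s, octets) samples.

    Assumes the counter wrapped at most once between the two polls.
    """
    (t0, c0), (t1, c1) = prev, curr
    dt = t1 - t0
    if dt <= 0:
        raise ValueError("samples must be in increasing time order")
    delta = (c1 - c0) % modulus   # modular difference absorbs a single wrap
    return delta * 8 / dt


def wrap_seconds(link_bps, modulus=COUNTER32):
    """Seconds until a counter of this width wraps at full line rate."""
    return modulus * 8 / link_bps


def safe_interval(poll_s, link_bps, modulus=COUNTER32):
    """True if polling every poll_s seconds cannot miss a complete wrap."""
    return poll_s < wrap_seconds(link_bps, modulus)


def series(samples, modulus=COUNTER32):
    """Rates for each consecutive pair of samples."""
    return [rate_bps(a, b, modulus) for a, b in zip(samples, samples[1:])]


# Constructed samples: (seconds, ifInOctets) polled every 10 s.
# The third reading is smaller than the second because the counter wrapped.
SAMPLES = [(0, 4_294_000_000), (10, 4_294_900_000), (20, 1_182_704)]

if __name__ == "__main__":
    for bps in series(SAMPLES):
        print(f"{bps / 1e6:.2f} Mbit/s")
    print(f"32-bit counter wraps in {wrap_seconds(1e9):.1f} s at 1 Gbit/s")
```

On a 1 Gbit/s link a 32-bit counter wraps in about 34 seconds, so a 60-second poll needs the 64-bit counters to give a trustworthy rate.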


 
PostPosted: Thu Jul 21, 2011 2:14 am 
Offline
New Member
New Member

Joined: Tue Jul 19, 2011 8:47 am
Posts: 38
Yeah I've read about the load it can have on CPU, etc. It's a shame you can't just select the Outside interface and break down the data/source in realtime via ASDM. Half the problem is first identifying the best place to monitor the data.


 
PostPosted: Mon Aug 01, 2011 9:34 am 
Offline
New Member
New Member

Joined: Tue Sep 08, 2009 6:46 am
Posts: 7
Location: India
NetFlow is the best but, yes, NetFlow export from Cisco ASA is not real-time. ASA NetFlow known as NSEL (NetFlow Secure Event Logging) is based on events triggered on the ASA.

Enabling NetFlow is not going to bug your firewall. I have had many customers use NetFlow from Cisco ASA with the NetFlow monitoring product I am a part of. I never came across an issue of CPU or memory shoot-ups on the ASA due to enabling NetFlow. So, it's safe. And since it's the ASA, get a free version of some NetFlow software. My product's free edition can monitor 2 interfaces with all features including data storage. The product is ManageEngine NetFlow Analyzer.

Regards,
Don Thomas


 
PostPosted: Mon Aug 01, 2011 9:56 am 
Offline
Senior Member
Senior Member
User avatar

Joined: Mon May 30, 2011 1:51 pm
Posts: 387
Location: AR, USA
Certs: ccna, ccna security, ccna voice, ccnp, ccip
the only way you are going to get "realtime" is to put in a tap or SPAN off a switch and use NTOP as the traffic flows, not as a netflow probe....

and still that has to refresh the webpage to show you "top talkers" just like if you were using a more pricey Netscout with nGenius frontend...

or tap with wireshark (tshark) or cace pilot server...

netflow, ipfix, sflow is always going to have to tax the router/switch/firewall under question and have to collect and dump to the collecting station...

_________________
"With sufficient thrust, pigs fly just fine..." - RFC 1925


 
PostPosted: Mon Aug 01, 2011 10:16 am 
Offline
Senior Member
Senior Member
User avatar

Joined: Mon May 30, 2011 1:51 pm
Posts: 387
Location: AR, USA
Certs: ccna, ccna security, ccna voice, ccnp, ccip
http://www.netoptics.com/sites/default/files/Data.pdf

_________________
"With sufficient thrust, pigs fly just fine..." - RFC 1925


 
PostPosted: Wed Sep 28, 2011 3:13 am 
Offline
New Member
New Member
User avatar

Joined: Fri Sep 23, 2011 1:49 am
Posts: 12
Thank you very much for sharing that information, I also want to monitor real time traffic as well.


 
PostPosted: Sun Oct 30, 2011 12:37 am 
Offline
CCIE #24973
CCIE #24973
User avatar

Joined: Fri Mar 02, 2007 5:18 am
Posts: 196
Location: Bahrain
Certs: CCNP,CCSP,CCIE (R&S)#24973
You can set up "Cacti" along with the Realtime plugin.

_________________
"Nothing Is Limited, Except Our Understanding To The Universe"


 
PostPosted: Fri Nov 04, 2011 9:34 pm 
Offline
Post Whore
Post Whore

Joined: Sat Jun 07, 2008 11:06 am
Posts: 2553
Location: Grand Rapids, MI
Certs: CCNP, CCDP
Remember that at any given moment, a link is either 100% utilized, or 0% utilized, since it's a digital signal.


 
PostPosted: Wed Nov 23, 2011 6:29 am 
Offline
New Member
New Member

Joined: Tue Jul 19, 2011 8:47 am
Posts: 38
Anybody using SNMP to monitor their ASA and are there any security implications to think about?


 
PostPosted: Wed Nov 23, 2011 9:21 am 
Offline
Post Whore
Post Whore
User avatar

Joined: Tue Aug 21, 2007 2:15 pm
Posts: 8303
Location: Frederick MD
Certs: Instanity
sparky wrote:
Anybody using SNMP to monitor their ASA and are there any security implications to think about?



all depends on what version of SNMP you are talking about.

_________________
"If you're good at anticipating the human mind. It leaves nothing to chance."
-Jigsaw
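
To make the version question raised above concrete, here is an added example (not from any poster) that audits ASA-style `snmp-server` lines and reports every poller or trap target that is not using SNMPv3 with authentication and privacy. The configuration is constructed sample input, and treating a host line without a `version` keyword as SNMPv1 is an assumption about the ASA default.

```python
# Constructed ASA-style snmp-server lines (sample input, not from the thread).
SAMPLE_CONFIG = """\
snmp-server host inside 192.0.2.10 community EXAMPLE-COMMUNITY version 2c
snmp-server host inside 192.0.2.11 poll community EXAMPLE-COMMUNITY
snmp-server group MONITOR v3 priv
snmp-server group LEGACY v3 noauth
snmp-server user nms MONITOR v3 auth sha EXAMPLE-AUTH priv aes 128 EXAMPLE-PRIV
snmp-server user old LEGACY v3
snmp-server host inside 192.0.2.20 version 3 nms
snmp-server host inside 192.0.2.21 version 3 old
"""


def audit_snmp(config):
    """Return (host, issue) for each SNMP host entry weaker than v3 authPriv."""
    rows = [ln.split() for ln in config.splitlines()
            if ln.startswith("snmp-server ")]
    groups, users = {}, {}
    for t in rows:
        if t[1:2] == ["group"] and len(t) >= 5 and t[3] == "v3":
            groups[t[2]] = t[4]        # group name -> noauth | auth | priv
        elif t[1:2] == ["user"] and len(t) >= 5 and t[4] == "v3":
            users[t[2]] = t[3]         # user name -> group name
    findings = []
    for t in rows:
        if t[1:2] != ["host"] or len(t) < 4:
            continue
        host, rest = t[3], t[4:]
        if "version" in rest[:-1]:
            i = rest.index("version")
            version = rest[i + 1]
        else:
            version = "1"              # assumption: no keyword means SNMPv1
        if version != "3":
            findings.append(
                (host, f"SNMPv{version}: community and data sent in cleartext"))
            continue
        user = rest[i + 2] if i + 2 < len(rest) else None
        level = groups.get(users.get(user))
        if level != "priv":
            findings.append(
                (host, f"SNMPv3 user {user!r} is not authPriv (level: {level})"))
    return findings


if __name__ == "__main__":
    for host, issue in audit_snmp(SAMPLE_CONFIG):
        print(f"{host}: {issue}")
```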


 
PostPosted: Sat Feb 11, 2012 2:25 am 
Offline
Member
Member

Joined: Sat Mar 26, 2011 10:42 pm
Posts: 133
bakergarry wrote:
the only way you are going to get "realtime" is to put in a tap or SPAN off a switch and use NTOP as the traffic flows, not as a netflow probe....


 
PostPosted: Thu Mar 22, 2012 4:47 am 
Offline
Junior Member
Junior Member

Joined: Tue Mar 20, 2012 6:39 pm
Posts: 76
Certs: CCNA, CCNA Security, FIREWALL v2.0
How about using a proxy server? There is some pretty good software out there that will allow you to see real time traffic, routing through the proxy.


 
PostPosted: Fri Mar 23, 2012 1:17 am 
Offline
New Member
New Member

Joined: Wed Aug 24, 2011 4:11 pm
Posts: 30
Certs: CCENT,Network+
I would also like to know the answer to this. Does anyone know if there is a tool like torch on RouterBoard? http://i294.photobucket.com/albums/mm90 ... torch2.jpg

Thanks for all the info above as well!

