Firewall Traffic Flow Analysis

Firewall traffic flow analysis (TFA) gives you detailed data on broad, permissive rules in a firewall policy. Security Manager records hit counts on the “Any” object or on large network objects and identifies the specific source and destination IP addresses, and the service names, protocols and ports, that actually matched. You can also view the flow for an entire rule, for visibility into the traffic patterns passing through a generic rule.

You can do the following with TFA:

  • Reduce or eliminate the use of the 'Any' object by replacing it with more targeted objects, such as networks and hosts.
  • Split large or complicated rules into smaller rules that are easier to maintain and that perform better.
  • Reorganize rules so that traffic is dropped higher in the rule base.

Before you use TFA, note the following:

  • Because each rule can generate a large amount of data, this information is not collected automatically. You must enable TFA for each rule for which you want detailed traffic data. You can then run the report on the source, destination or service column in which the object appears, or on the whole rule that includes the 'Any' object.
  • TFA is available only for devices with normalized configurations.
  • Make sure that logging is turned on for these devices. In most cases, logging is configured when a device is added to Security Manager; see the device setup instructions in the Administrator User's Guide for logging configuration.
  • For MSSPs: analysis can be captured only at the enterprise domain level, and you can create a TFA profile only in Enterprise.

Terms

Flow Profile—a set of common tuples (source, destination, service and application). All the traffic monitored can be broken into flows that can be used to create more refined rules in a policy.
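The following script is an added example and is not Security Manager's own code; it shows what a flow profile is made of and how it feeds the rule refinements listed above. It reads constructed log records in a simplified key=value syslog style (not any vendor's real log format), counts hits per (source, destination, service) tuple for one permissive rule, and proposes one narrower rule per service, ordered by hit count. The application element of the tuple is omitted here because the constructed records carry none. The rule name ALLOW-ANY, the record fields and the min_hits parameter are all assumptions of the example.

```python
"""Build a flow profile from firewall log hits on a permissive rule and
propose narrower replacement rules (added example, not FireMon code)."""
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample records (not real device output). Every ALLOW-ANY line
# was matched by one rule whose source, destination and service are all Any.
SAMPLE_LOG = """\
rule=ALLOW-ANY action=allow src=10.1.1.10 dst=192.168.50.5 proto=tcp dport=443
rule=ALLOW-ANY action=allow src=10.1.1.11 dst=192.168.50.5 proto=tcp dport=443
rule=ALLOW-ANY action=allow src=10.1.1.10 dst=192.168.50.5 proto=tcp dport=443
rule=ALLOW-ANY action=allow src=10.1.1.12 dst=192.168.50.9 proto=udp dport=53
rule=ALLOW-ANY action=allow src=10.1.2.200 dst=192.168.50.9 proto=udp dport=53
rule=DENY-ALL action=deny src=172.16.0.4 dst=192.168.50.5 proto=tcp dport=22
this line is not a firewall record
"""


def parse_line(line):
    """Return a dict with rule, src, dst and service for a well-formed
    record, or None for anything malformed. Addresses are validated but
    kept as strings so the flow tuples stay hashable and printable."""
    fields = {}
    for token in line.split():
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    try:
        return {
            "rule": fields["rule"],
            "src": str(ip_address(fields["src"])),
            "dst": str(ip_address(fields["dst"])),
            "service": f"{fields['proto']}/{int(fields['dport'])}",
        }
    except (KeyError, ValueError):
        return None  # skip silently: never guess fields for a broken record


def aggregate_flows(log_text, rule_name):
    """The flow profile: hit count per (src, dst, service) tuple that was
    matched by rule_name. Records for other rules are ignored."""
    flows = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["rule"] == rule_name:
            flows[(rec["src"], rec["dst"], rec["service"])] += 1
    return flows


def smallest_covering_network(addrs):
    """Tightest single CIDR that contains every address: a candidate network
    object to put in place of Any. Widen a /32 one bit at a time."""
    hosts = [ip_address(a) for a in addrs]
    net = ip_network(str(hosts[0]))
    while not all(h in net for h in hosts):
        net = net.supernet()
    return net


def propose_rules(flows, min_hits=1):
    """Turn a flow profile into one narrower rule per service. Rules come
    back sorted by hit count so the busiest traffic can sit highest in the
    rule base. Flows with fewer than min_hits hits are left out, which is
    only safe if the observation window covered all legitimate traffic."""
    per_service = {}
    for (src, dst, service), hits in flows.items():
        if hits < min_hits:
            continue
        entry = per_service.setdefault(
            service, {"sources": set(), "destinations": set(), "hits": 0})
        entry["sources"].add(src)
        entry["destinations"].add(dst)
        entry["hits"] += hits
    proposals = []
    for service, entry in sorted(per_service.items(),
                                 key=lambda kv: -kv[1]["hits"]):
        proposals.append({
            "service": service,
            "source": str(smallest_covering_network(entry["sources"])),
            "destination": str(smallest_covering_network(entry["destinations"])),
            "hosts_seen": len(entry["sources"]),
            "hits": entry["hits"],
        })
    return proposals


if __name__ == "__main__":
    profile = aggregate_flows(SAMPLE_LOG, "ALLOW-ANY")
    for flow, hits in profile.most_common():
        print(f"{hits:4d}  {flow}")
    for rule in propose_rules(profile):
        print(rule)
```

Two caveats before acting on output like this. The covering network is only a starting point: two hosts in distant subnets collapse to a wide prefix (10.1.1.12 and 10.1.2.200 become 10.1.0.0/22 above), and in that case separate host objects are the safer replacement. And a flow that never appeared during the capture window is not proof that it is unused; infrequent but legitimate traffic such as quarterly batch jobs will be missing, so check the window length against the environment before a rule is narrowed or dropped.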

Traffic Flow Analysis Widgets

The following widgets appear on the Traffic Flow Analysis Overview.

  • Flow Profile Status—a bar graph that displays the number of active and inactive traffic flow profiles.
  • Disk Space Usage for Flow Profile Data Files—a bar graph that displays the total disk space usage of both active and inactive traffic flow profiles.
  • Flow Profiles With Largest Data Files (Top 5)—a table that ranks flow profiles by the size of their data file, largest first. Has a menu of actions that can be performed from the widget.
  • Oldest Inactive Data Flows (Top 5)—a table that ranks inactive data flows by age, oldest first. Has a menu of actions that can be performed from the widget.