Firewall Monitoring


SevOne has the unique capability to create thresholds and monitor aspects of firewalls such as bandwidth, connection setups, VPN users, etc. Join Dave Hegenbarth, SE Director of Global Strategic Alliances, as he discusses these topics further in this in-depth firewall monitoring demo.


All right, welcome, everyone, to this week’s Demo with Dave. This week, we’re talking about Firewall and Internet Monitoring. I’ll pass it over to you, Dave. Take it away.

All right, good morning, good afternoon, wherever you may be in the world. Thank you for joining Demo with Dave. If you’ve never joined one of these before, we try to keep this a very informal demo. I’d ask that you keep the background noise down, and we’ll move forward with that.

Hopefully, everybody can see my screen that says Demo with Dave. It’d be a good place to start. If you can’t see it, it’ll be a strange and boring conversation, I think. With that, I will get started.

I want to set the stage here just a little bit. This is a live demo, but I do have 2 or 3 slides here. One of the things I would like to point out this morning is the SevOne advantage, and there are a lot of different advantages to the SevOne product in terms of Internet, Firewall, Server, all kinds of different monitoring. That advantage is that it’s an appliance and it ships ready to go. That really cuts down on the number of people that you would need to maintain a performance management system and allows you to concentrate on monitoring the performance of your Internet or your devices.

The architecture is key. All of our appliances are both a poller and a reporter, and this is very different from a lot of architectures in the marketplace today. All those pollers and reporters peer together in what we call clusters. Whether you have 1 box or 2 boxes or 3 boxes, you get that same single GUI interface. The nice thing is you can start very small and you can end up very large, and it’s very seamless. No loss of data. Very easy to add on capacity. That’s a little bit about the technology.

The other piece of it is what we do when we’re performance monitoring for a number of different technologies. Not just SNMP and ICMP, which is where we started in the old days, but we’ve added to that the ability to do server monitoring via Windows WMI, or virtual monitoring via the VMware APIs and VirtualCenter. We collect flow statistics from NetFlow and J-Flow, and we’ll see some of that in today’s demo. We also have the ability to do voice monitoring. Lastly, over on the very right of my slide, 3rd Party Monitoring. We do have the ability to bring in data from other performance management systems and other types of statistical data to produce graphs and charts and fun things like that.

The product was built with an Open API, ships with the Open API, and that gives you the ability to programmatically attach to other things; maybe service management or portals or fault management. It extends the capabilities of SevOne and also makes the management and configuration of SevOne easier. You may use the API to attach to a config management center, and when you add or provision a particular device, it also gets automatically provisioned in SevOne.

Lastly, what do we do best? We generate reports and alerts and tell you what’s going on. We are excited. We announced and have launched a mobile app both for Android and for iOS, so you can use SevOne wherever you go.

Lastly, the shameless marketing plug, but this is really here to show you some of the companies we work with, also the verticals; so across Telecom & MSP, finance and banking, media, and retail. They all have these needs in common. Those needs are that they need to be able to see the performance of the devices in their network, from servers and switches to firewalls and things like that. Really, a lot of different people across a lot of different verticals needing performance and statistical information about their environment.

With that, that’s the beginning of Demo with Dave. I am going to cut over, as I said, to a live demo. The conversation today is about Internet and Firewall Monitoring. I’m going to start with the dashboard because it’s a good place to begin, and then we can back up to how this dashboard came to be and some of the other navigation tools within the SevOne product.

I’ve built this dashboard to understand the performance of my main firewall. All of my users go through that particular firewall to get to the Internet; regardless of what site they are at, they come through corporate and they hit the corporate Internet and go out. SevOne has the ability to create thresholds and monitor any number of different statistics about a firewall, and you’re going to see some of the statistics that I chose to monitor today, from bandwidth, connection setup, VPN users, CPU, memory, disk, because those are always the basics. All of those things can be monitored and thresholded, and then we can alert on them.

This is a composite of the health of my firewall, based on the fact that a different threshold is set for different things like connections or VPN. What you can see here, actually, if you read it almost backwards, is there are 73 different objects, 73 different metrics I’m monitoring about this particular firewall. Over the period of time which we have listed out today, we’ll see that 2 of those objects have had an issue. A little later, I’ll show you a little more about those, but I won’t deviate from this particular dashboard just yet.

What I can see is that none of it’s red, so it’s not critical; but there’s some performance things that I might want to look into and we’ll take a look at that in a second.

Basic monitoring: hey, we probably want to know the traffic in terms of percentage headed towards the Internet, right? If the Internet pipe is full, obviously, people are going to complain. Some things about this graph: first of all, you’ll notice that I’m monitoring the Internet here at a 10-second interval. That’s very, very granular polling of this particular object, which is my total bytes. I want to know almost in real time, right, 10 seconds behind, the performance or bandwidth consumption of the Internet.

Another thing to note about this is we have this big spike happen late in the day here. We have a smaller faded line here that’s blocky and dashed. What that is, is that’s actually our baseline. I’m monitoring my traffic against my baseline or understanding of normal. SevOne provides a baseline for everything we monitor. You can choose to turn it on or turn it off visually; but for everything we monitor, whether it’s in-bytes, out-bytes, CPU, memory utilization, whatever it is, we create a rolling 10-week baseline such that we can show you what normal is.

You can see here whatever the spike was at 1:00 am Eastern Time or so; you can see that it’s well above what it normally is for that given time. The other thing I should mention about baselines is they’re in 15-minute granularity. What I mean by that is the baseline tracks a particular indicator from Monday at 8:00 to 8:15. 8:15 to 8:30 is a different value that we track over a 10-week basis. It’s also different from Tuesday at 8:00 to 8:15 and 8:15 to 8:30. At 15-minute granularity throughout a 7-day week, we monitor normal performance of anything that you put in the system.

I’m looking at bandwidth here and we see we had a spike up to about 47%. We have our normal. This is basically as current as almost right now. Actually, what I will do for you is refresh this dashboard and we’ll see that the time on here changes from 10:51 to 11:12. The other thing to realize is how fast we’ve drawn all these graphs that you’ve seen. We have a very fast, easy-to-use graphing engine.

In the next graph over, I’m actually watching sustained TCP connections through my firewall. I’ve added a couple more things. I have my actual data. The dashed line right through here is our baseline. Then the shaded area represents what 3 standard deviations off of normal would look like.

One of the reasons we show this is we also can set alerts based on this, and you want to see: would I or would I not get an alert if I have, fill in the blank, 1 standard deviation, 2 standard deviations, 3 standard deviations off baseline. We’ll see here, if I had set a threshold that said whenever my sustained TCP connections on my firewall are more than 3 standard deviations off of normal, I would like an alert. What we see here is that most of the day, so far today, we would be well within the 3 standard deviations, the high mark being here and the low mark being here.

We’ll see at one point, looks like right around 2:58 Eastern Standard Time this morning, I had a spike that was well above the 3 standard deviations. Now, maybe I wanted it on a single spike. Maybe I’d rather have my threshold set up, and we can do this, so that if I have sustained connections over a sustained period of time, 30 to 45 minutes, then alert, because maybe I wouldn’t want a single spike to alert me in the middle of the night.

Similarly, I’m looking at TCP connections per second set up. As the initial traffic passes through the firewall, this is the number of connections per second getting set up. Not my sustained ones, where I’m streaming a video, but “I’d like to make a connection to website A, I’d like to make a connection to website B,” as a per-second value.

Again, we’re looking at our baseline and our standard deviations. Setup connections is a very useful metric for understanding when you’re under attack. The very first symptom of an attack, most of the time, if it is inbound, is something trying to set up a connection through your firewall. When it’s an attack, it usually happens very rapidly. Often, the number of setup connection requests goes up dramatically. In this case, you’d want an alert or threshold set where that happens, and it would easily extend beyond the 3-standard-deviation limits. We would look to that as maybe one of the first warnings we could get in terms of an attack. We’ll take a look at the real-time console for alerts as well, but just note that that’s a good metric to do that with.

Then I have some basic health things, right. I want to look at my memory utilization. I’m using 26.14% of the memory in the box. You can see, along with its baseline, that doesn’t really change. It’s how our firewall is configured, and regardless of the traffic going through, or even an increase in traffic, our memory utilization is solid.

I’ve also included here a graph of the 6 CPUs that happen to be in this box. Now, the box we’re looking at is a rather large firewall. This is a Cisco ASA 5580. It has 6 cores in there. We’re looking at its performance, and you can see even at their peak this morning, which probably lined up right with this burst in traffic and also with the burst in volume, connections and volume, we see just a little bit of CPU uptick, but that’s under 1.85%. We’ve got a lot of room to grow in this firewall over time.

The next thing I did was I wanted to take a look at my VPN usage. Who are my users that were setting up and using the most VPN traffic? What we can see, in this case on the 5580, is by session, by employee, the volume of traffic that they’re using. You can see I’ve been doing a little VPN this morning into the network. I have some others there. I’m just stack ranking them by traffic. As you saw before when I refreshed this graph, I can also change time frames. I could say, how about the last week here? What does that look like? We can see our top talker for the last week changes compared to the last day. We can see the days that there is a lot of VPN as well. You have the ability to work with these graphs inside the dashboard.

A couple of other things I added. I probably should’ve put these on top of this. These are the people doing the VPNing. This is simply the VPN session count, and we have really 2 ways in this particular firewall to get in. We have SSL VPN users and we actually have non-SSL, so those traditional IPsec tunnels through this firewall. You’ll see that the SSL VPN graph here has license utilization, so we have x number of capacity or licenses on there. I’m tracking the number of people in terms of licenses against the total license count. You can see here we peaked out at about 38% of our license pool.

Another good thing to do with this is maybe I change it to the last 4 weeks, right. I want to see, over the past month, how close I come to consuming all my licenses. We can see here at 55.8, I’ve peaked over the last month at about half of my license count, so I’m probably good there for a time or a little bit further.

The other thing to do with that one that’s rather unique is we have the ability to bring NetFlow data and our SNMP data all into the same web page. The next couple of graphs I have are actually generated from flows coming from the ASA firewall. The first one is simply a protocol breakdown. In terms of the pie chart, 95% of my traffic was TCP, 2% of my traffic was UDP, and after that it gets really small, down to ICMP. I also have it broken up by the 2 interfaces on the firewall, so I have a very small amount of ICMP from one of the other interfaces.

Just to break down the traffic a little more, about the composition. Remember, at the very top of this graph, we have the volume of the traffic. Down here, we’re breaking that out into who’s doing what. That was the protocol breakdown; we can move into the application breakdown, right. Which applications, by port, are chewing up my bandwidth? We can see here that we have HTTP and HTTPS as our top 2 talkers.

The gray in this particular pie chart represents all the traffic not accounted for in what I specified as my top 10. I really want to see my top 10, but this indicates that 22% of my traffic is missing from this top 10. We can also see that down here. We have total traffic. Then we have remaining traffic, which is just 22%, for a total traffic of 96.96 gigabits I’ve done since 0100 hours today Eastern Standard Time.

Who’s chewing it up? That’s always the fun part too, so I can look and see who’s using this particular set. Now, sometimes, if you’re taking your flows from the outside of the firewall, a lot of times what you’re going to see is your pool address as either the source or the destination. People come through the firewall. They get translated to the public address that you’re using and then passed on. If you take your flows from a router or a firewall and you take them from the outside interface, they’re obviously going to only understand the translated address. A lot of times, what you’ll see is just the pool address on the outside.

In this case we’re seeing both inside and outside interfaces, so we can see who else is consuming our traffic over the time period. Again, this becomes real time, so if we go and refresh this guy, we’ll see 11:12, and we can refresh this graph, and what we’re going to see is that that’s going to become 11:21 now. We’re seeing this in real time. We can always set these graphs to auto-update as well. I could say every x number of seconds, I want to see my flow data, and we can go back and we get that.

Lastly, what I did was I took a flow from our core router, which is what my firewall is connected to. I have the Internet connected to a firewall. I have my firewall rules and all the fun stuff that goes on in the firewall. Then I have that connected to my core switch. The reason I did this was because the flows that we were looking at up here were flows that come from the ASA firewall.

The ASA does not produce true NetFlow v5 or v9. It’s a hybrid. It’s also meant to carry security messages and some other things, whereas my core firewall is running v9. I get much more granular statistics from my core router. Now, I could do this just as easily if I had an edge router that terminated the Internet and then the firewall; I could take flow from that edge router as well. In v9, we get some more fields, so we get our next hop to see which direction we’re going, in this case for coming in. We get protocol, which we had up there before. We do get application port. We also get, if there’s any case to use it, some DSCP markings. The Cisco IOS devices provide a bit more detailed flow than the ASA.

Now, another feature of SevOne is to then bring these reports into PDFs. I have a PDF here. This could be useful for mailing it off to someone who doesn’t have access to the SevOne solution, or it can be good because you can actually schedule these dashboards, so maybe every day or every night, I get my firewall report to see how that day’s performance has been.

Other things we could do: I can actually edit any one of these graphs. Thinking about it now, I probably should’ve done it earlier, but we can actually edit and get some trend information. One of the things we did was we said we want to see our bandwidth or our connections today. We changed the time frame to say I want to see it over the past 7 days, and so we did that and re-graphed to the past 7 days so I can see how that statistic is doing, wondering where that’s trending.

I have the ability to edit these guys very easily, either inside the dashboard or outside of it when creating them, and use the interface to say, “Where am I going?” What I can do is I can say, “You know what? I want to project a trend and I want to project it out the next 30 days.” How many connections per second do I really think I’m going to be at? I’m going to turn these off, which makes the graph a little cleaner, and we’ll rerun.

Here’s my data set. Then here’s a linear projection now across the next 30 days. We can see we’re at about 1.59K right now per second. We’re going to be headed almost downward to 1.23 per second. It’s just a slight trend down. The good news is I don’t have to run out and buy another firewall or whatever. I’m trending in the right direction. This could easily have gone the opposite way and trended up, but fortunately, we’re trending down.

I did mention violating thresholds would result in some alerting and some different ways to look at that. I’m actually going to come into this particular interface here. We can see that I have my ASA firewall. It has been yellow most of the time. What I’ll do, I’m going to refresh this and show you guys how I got here as well. In this case, I’m interested in looking at a device. In this case, my device is my ASA firewall.

I’ll run this report. What we can see is I’ve had a lot of orange and yellow. You can see a timeline of how this week has gone. I have a little moniker up here that says 13 hours, 8 minutes, and 35 seconds. That represents each of these blocks. Then what I can do is I can even break into the firewall and I can see which metrics actually were causing this to have an issue. We see we have an orange bar right here. If we look down through here, we’ll find that there is my orange bar; the outside interface had a little bit of an issue. Then I can click on it and actually go to the alert archives, and I could say, “I hit 75.13, which was greater than 75% over a 15-minute period.” I had one very small spike that actually resulted in this alert tripping.

Then from here, we could even look at that as it was in a graph. I can click on this and get an object summary. Actually, I’d have to go back to this week, this day, to get that. Let me grab that. I’ll do 1 week for this object summary. We should be able to see a spike at some point that triggered that result. Actually, these are specified in traffic volume, so we may not see that exactly, but somewhere in here we had 75% of our bandwidth. We can see it currently if we go all the way back to where we were in the alert summary. You can see that we had a number of different alerts and we can see when they happened over a period of time.

I think we’re heading up towards the end of our time. I want to open it up to questions. I don’t know, Kelly, are our lines muted or are we open?

Every line is open.

Excellent. From there, guys, are there any questions for the last 3, 4 minutes we have? Comments?

Hey, Dave. Dan here. I was just wondering about the multi-vendor support for the dashboard. You used the ASAs. I like the stuff with the VPN, but what about Check Point? Can you do the same thing for Check Point?

Sure. Great question, Dan. The metrics, if they’re available through an SNMP definition or one of the other ways we pull data in, absolutely. You can combine multiple firewalls. Actually, something I probably should’ve shown is that you can even add objects together, so I can have the outside interface of my ASA, plus the outside interface of my Check Point on a different link, plus the outside interface of my Juniper router on a third link. I could actually add those up and say, “For this day, week, month; this is my total Internet usage from my 3 Points of Presence to the Internet.”

That’s a great question. There is multi-vendor support. There also is the ability to bring those together in a dashboard, and even combine metrics to add up into one metric that says this is my total bandwidth consumption. Great question.

Thanks, Dave. I had one follow-up to that. This dashboard, obviously, you guys put some time into it because it really looks pretty good. Do you can this? Is this available to customers as, like, canned things? If you’re a current maintenance customer, do you guys hand that out, like with other products where you’re getting canned reports or dashboard views?

There are some canned reports. They typically ship with a new system. Those reports generally drive off a TopN which gets chained, so we have the ability to take the output of one report and put it into the next. As far as regular maintenance customers, once you have a full deployment, it’s hard to go back and push that in, if you will. There are some ways to ease that burden by, as I said, chaining from something like a TopN and moving down from there.

Thanks, Dave.

Sure. Other questions? All right, guys; thank you very, very much for joining me today with Demo with Dave. I am Dave Hegenbarth. You can reach me at If you have any questions you think of after this, you could send me an email.
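As an added example, not part of the transcript and not SevOne's own code, here is a Python sketch of the baseline-and-threshold idea Dave walks through: a rolling 10-week baseline kept per 15-minute slot across a 7-day week, an alert when a sample is more than 3 standard deviations off that slot's normal, and an optional sustained-duration requirement (his 30 to 45 minute suggestion) so a single spike in the middle of the night does not page anyone. All names (`build_baseline`, `find_violations`, the `normal_connections` profile), the 5-minute history polls, and the injected anomalies are constructed assumptions for the demo; the "today" series is polled at 10-second intervals as in the demo, with a 40-minute plateau at 02:00 and a lone spike at 02:58.

```python
"""Rolling 15-minute-slot baseline with a standard-deviation threshold (added example).

Constructed for illustration; not SevOne's implementation.
"""
import math
import random
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

SLOT_MINUTES = 15
BASELINE_WEEKS = 10


def slot_of(ts):
    """15-minute slot within the week: Monday 00:00-00:15 is slot 0, 00:15-00:30 is slot 1, ..."""
    minutes_into_week = ts.weekday() * 24 * 60 + ts.hour * 60 + ts.minute
    return minutes_into_week // SLOT_MINUTES


def build_baseline(history, now, weeks=BASELINE_WEEKS):
    """history: iterable of (datetime, value). Keep only the last `weeks` weeks before
    `now` and return {slot: (mean, stdev)}, i.e. 'normal' for each slot of the week."""
    cutoff = now - timedelta(weeks=weeks)
    by_slot = defaultdict(list)
    for ts, value in history:
        if cutoff <= ts < now:
            by_slot[slot_of(ts)].append(value)
    return {slot: (mean(vals), pstdev(vals)) for slot, vals in by_slot.items()}


def sigmas_from_normal(baseline, ts, value):
    """Signed distance of `value` from its slot's mean, in standard deviations.
    Returns None when the slot has no baseline yet (e.g. a freshly added device)."""
    stats = baseline.get(slot_of(ts))
    if stats is None:
        return None
    mu, sigma = stats
    if sigma == 0:  # a flat slot: any change at all is infinitely abnormal
        return 0.0 if value == mu else math.copysign(math.inf, value - mu)
    return (value - mu) / sigma


def find_violations(baseline, series, n_sigma=3.0, sustain=timedelta(0)):
    """Return [(start, end, peak)] for each run of consecutive samples that were more
    than n_sigma off normal and lasted at least `sustain` (end - start, so a single
    sample has duration 0). sustain=0 alerts on one spike; 30 min ignores brief spikes."""
    violations = []
    run = None  # (start, end, peak) of the run currently outside the band
    for ts, value in sorted(series):
        dev = sigmas_from_normal(baseline, ts, value)
        if dev is not None and abs(dev) > n_sigma:
            run = (ts, ts, value) if run is None else (run[0], ts, max(run[2], value))
        else:
            if run is not None and run[1] - run[0] >= sustain:
                violations.append(run)
            run = None
    if run is not None and run[1] - run[0] >= sustain:
        violations.append(run)
    return violations


# --- constructed sample data (assumption, not real firewall telemetry) -----------
TODAY = datetime(2024, 6, 4)  # a Tuesday, 00:00


def normal_connections(ts):
    """Constructed 'true' profile: ~1500 sustained TCP connections in business hours
    Mon-Fri, ~1000 otherwise. Constant within any 15-minute slot."""
    business = ts.weekday() < 5 and 8 <= ts.hour < 18
    return 1500 if business else 1000


def constructed_history(seed=1, poll=timedelta(minutes=5)):
    """Ten weeks of 5-minute polls before TODAY, Gaussian noise (sd 20) around the profile."""
    rng = random.Random(seed)
    ts = TODAY - timedelta(weeks=BASELINE_WEEKS)
    while ts < TODAY:
        yield ts, normal_connections(ts) + rng.gauss(0, 20)
        ts += poll


def constructed_today(poll=timedelta(seconds=10)):
    """Four hours of 10-second polls for TODAY with two injected anomalies:
    a +200 plateau from 02:00 to 02:40 and a single +500 spike at exactly 02:58."""
    ts, end = TODAY, TODAY + timedelta(hours=4)
    while ts < end:
        value = normal_connections(ts)
        if timedelta(hours=2) <= ts - TODAY < timedelta(hours=2, minutes=40):
            value += 200
        if ts - TODAY == timedelta(hours=2, minutes=58):
            value += 500
        yield ts, value
        ts += poll


def demo():
    """Run both threshold styles over the constructed data and return their results."""
    baseline = build_baseline(constructed_history(), now=TODAY)
    today = list(constructed_today())
    single_spike = find_violations(baseline, today, n_sigma=3.0)
    sustained = find_violations(baseline, today, n_sigma=3.0, sustain=timedelta(minutes=30))
    return single_spike, sustained


if __name__ == "__main__":
    spikes, sustained = demo()
    print("single-spike alerting:", [(s.time(), e.time(), round(p)) for s, e, p in spikes])
    print("30-minute sustained alerting:", [(s.time(), e.time(), round(p)) for s, e, p in sustained])
```

With `sustain=0` both the 40-minute plateau and the lone 02:58 spike are reported; with `sustain=30 minutes` only the plateau is, which is the trade-off Dave describes between catching the earliest sign of a connection flood and not being woken by a single blip. Because the duration check is taken from sample timestamps, a poller that misses intervals will shorten apparent runs, so in practice gaps in polling should be alerted on separately.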