Cisco Firepower Management Center 4000
16-4
FireSIGHT System User Guide
Chapter 16 Working with Connection & Security Intelligence Data
Understanding Connection Data
Each connection summary includes total traffic statistics, as well as the number of connections in the
summary. Because NetFlow-enabled devices generate unidirectional connections, a summary’s
connection count is incremented by two for every connection based on NetFlow data.
Note that connection summaries do not contain all of the information associated with the summaries’
aggregated connections. For example, because client information is not used to aggregate connections
into connection summaries, summaries do not contain client information.
For more information, see the following sections:
• Long-Running Connections
• Combined Connection Summaries from External Responders
• Connection and Security Intelligence Data Fields
Long-Running Connections
License: Any
If a monitored session spans two or more five-minute intervals over which connection data is aggregated,
the connection is considered a long-running connection. When calculating the number of connections in
a connection summary, the system increments the count only for the five-minute interval in which a
long-running connection was initiated.
Also, when calculating the number of packets and bytes transmitted by the initiator and responder in a
long-running connection, the system does not report the number of packets and bytes that were actually
transmitted during each five-minute interval. Instead, the system assumes a constant rate of transmission
and calculates estimated figures based on the total number of packets and bytes transmitted, the length
of the connection, and what portion of the connection occurred during each five-minute interval.
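The two counting rules described above (a NetFlow-based connection adds two to the count of its initiating interval, and a long-running connection is counted only in the interval in which it was initiated, with its bytes and packets spread across intervals at an assumed constant rate) can be reproduced in a few lines. The following is an added illustration, not code from the FireSIGHT System; the five-minute interval comes from the guide, while the data classes, the cumulative-rounding apportionment and the sample connections are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

INTERVAL = timedelta(minutes=5)  # aggregation interval described in the guide


@dataclass
class Connection:
    """One monitored session (constructed for the example)."""
    start: datetime
    end: datetime
    initiator_bytes: int
    responder_bytes: int
    initiator_packets: int
    responder_packets: int
    from_netflow: bool = False  # NetFlow records are unidirectional


@dataclass
class Summary:
    """Per-interval totals, mirroring the fields a connection summary carries."""
    connections: int = 0
    initiator_bytes: int = 0
    responder_bytes: int = 0
    initiator_packets: int = 0
    responder_packets: int = 0


def interval_start(t: datetime) -> datetime:
    """Floor a timestamp to the start of its five-minute interval."""
    return t.replace(minute=t.minute - t.minute % 5, second=0, microsecond=0)


def apportion(total: int, fractions: list[float]) -> list[int]:
    """Split `total` across intervals in proportion to `fractions`.
    Cumulative rounding (an assumption of this example) keeps the parts
    integral while guaranteeing they sum exactly to `total`."""
    parts, allocated, cumulative = [], 0, 0.0
    for f in fractions:
        cumulative += f
        target = round(total * cumulative)
        parts.append(target - allocated)
        allocated = target
    return parts


def summarize(connections: list[Connection]) -> dict[datetime, Summary]:
    """Aggregate connections into five-minute summaries keyed by interval start."""
    summaries: dict[datetime, Summary] = {}
    for c in connections:
        first = interval_start(c.start)
        duration = c.end - c.start

        # The connection count is incremented only in the interval in which the
        # connection was initiated; a NetFlow-based connection counts twice.
        summaries.setdefault(first, Summary()).connections += 2 if c.from_netflow else 1

        # Portion of the connection's lifetime that falls in each interval it
        # overlaps; a constant transmission rate is assumed, as the guide states.
        if duration <= timedelta(0):
            intervals, fractions = [first], [1.0]
        else:
            intervals, fractions = [], []
            iv = first
            while iv < c.end:
                overlap = min(c.end, iv + INTERVAL) - max(c.start, iv)
                intervals.append(iv)
                fractions.append(overlap / duration)
                iv += INTERVAL

        for name in ("initiator_bytes", "responder_bytes",
                     "initiator_packets", "responder_packets"):
            for iv, part in zip(intervals, apportion(getattr(c, name), fractions)):
                s = summaries.setdefault(iv, Summary())
                setattr(s, name, getattr(s, name) + part)
    return summaries


if __name__ == "__main__":
    # Constructed sample: a 15-minute session crossing four intervals, plus a
    # one-minute NetFlow-derived connection.
    sample = [
        Connection(datetime(2024, 1, 1, 10, 2), datetime(2024, 1, 1, 10, 17), 3000, 1500, 300, 150),
        Connection(datetime(2024, 1, 1, 10, 6), datetime(2024, 1, 1, 10, 7), 100, 0, 10, 0, from_netflow=True),
    ]
    for start, summary in sorted(summarize(sample).items()):
        print(start.strftime("%H:%M"), summary)
```

Running the sample shows the 10:00 interval with a count of 1 and only the first three minutes' share of the traffic, the 10:05 interval with a count of 2 (the NetFlow connection alone), and the 10:15 interval with a count of 0 even though the long-running session was still transmitting there.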
Combined Connection Summaries from External Responders
License: Any
To reduce the space required to store connection data and speed up the rendering of connection graphs,
the system combines connection summaries when:
• one of the hosts involved in the connection is not on your monitored network
• other than the IP address of the external host, the connections in the summaries meet the aggregation criteria (protocol, application protocol, detecting device, and so on)
When viewing connection summaries in the event viewer and when working with connection graphs, the system displays external instead of an IP address for the non-monitored hosts.
As a consequence of this aggregation, if you attempt to drill down to the table view of connection data
(that is, access data on individual connections) from a connection summary or graph that involves an
external responder, the table view contains no information.
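The combining rule and its consequence for drill-down can be shown with a small aggregation model. This is an added example, not FireSIGHT code: the monitored networks, the field names, the sample connections and the `drill_down` helper are all assumptions constructed to illustrate the text, and the key fields (protocol, application protocol, detecting device) are the ones the guide names.

```python
import ipaddress
from collections import defaultdict

# Assumed monitored address space; in the real system this comes from the
# network discovery policy.
MONITORED = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]


def is_monitored(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in MONITORED)


def summary_key(conn: dict) -> tuple:
    """Aggregation key for a connection. A host outside the monitored network
    is replaced by the literal 'external', so connections to many different
    external responders that otherwise match collapse into one summary."""
    initiator = conn["initiator_ip"] if is_monitored(conn["initiator_ip"]) else "external"
    responder = conn["responder_ip"] if is_monitored(conn["responder_ip"]) else "external"
    return (initiator, responder, conn["protocol"], conn["app_protocol"], conn["device"])


def combine(connections: list[dict]) -> dict[tuple, dict]:
    """Build combined summaries: connection count and byte totals per key."""
    summaries: dict[tuple, dict] = defaultdict(lambda: {"connections": 0, "bytes": 0})
    for c in connections:
        s = summaries[summary_key(c)]
        s["connections"] += 1
        s["bytes"] += c["bytes"]
    return dict(summaries)


def drill_down(key: tuple, connections: list[dict]) -> list[dict]:
    """Model of the table view reached from a summary. Once an external host's
    address has been replaced by 'external' it is no longer stored, so the
    individual connections cannot be recovered and the result is empty."""
    if "external" in key:
        return []
    return [c for c in connections if summary_key(c) == key]


# Constructed sample: one internal client talking to three different external
# web servers (documentation-range addresses), plus one internal-only session.
SAMPLE = [
    {"initiator_ip": "10.1.1.5", "responder_ip": "198.51.100.7", "protocol": "TCP",
     "app_protocol": "HTTP", "device": "sensor-1", "bytes": 1200},
    {"initiator_ip": "10.1.1.5", "responder_ip": "203.0.113.9", "protocol": "TCP",
     "app_protocol": "HTTP", "device": "sensor-1", "bytes": 800},
    {"initiator_ip": "10.1.1.5", "responder_ip": "192.0.2.44", "protocol": "TCP",
     "app_protocol": "HTTP", "device": "sensor-1", "bytes": 500},
    {"initiator_ip": "10.1.1.5", "responder_ip": "10.2.2.8", "protocol": "TCP",
     "app_protocol": "SSH", "device": "sensor-1", "bytes": 300},
]

if __name__ == "__main__":
    for key, summary in combine(SAMPLE).items():
        print(key, summary, "drill-down rows:", len(drill_down(key, SAMPLE)))
```

With the sample, the three HTTP connections produce a single summary keyed on `("10.1.1.5", "external", "TCP", "HTTP", "sensor-1")` with a count of 3, and drilling down from it yields no rows, while the internal SSH summary still resolves to its one connection.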
Connection and Security Intelligence Data Fields
License: feature dependent
Supported Devices: Series 3, Virtual, X-Series, ASA FirePOWER
Supported Defense Centers: Any except DC500