06-25-2016 04:56 AM
Hello,
I am trying to identify long-lived sessions on my firewall; I mean those session(s) that never end for weeks at a time.
This is what I found out so far.
1. I can't export the whole session log to perform offline analysis.
2. I did not find anything related to session start time as a filter under show session all filter.
3. ACC will only record when a session is closed, I don't believe ACC will show that session data (session #, packets used, bytes used) until the session is ended.
Any suggestions?
Thanks in advance,
E
06-25-2016 08:25 AM
I think the session table shows up to 1024 sessions at once.
If you don't have too many sessions then you could export from cli.
show session all start-at 1
show session all start-at 1025
etc
By the way ACC data comes directly from dataplane and it does not matter if sec policy has "log at session start" and "log at session end" checked - ACC still shows everything. ACC is not real time - it has 15 min delay.
06-25-2016 10:51 AM - edited 06-25-2016 10:53 AM
Raido,
I thought about that, but the firewall has about 1 million active sessions +/- 250k at any given time. I was trying to look up how ACC works; do you have a link to a techdoc? For sure, I am seeing that long-lived sessions do not show up on ACC until the session is closed.
-E
06-26-2016 10:50 PM
How about using a custom report?
If you select 'traffic log' (detailed log, not summary database), you can use one column named 'elapsed time (sec)'.
06-27-2016 03:33 AM
In this case all security policies should have "log at session start", which is not the default.
It is a nice option, but it writes a lot more logs and the log retention period is shorter.
06-27-2016 07:00 AM
I will need to try the custom report. Thanks for the tips.
05-10-2023 12:42 PM
How about using the XML API calls on the firewall and filtering by min-age?
604800 seconds is a week.
/api/?type=op&cmd=<show><session><all><filter><min-age>604800</min-age></filter></all></session></show>
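The min-age call from the last reply, as an added example that is not part of the original thread: it URL-encodes the op command and lists the returned sessions oldest first. The hostname `fw.example.com`, the response element names (`entry`, `idx`, `start-time` and so on) and the ctime-style timestamp are assumptions to verify against your PAN-OS version; the sample response is constructed.

```python
import xml.etree.ElementTree as ET
from datetime import datetime
from urllib.parse import urlencode

WEEK = 604800  # seconds, the min-age value used in the post above


def build_url(host, min_age=WEEK):
    """Return the op-command URL from the post with cmd properly URL-encoded."""
    cmd = ("<show><session><all><filter><min-age>%d</min-age>"
           "</filter></all></session></show>" % int(min_age))
    return "https://%s/api/?%s" % (host, urlencode({"type": "op", "cmd": cmd}))


def parse_sessions(xml_text, now):
    """Return sessions as dicts, oldest first, with age_days added.

    Assumed layout: <response status="success"><result><entry>... where each
    entry has a <start-time> child in ctime format.
    """
    root = ET.fromstring(xml_text)
    if root.get("status") != "success":
        raise ValueError("API call failed: status=%r" % root.get("status"))
    sessions = []
    for entry in root.iterfind("./result/entry"):
        s = {child.tag: (child.text or "").strip() for child in entry}
        started = datetime.strptime(s["start-time"], "%a %b %d %H:%M:%S %Y")
        s["age_days"] = (now - started).days
        sessions.append(s)
    return sorted(sessions, key=lambda s: s["age_days"], reverse=True)


# Constructed sample response (not captured from a real firewall).
SAMPLE = """<response status="success"><result>
<entry><idx>1001</idx><source>10.0.0.5</source><dst>192.0.2.10</dst>
<dport>22</dport><application>ssh</application>
<start-time>Mon May  1 09:00:00 2023</start-time></entry>
<entry><idx>2002</idx><source>10.0.0.9</source><dst>198.51.100.7</dst>
<dport>443</dport><application>ssl</application>
<start-time>Sat Apr 15 12:30:00 2023</start-time></entry>
</result></response>"""

if __name__ == "__main__":
    print(build_url("fw.example.com"))  # hypothetical hostname
    for s in parse_sessions(SAMPLE, now=datetime(2023, 5, 10, 12, 42)):
        print(s["idx"], s["source"], s["dst"], s["application"], s["age_days"])
```

Because the filter runs on the firewall, only sessions older than the threshold come back, which sidesteps paging through a table of about a million entries.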