How to monitor an endpoint for service/port traffic?
Hello,
I was wondering how we would go about this. I have a client that I am auditing outbound traffic for (I am creating a security policy to prevent unapproved outbound traffic).
I would like to start by analyzing the outbound traffic and see what is currently being used. I can kind of do this by going to monitor→Traffic Statistics→Traffic Statistics. However, that only shows the top 20 and not all traffic that is outgoing. It also doesn't show what particular system this is tied to.
I know I can create a security policy and then log/log alert that policy. I need something more intuitive.
At the end of the day I am trying to monitor an endpoint to see all the outbound traffic on that device.
All Replies
Even if there was a 24hr monitor and then you made rules to allow the traffic, you could be allowing something you don't need to allow.
What I do is just block everything LAN to WAN, then start allowing ports, IP subnets or FQDNs, then look in the log for blocked traffic to see if it's needed for something that isn't working.
What you might like is this idea: on a given PC, link to the firewall, giving you app-level-like control.
Since this is a client (we are an MSP), I cannot create "trouble" for them by blocking ports randomly. I need some way to have a log of all the traffic from the endpoints so I can analyze the traffic and then update my LAN to WAN rule (I already have a rule in place for this, but I am trying to see if some of the older allowed services are still in use).
I guess you can have a LAN to WAN log alert on allow, then you get an email, or you packet capture with the number of bytes to capture set to, say, 100, then load Wireshark and view outgoing traffic with port TCP or UDP to know what to allow.
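Following the capture-then-Wireshark suggestion above, an added example (not from this thread, Zyxel, or any of the posters) of what to do with the captured flows: it parses a constructed flow export (field layout assumed: epoch time, protocol, source IP, destination IP, destination port, bytes), builds a per-endpoint inventory of outbound proto/port usage, and compares it against a constructed allow list to show which allowed services are no longer seen and which observed services the current LAN-to-WAN rule does not cover.

```python
from collections import defaultdict

# Constructed sample: one line per outbound flow as a capture tool might export it
# (assumed fields: epoch time, protocol, source IP, destination IP, destination port, bytes).
# Hypothetical data, not taken from any real capture.
CAPTURE_EXPORT = """\
1700000000 tcp 192.168.1.10 203.0.113.5 443 5120
1700000003 tcp 192.168.1.10 203.0.113.5 443 880
1700000007 udp 192.168.1.10 198.51.100.1 53 120
1700000012 tcp 192.168.1.20 198.51.100.7 25 2048
1700000020 tcp 192.168.1.10 203.0.113.9 8443 640
1700000031 udp 192.168.1.20 198.51.100.1 123 76
"""

# Services the existing LAN-to-WAN rule already allows (constructed, not a real client's list).
ALLOWED = {("tcp", 443), ("tcp", 80), ("udp", 53), ("tcp", 25), ("tcp", 21)}

def parse_flows(text):
    """Parse whitespace-separated flow lines into dicts; malformed lines are skipped."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue
        ts, proto, src, dst, dport, nbytes = parts
        try:
            flows.append({"ts": int(ts), "proto": proto.lower(), "src": src,
                          "dst": dst, "dport": int(dport), "bytes": int(nbytes)})
        except ValueError:
            continue
    return flows

def inventory(flows):
    """Per source host: (proto, dport) -> flow count, total bytes, distinct destinations."""
    inv = defaultdict(lambda: defaultdict(lambda: {"flows": 0, "bytes": 0, "dsts": set()}))
    for f in flows:
        entry = inv[f["src"]][(f["proto"], f["dport"])]
        entry["flows"] += 1
        entry["bytes"] += f["bytes"]
        entry["dsts"].add(f["dst"])
    return inv

def review_allow_list(inv, allowed):
    """Return (allowed services never observed, observed services not in the allow list)."""
    observed = {svc for host in inv.values() for svc in host}
    return sorted(allowed - observed), sorted(observed - allowed)

if __name__ == "__main__":
    inv = inventory(parse_flows(CAPTURE_EXPORT))
    for host, services in sorted(inv.items()):
        for (proto, port), e in sorted(services.items()):
            print(f"{host} {proto}/{port}: {e['flows']} flows, {e['bytes']} bytes, {len(e['dsts'])} dst(s)")
    unused, unapproved = review_allow_list(inv, ALLOWED)
    print("allowed but unused:", unused)
    print("observed but not allowed:", unapproved)
```

A short capture only proves what was used during the capture window; services that run weekly or monthly will show up as "unused" unless the window covers them.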
I appreciate your suggestions PeterUK, but I am looking for something more definitive.
For instance, it would be great to be able to set up a "rule" to monitor all traffic from a device at the firewall level. It seems kind of insane to me that something called a "Security Appliance" doesn't have this kind of capability.
I mean I have created a security policy with log alert to do this in the past, but that isn't a good option just to get traffic information from an endpoint.
Not sure if Nebula might have the answer.
But depending on what traffic is needed, you can be faced with apps that go full port range, or even an app that has a fixed source port and a random destination port, which no USG model supports for a firewall rule to allow a given source port to any destination port.
Hi @lytespeed,
Nebula supports checking a client's applications on the client page.
Not sure if this meets your requirement. If you're interested, you can visit Nebula with a demo account when logging in.
Zyxel Melen