Welcome to ISAserver.org

Traffic data from the logs, reports and ISP are completely different

Traffic data from the logs, reports and ISP are complet... - 13.Feb.2009 10:01:55 AM   
max_e

 

Posts: 4
Joined: 13.Feb.2009
Status: offline
Hello everyone!

Our customer has ISA 2006 SE. Most of the clients are SecureNAT, but there is a WebProxy filter in place.
The management is worried about internet connection usage so they would like to have some sort of traffic reports - by protocols and by machines.

There are two problems:
1. ISA Reports show only a few megabytes of traffic, although there was probably ten times more of, for example, HTTP traffic according to the logs. The ISP is also reporting a much bigger amount of traffic.
Why can this happen?

2. ISA firewall logs show about 30-40% more traffic than the ISP. I investigated this and found that there are some records with ZERO bytes sent like:
ISASRV  2/11/2009  17:00:46  TCP  z.z.z.z:35234  y.y.y.y:80  z.z.z.z  Terminate  0x80074e24 HTTP  - 0 1807769

These sessions are not logged by the ISP. What do these records mean?


Best Regards,

Max
Post #: 1
RE: Traffic data from the logs, reports and ISP are com... - 13.Feb.2009 11:21:54 AM   
richardhicks

 

Posts: 477
Joined: 20.Jan.2009
From: Southern California
Status: offline
Hi Max,

Is caching enabled?  Perhaps that could explain some of the discrepancy?

_____________________________

Richard Hicks - Forefront MVP
http://tmgblog.richardhicks.com/
http://directaccess.richardhicks.com/

(in reply to max_e)
Post #: 2
RE: Traffic data from the logs, reports and ISP are com... - 14.Feb.2009 12:57:39 PM   
max_e

 

Posts: 4
Joined: 13.Feb.2009
Status: offline
Hi richardhicks,

Yes, caching is enabled. But I thought if there is a record in a Firewall log then the object was not returned from cache. Is that correct?

(in reply to richardhicks)
Post #: 3
RE: Traffic data from the logs, reports and ISP are com... - 14.Feb.2009 1:00:08 PM   
richardhicks

 

Posts: 477
Joined: 20.Jan.2009
From: Southern California
Status: offline
There will be records in your logs for each request made of the ISA firewall, regardless where the request was ultimately served from.  Remember, this is true for requests that are denied as well, as long as you haven't disabled logging for denied requests.

(in reply to max_e)
Post #: 4
RE: Traffic data from the logs, reports and ISP are com... - 16.Feb.2009 2:22:19 AM   
max_e

 

Posts: 4
Joined: 13.Feb.2009
Status: offline
Thanks!
This can explain the difference.
Is there any way not to log the requests returned from the cache?

(in reply to richardhicks)
Post #: 5
RE: Traffic data from the logs, reports and ISP are com... - 16.Feb.2009 12:32:24 PM   
richardhicks

 

Posts: 477
Joined: 20.Jan.2009
From: Southern California
Status: offline
Not to my knowledge, but you should see an indication in the log records that the request was returned from cache.

(in reply to max_e)
Post #: 6
RE: Traffic data from the logs, reports and ISP are com... - 17.Feb.2009 3:41:46 AM   
max_e

 

Posts: 4
Joined: 13.Feb.2009
Status: offline
And what about the ISA reports?
They are not completely empty, but show a very small amount of traffic, about 5% of the total.

(in reply to richardhicks)
Post #: 7
RE: Traffic data from the logs, reports and ISP are com... - 17.Feb.2009 12:34:13 PM   
richardhicks

 

Posts: 477
Joined: 20.Jan.2009
From: Southern California
Status: offline
The ISA reports should also indicate how many requests were satisfied out of cache...

(in reply to max_e)
Post #: 8
RE: Traffic data from the logs, reports and ISP are com... - 19.Mar.2009 8:11:26 AM   
NickSS

 

Posts: 6
Joined: 15.Jul.2008
Status: offline
Hello All!
It seems that I have a similar problem. My ISA reports do not include Symantec Live Update traffic. I can see this traffic in the logs, but it does not appear in the reports. Symantec Antivirus connects to Akamai network servers via the Firewall Client. I've got the following records in the logs:

3/14/2009 10:34:22 PM 92.122.213.81 80 192.168.1.3 Internal External 0 Firewall
3/14/2009 10:34:22 PM 92.122.213.81 80 192.168.0.254 Local Host External 0 Firewall
...
3/14/2009 10:40:58 PM 92.122.213.81 80 192.168.1.3 Internal External 48780868 Firewall
3/14/2009 10:44:45 PM 92.122.213.81 80 192.168.0.254 Local Host External 50118806 Firewall

It shows the traffic twice somehow (why?) and none of it appears in the reports. How is that possible?
Caching is off on my ISA.
NS

(in reply to richardhicks)
Post #: 9
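
An added example, not part of any post in this thread: a short Python script that parses the four records quoted in the post above and totals the byte column per source network. The column names are assumed from the excerpt, which does not label them; the result shows that a naive sum over every record is roughly double either network's own total.

```python
import re
from collections import defaultdict

# Records copied from the post above; the "..." line is left out.
SAMPLE = """\
3/14/2009 10:34:22 PM 92.122.213.81 80 192.168.1.3 Internal External 0 Firewall
3/14/2009 10:34:22 PM 92.122.213.81 80 192.168.0.254 Local Host External 0 Firewall
3/14/2009 10:40:58 PM 92.122.213.81 80 192.168.1.3 Internal External 48780868 Firewall
3/14/2009 10:44:45 PM 92.122.213.81 80 192.168.0.254 Local Host External 50118806 Firewall
"""

# Column meanings are assumptions read off the excerpt. "Local Host" contains
# a space, so the source-network names seen in the sample are listed explicitly.
LINE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+ [AP]M) (?P<dst>\S+) (?P<port>\d+) "
    r"(?P<client>\S+) (?P<src_net>Internal|Local Host) (?P<dst_net>\S+) "
    r"(?P<bytes>\d+) (?P<log>\S+)$"
)

def parse(text):
    """Return one dict per record; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["bytes"] = int(rec["bytes"])
            records.append(rec)
    return records

def summarize(records):
    """Bytes per source network, zero-byte record count, and the naive sum."""
    per_net = defaultdict(int)
    zero = 0
    for r in records:
        per_net[r["src_net"]] += r["bytes"]
        zero += r["bytes"] == 0
    return {"per_network": dict(per_net), "zero_byte_records": zero,
            "naive_total": sum(per_net.values())}

if __name__ == "__main__":
    s = summarize(parse(SAMPLE))
    for net, total in s["per_network"].items():
        print(f"{net:<11} {total:>12,d} bytes")
    print(f"naive total {s['naive_total']:>12,d} bytes, "
          f"{s['zero_byte_records']} zero-byte records")
```

When comparing log totals against an ISP figure, pick one source network to sum rather than adding all records together.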
RE: Traffic data from the logs, reports and ISP are com... - 19.Mar.2009 12:28:36 PM   
SteveMoffat

 

Posts: 1130
Joined: 29.Jun.2001
From: Hamilton, Bermuda
Status: offline
ISA reporting is basic at best. Use webmonitor from GFI or something similar.

_____________________________

Thanks
Steve

ISA 2006 Book! - http://tinyurl.com/2gpoo8
TMG Bible - http://tinyurl.com/ykv85hr
www.isaserver.bm

The built in ISA help is likely the most comprehensive help built into an application anywhere. USE it!!! Search it!!! RTFM

(in reply to NickSS)
Post #: 10
RE: Traffic data from the logs, reports and ISP are com... - 19.Mar.2009 3:41:19 PM   
NickSS

 

Posts: 6
Joined: 15.Jul.2008
Status: offline
Thanks Steve for the advice! :)
But does it mean that ISA reports are not correct by design? What are they for at all if I cannot trust them?

(in reply to SteveMoffat)
Post #: 11