About Connection Events
The system can generate logs of the connections its managed devices detect. These logs are called connection events. Connection events include Security Intelligence events (connections blocked by the reputation-based Security Intelligence feature.)
Connection events generally include transactions detected by:
-
Access Control policies
-
SSL policies
-
Prefilter policies (captured by prefilter or tunnel rules)
-
DNS Block lists
-
URL Block lists
-
Network (IP address) Block lists
Settings in rules and policies give you granular control over which connections you log, when you log them, and where you store the data.
For detailed information, see Connection Logging.
Connection vs. Security Intelligence Events
A Security Intelligence event is a connection event that is generated whenever a session is blocked or monitored by the reputation-based Security Intelligence feature.
However, for every Security Intelligence event, there is an identical connection event. You can view and analyze Security Intelligence events independently. The system also stores and prunes Security Intelligence events separately.
Note that the system enforces Security Intelligence before more resource-intensive evaluations. When a connection is blocked by Security Intelligence, the resulting event does not contain the information that the system would have gathered from subsequent evaluation, for example, user identity.
Note |
In this guide, information about connection events also pertains to Security Intelligence events, unless otherwise noted. |
NetFlow Connections
To supplement the connection data gathered by your managed devices, you can use records broadcast by NetFlow exporters to generate connection events. This is especially useful if the NetFlow exporters are monitoring different networks than those monitored by your managed devices.
The system logs NetFlow records as unidirectional end-of-connection events in the Firepower Management Center database. The available information for these connections differs somewhat from connections detected by your access control policy; see Differences between NetFlow and Managed Device Data.
Connection Summaries (Aggregated Data for Graphs)
The Firepower System aggregates connection data collected over five-minute intervals into connection summaries, which the system uses to generate connection graphs and traffic profiles. Optionally, you can create custom workflows based on connection summary data, which you use in the same way as you use workflows based on individual connection events.
Note that there are no connection summaries specifically for Security Intelligence events, although corresponding end-of-connection events can be aggregated into connection summary data.
To be aggregated, multiple connections must:
-
represent the end of connections
-
have the same source and destination IP addresses, and use the same port on the responder (destination) host
-
use the same protocol (TCP or UDP)
-
use the same application protocol
-
either be detected by the same Firepower System managed device or by the same NetFlow exporter
Each connection summary includes total traffic statistics, as well as the number of connections in the summary. Because NetFlow exporters generate unidirectional connections, a summary’s connection count is incremented by two for every connection based on NetFlow data.
Note that connection summaries do not contain all of the information associated with the summaries’ aggregated connections. For example, because client information is not used to aggregate connections into connection summaries, summaries do not contain client information.
Long-Running Connections
If a monitored session spans two or more five-minute intervals over which connection data is aggregated, the connection is considered a long-running connection. When calculating the number of connections in a connection summary, the system increments the count only for the five-minute interval in which a long-running connection was initiated.
Also, when calculating the number of packets and bytes transmitted by the initiator and responder in a long-running connection, the system does not report the number of packets and bytes that were actually transmitted during each five-minute interval. Instead, the system assumes a constant rate of transmission and calculates estimated figures based on the total number of packets and bytes transmitted, the length of the connection, and what portion of the connection occurred during each five-minute interval.
Combined Connection Summaries from External Responders
To reduce the space required to store connection data and speed up the rendering of connection graphs, the system combines connection summaries when:
-
one of the hosts involved in the connection is not on your monitored network
-
other than the IP address of the external host, the connections in the summaries meet the summary aggregation criteria
When viewing connection summaries in the Analysis > Connections submenu pages, and when working with connection graphs, the
system displays external
instead of an IP address for the non-monitored hosts.
As a consequence of this aggregation, if you attempt to drill down to the table view of connection data (that is, access data on individual connections) from a connection summary or graph that involves an external responder, the table view contains no information.