Firewall Direction & Good Logging/Analytics


jazzyy (New Member), Apr 23, 2019
Hey all,

So what I've got now is this:
WatchGuard M400 (edge) firewalling
Cisco 4351 router with 2x UCS-E140S blades running ESXi 6.7, hosting a WLC 9800-CL, an ELK stack, Pi-hole, and vSphere. I had WatchGuard Dimension running, but my subscription ran out, so now there's no more WG Dimension logging.

I really, really liked the insight I got from WG Dimension into what domains I was visiting: if traffic passed through the HTTP(S) proxies it would get DNS-looked-up, and it was very helpful in determining what I was doing at what time. I live alone, so I just like having the metrics on where my data is going. I have the ELK stack set up with ElastiFlow, and that accomplishes similar results; the problem is that it does reverse DNS lookups and uses the FQDNs, and some domains don't allow reverse DNS lookups, or if they do, the result is basically gibberish. WG Dimension somehow AVC'd or something and knew exactly what each site was for.

So basically, I want something like that going forward. I don't want to virtualize pfSense because my hardware is already nearing capacity (the UCS-E blades aren't strong, but they do what I need/want). I could put pfSense on the WG M400, so that would be a possibility. I already have the flash card for it too. Not a huge pfSense guy, though. It never really clicked, but if someone can point me in the direction of what it would take to get metrics and DNS lookups on my traffic, I'd be down for that.

The other option I could see is moving to a Cisco ASA. We use those at work, and I really should know them inside and out for that reason. But I'm not sure about the licensing aspect of it all. I know I probably won't get the IPS features or SFR/Firepower, but will I be hosed on throughput licensing, VPN functionality, or basic firewall packet inspection? Will flows, AVC, routing protocols, etc. be available? I was thinking about buying a 5508, 5512, or 5515, as my internet circuit is 200 Mb/s but bursts into the 300 Mb/s range on average. It can hit 500 Mb/s on a good day too, but it's not a huge deal.

So basically, what product should I buy/use to get me some interesting/pretty analytics? I'd like for them to show up in ELK, but I'm a COMPLETE ELK newbie and just follow tutorials on GitHub to get what I have now. I know there are some default ASA dashboards, and UniFi has some stuff. I was looking at the USG-4 Pro, and that might also work out in my favor too.
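The reverse-DNS problem the post describes (PTR records missing or meaningless for CDN and cloud addresses) is usually solved by correlating flow records with the forward DNS queries the clients actually made, which is what a "passive DNS" enrichment does. The following is an added example written for this thread, not code from the poster, from ElastiFlow, or from WatchGuard: it parses constructed Pi-hole/dnsmasq-style query and reply log lines into a per-client (client, resolved IP, queried name) table, then labels constructed NetFlow-style flow records with the domain the source host resolved shortly before the flow started, falling back to "unresolved" rather than a PTR lookup. The log format, the 300-second correlation window, the year (dnsmasq lines carry none), and the sample addresses are all assumptions for the illustration.

```python
import re
from datetime import datetime, timedelta

YEAR = 2019                      # assumed: dnsmasq log lines have no year field
WINDOW = timedelta(seconds=300)  # assumed: how long after a resolution a flow is attributed to it

# Constructed dnsmasq/Pi-hole style log lines (not a real capture).
# Assumed format: "<Mon DD HH:MM:SS> dnsmasq[<pid>]: query[<type>] <name> from <client>"
#                 "<Mon DD HH:MM:SS> dnsmasq[<pid>]: reply|cached <name> is <ip|<CNAME>>"
DNS_LOG = """\
Apr 23 10:00:01 dnsmasq[1234]: query[A] www.example.com from 10.0.0.5
Apr 23 10:00:01 dnsmasq[1234]: forwarded www.example.com to 1.1.1.1
Apr 23 10:00:01 dnsmasq[1234]: reply www.example.com is 93.184.216.34
Apr 23 10:00:02 dnsmasq[1234]: query[A] cdn.example.net from 10.0.0.5
Apr 23 10:00:02 dnsmasq[1234]: reply cdn.example.net is <CNAME>
Apr 23 10:00:02 dnsmasq[1234]: reply edge1.provider.example is 198.51.100.7
Apr 23 10:05:00 dnsmasq[1234]: query[A] www.example.com from 10.0.0.9
Apr 23 10:05:00 dnsmasq[1234]: cached www.example.com is 93.184.216.34
"""

# Constructed NetFlow-style records: (timestamp, src, dst, dst port, bytes).
FLOWS = [
    ("2019-04-23 10:00:03", "10.0.0.5", "93.184.216.34", 443, 51200),
    ("2019-04-23 10:00:04", "10.0.0.5", "198.51.100.7", 443, 812000),
    ("2019-04-23 10:05:01", "10.0.0.9", "93.184.216.34", 443, 9000),
    ("2019-04-23 10:06:00", "10.0.0.5", "203.0.113.9", 22, 3000),  # no DNS query seen
]

LINE_RE = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d) dnsmasq\[\d+\]: "
    r"(query\[\w+\]|reply|cached) (\S+) (from|is) (\S+)$"
)


def parse_dns_log(text, year=YEAR):
    """Build passive-DNS records (resolved_at, client, ip, queried_name) from log text."""
    records = []
    pending = {}            # queried name -> (client, asked_at) awaiting answers
    last_cname_query = None  # name whose answer chain is currently being logged via CNAME
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # "forwarded" and other lines carry nothing needed here
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        kind, name, value = m.group(2), m.group(3), m.group(5)
        if kind.startswith("query"):
            pending[name] = (value, ts)  # value is the client address on query lines
            continue
        if value == "<CNAME>":
            # dnsmasq logs the A records of the CNAME target on the following lines;
            # attribute them to the name the client originally asked for.
            last_cname_query = name
            continue
        if name in pending:
            qname = name
        elif last_cname_query in pending:
            qname = last_cname_query
        else:
            continue  # answer for a name no client asked about in this log
        client, _ = pending[qname]
        records.append((ts, client, value, qname))
    return records


def enrich_flows(flows, pdns):
    """Label each flow with the name its source resolved to the destination IP."""
    out = []
    for ts_s, src, dst, dport, nbytes in flows:
        ts = datetime.strptime(ts_s, "%Y-%m-%d %H:%M:%S")
        candidates = [r for r in pdns
                      if r[1] == src and r[2] == dst and r[0] <= ts <= r[0] + WINDOW]
        # Most recent matching resolution wins; never fall back to a PTR lookup.
        domain = max(candidates, key=lambda r: r[0])[3] if candidates else "unresolved"
        out.append({"ts": ts_s, "src": src, "dst": dst, "dport": dport,
                    "bytes": nbytes, "domain": domain})
    return out


def bytes_per_domain(enriched):
    """Aggregate bytes by resolved domain, the view a dashboard would chart."""
    totals = {}
    for f in enriched:
        totals[f["domain"]] = totals.get(f["domain"], 0) + f["bytes"]
    return totals


if __name__ == "__main__":
    pdns = parse_dns_log(DNS_LOG)
    enriched = enrich_flows(FLOWS, pdns)
    for f in enriched:
        print(f"{f['ts']} {f['src']} -> {f['dst']}:{f['dport']} {f['bytes']:>7} B  {f['domain']}")
    print(bytes_per_domain(enriched))
```

The "unresolved" bucket is the useful signal in this design: a flow to an address the client never asked the resolver about means the host used a hard-coded IP, a different resolver, or DNS over HTTPS, which is exactly the traffic a reverse lookup would have mislabelled. Keying the table on the client as well as the IP matters because two clients can resolve the same address under different names (a shared CDN edge), and the per-client query is the only ground truth for which site that host meant.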