FirePlotter is a powerful application that lets you monitor the traffic passing through your Cisco or FortiNet firewall. It enables you to see how many sessions, what type of sessions (email, web browsing, file transfer etc), which direction (inbound or outbound) and how much bandwidth is being used by each (Kbits/sec). This information is displayed in real-time in both tabular and graphical format providing updated real-time snapshots of network activity and availability. FirePlotter also records all the session and bandwidth data it collects so you can replay the data collected to review any event historically.
We highly recommend watching all of the training videos below.
FirePlotter 2.0 Demonstration/Training Video(s)
Click on the links below to watch either the full FirePlotter Demonstration/Training Video, which includes all sections listed below, or an individual section of your choice (we recommend all sections!):
Full FirePlotter Demonstration/Training Video
FirePlotter Online Help is divided into the following sections:
Tip - How to Quick Search this Help Page
Did you know that in any web page (on all websites) you can press and hold down [CTRL-F] at any time and a Find Window like this will open?

You can use [CTRL-F] to search this Online Help page. Simply press [CTRL-F] and then type in the text you are searching for. Use the Previous and Next buttons to move through the page. Press the red X in the top right of the Find Window to close it.
Quick Start Guide
FirePlotter is easy to get going and use. You can view Introduction to FirePlotter, Quick Licensing and Connect and Record videos to learn more.
FirePlotter supports Microsoft Windows XP/2003/Vista/Windows7 platforms.
FirePlotter supports all Cisco ASA/PIX Firewalls (v6.x, v7.23 and above, and 8.x) and FortiNet FortiGate Firewalls (v2.8 and v3.0).
FirePlotter uses an SSH (secure shell) or telnet session to the firewall to get the firewall's real-time session information. So all you need to do to get FirePlotter working is make sure you can connect and log in to the firewall using SSH or telnet. If you don't already know how to do this then see the "Setting Up" sections (Cisco/FortiNet) below.
FirePlotter quickly answers questions like "Who is using my bandwidth?", "What is using my bandwidth?", "Who is eating my bandwidth?" or "What is eating my bandwidth?".
To connect FirePlotter all you need is:
1) the IP address of the Cisco or FortiNet firewall
2) to be able to access the firewall using SSH or telnet protocol
3) working SSH or telnet login credentials with admin/enable rights*
*for FortiNet this must be the "admin" username.
Enter this data into FirePlotter fields at the top and press Connect and you are away into the wonderful world of finally seeing what is really happening on your internet connection(s)! As soon as you are connected to your firewall, FirePlotter starts recording the data saved in the FirePlotter Recorded Data folder, accessible (and re-playable) from the File, Open Recorded Data menu option.
Tip - We generally recommend using SSH rather than telnet to connect FirePlotter to your firewall. SSH provides a secure encrypted connection, which means that the firewall session data transmitted between the firewall and FirePlotter cannot be sniffed/hacked. Also, if you are connecting to a Cisco ASA or PIX firewall, SSH is better optimised for performance on these platforms than telnet.
Upgrades
Tip - If you are upgrading your version of FirePlotter, please remember to back up your FirePlotter.ini file if you've changed it, as it gets overwritten by the upgrade process. There may be differences in the format of FirePlotter.ini between released versions of FirePlotter, so you may need to re-create your FirePlotter settings in FirePlotter.ini after an upgrade.
Free Mode vs. Licensed Mode
FirePlotter can be run in Free Mode or (paid for) Licensed mode - see the differences between the two here: Free vs. Licensed Mode - Comparison Chart
Installing FirePlotter License File
When you have received your FirePlotter 14-day evaluation license or 1-Year full license file, this file should be placed in the FirePlotter data folder before launching the application. Note, the FirePlotter data folder is only accessible once you have installed the FirePlotter application itself.
This folder is easily accessible by going to the Windows Start, All Programs, FirePlotter, Browse FirePlotter data folder menu option. You can then drag-and-drop your license file into this folder.
See Quick Licensing video (1 minute) for more information.

FirePlotter Controls & Views
The FirePlotter window can be divided into 7 sections: Menu Bar, Connection Bar, Focus Bar, Session Tables Section, Control Bar Section, Graphical Bandwidth Plotting Section and Status Bar:

Menu Bar
The File Menu provides options to "Open Recorded Data", "Open fireplotter.ini" (see FirePlotter.ini), "Open FirePlotterDebug.txt" and "Exit" the application. The "View", "Mode" (View Mode) menu option can be used to toggle between "Basic" and "Advanced" View Modes (see View Modes: Basic & Advanced). The Help Menu options are: "Online Help" (taking you to this web page), "Check for Updates Online" (taking you to a web page to check you have the latest version of FirePlotter), many other help options and "About FirePlotter" (see FirePlotter Licensing).
Connection Bar
Here you can select Cisco ASA/PIX or FortiNet FortiGate firewall type, Connection Type (Telnet), enter the IP address or DNS name (e.g. 192.168.1.1 or firewall.test.com) and telnet login credentials for the firewall to be monitored.

Focus Bar
The FirePlotter Focus Bar clearly informs you about what you are viewing. The Focus Time and Date tell you the date and time of the current snapshot being displayed in the session table. Firewall Unit Name, Address, Model and Firmware version are also displayed. Real Time and Date is displayed so you can compare with the Focus Time and Date. When FirePlotter is in real-time mode, the Focus Time and Date will be almost exactly the same as Real Time and Date (as below). However, if you choose to play historical data, the Focus Time and Date will show the Time and Date of the data you choose to replay.
The Focus bar also shows the Active Filters currently applied to the session table view (where D = Direction, SIP = Source IP Address, DIP = Destination IP Address, S/DP = Service/Destination Port Number, and IPP = IP Protocol). See Understanding Zoom In, Active Filters and Summary Filters. The View Mode setting of Basic or Advanced is next (see View Modes: Basic & Advanced). Also displayed is Sessions: XXXX/YYYY where XXXX=number of sessions currently displayed in the Session Table and YYYY=total number of sessions passing through the firewall.
Session Tables Section
The traffic monitored by FirePlotter is divided into Inbound and Outbound. Inbound traffic is defined as sessions that are initiated from outside of the firewall passing inside. Outbound traffic is defined as any sessions that are initiated from the inside of the firewall passing to the outside. Until FirePlotter is developed to differentiate between all possible firewall interfaces, any DMZ ports on a firewall are considered as "inside". So sessions passing from DMZ(s) to Outside are considered as Outbound sessions and vice versa.
Once FirePlotter is gathering real-time data you can double click in the Session Table Section on any of the Direction, Source IP, Source Port, Destination IP, Service /Destination IP, IP Protocol Fields, Sessions fields to zoom into specific real-time session information. So if you double click on a line in the Source IP address column with a single IP address being displayed, you will drill down into all the sessions related to that IP address. Or if you click on a line in the Service/Destination Port column where HTTP (80) is being displayed, you will drill down into all HTTP traffic passing through the firewall.
Tip - once you have drilled down, you may choose to activate a Summary Filter - for example by Service/Destination - see Control Bar
Tip - You can also click on any of the column headings to re-order into ascending order the whole session list by the data in that column.
Tip - To reset back to the "Default view" - right-mouse click anywhere in the Session Table and select "default view"
Tip - you can see what filters are active as you drill down by viewing the left portion of Status Bar at the bottom of the FirePlotter screen.
The default view summarises the sessions by Inbound and Outbound sessions, and then by Service/Destination IP.
Where the Source IP field or Destination IP field shows "...", this indicates multiple addresses; it may be double clicked on to get more information on what those IP addresses are.
Where possible FirePlotter will resolve IP addresses to Fully Qualified Domain Names (FQDNs) or NetBIOS Names (optional). When an IP address is displayed in brackets e.g. (192.168.1.1) - this indicates that FirePlotter is still attempting to resolve a name to the IP address. See FirePlotter.ini for how to set name resolution options.
Note that FirePlotter suppresses monitoring of its own SSH or telnet traffic on the session tables or graphing of traffic.
Also please note for Cisco ASA/PIX users: Cisco do not provide session data in PIX 6.x for connections directly to the PIX interfaces. This means that management connections such as SSH or HTTPS are not displayed. This also means that VPN connections terminated at the PIX are not reported. However, in PIX 7.x this session data is provided and so FirePlotter can display bandwidth usage and session data for all connections terminated at the PIX interfaces (SSH, HTTPS, VPN etc).
Control Bar
In the Control Bar there is a "Summarize Table by" drop down menu, providing the options to summarize (i.e. count the number of sessions) by: No summary, Source IP, Destination IP, Service/Destination Port, IP Protocol and Direction. Also here is the option to return to the Default view, to Pause or Play, change the Play Interval to 0, 1 or 2 seconds and to Reset to Real Time.

Graphical Bandwidth Plotting Section
The graphical section displays Inbound and Outbound Bandwidth Usage in KBits/Second over time by Service/Destination Port. The colours of services are set in the FirePlotter.ini file. For example: Email (SMTP) traffic is red; Web Browsing (HTTP) is green; Secure HTTP (HTTPS) is gold; FTP is brown.
As well as graphing the total bandwidth for the 8 configurable key protocols (Ping, FTP, SMTP, DNS, HTTP, POP3, HTTPS & RDP), FirePlotter's Graphical Bandwidth Plotting continually ensures that the protocol consuming the most bandwidth is always graphed with a Trace line. The Trace line is often not visible on the graphs, as the protocol consuming the most bandwidth is usually one of the 8 key protocols which are already graphed. On occasions where a non-key protocol is consuming the most bandwidth, the Trace line appears and the associated protocol entries in the Session Tables are highlighted with the same colour. The Trace line protocol can change second by second as different applications consume the available bandwidth. The default Trace colour is a pale blue, and when it appears on the Graphical Bandwidth Plotting it is a slightly thinner line than the key protocols.

FirePlotter lets you review historical data by clicking your mouse on the area of the graph you are interested in. See FirePlotter Replay.
Status Bar
From left to right, the first part of the Status Section indicates the Recording Status, which includes the Firewall Unit Name, IP Address, model and firmware version. The next section indicates when the next update of session data will start. On first connection it indicates how many blocks of data are being downloaded to get all the session data from the firewall; from then on it indicates an estimate in percentage (%) of session data to be downloaded. The last section displays the recording time in Days, Hours, Minutes and Seconds since FirePlotter first started recording session data from the firewall.
Tip - You can use the Windows XP/Vista key combination of [Ctrl+Alt+PrtScn] to copy a screenshot of the ‘active’ window (in this case the FirePlotter application) to the clipboard at any time. You can then paste this image into any other application of your choice.
Managing Profiles
When FirePlotter connects to a firewall for the first time the Profile Manager asks if you would like to save the connection settings you have used in a "Profile" using the Connect Profile Editor: 
You have the option of changing the Profile Name. Note that the profile name, also "names" the folder in the FirePlotter Recorded Data path where the .fpr files of the recorded data will be stored. So for example, the above profile named "ASA Firewall" would create data path: C:\Users\[User]\AppData\Roaming\FirePlotter\RecordedData\192.168.68.90 ASA Firewall\ for its recorded data.
The Download Filter in the profile settings can be used to limit the data that is downloaded from the firewall. This is particularly useful for firewalls that have many, many thousands of connections, and remember that you can run multiple copies of FirePlotter that have different download filters set. Also note that if running multiple FirePlotter profiles connected simultaneously to the same firewall, then the profile name should be different for each profile that is connected (to ensure .fpr files are kept separate).
For a Cisco ASA or PIX firewall the field can be completed as: address 192.168.68.0 netmask 255.255.255.0 port 25 to only download session data relating to the set filter. The options are: address x.x.x.x (source or destination), dest_ip x.x.x.x (range also permitted, 10.1.1.1-10.1.1.5), src_ip x.x.x.x (range also permitted, 10.1.1.1-10.1.1.5), src_port x (range also permitted, 1000-2000), dest_port x (range also permitted, 1000-2000), netmask mask x.x.x.x, port x, protocol {tcp | udp} - these options are from the show connections command. Please note these commands are only supported in ASA/PIX 7.x and above. These filter options are set by Cisco (and not FirePlotter).
For a FortiNet FortiGate firewall the field can be completed as: dia sys session filter dst 193.82.154.9 to only download session data specific to this destination IP. The options are: dport x, dst x.x.x.x (dest ip), address x.x.x.x (ip), duration x, expire x, policy x (policy id), proto x (protocol number), sport x (source port), src x.x.x.x (source ip). These filter options are set by FortiNet (and not FirePlotter). Please note that these commands are only supported in firmware 3.0 MR6 and above.
The Record Interval sets the time in seconds between FirePlotter retrieving session data from the firewall.
The Auto Connect option, if enabled, means that when the profile is selected via the command line option: FirePlotter.exe /Profile:<profile name>, FirePlotter will connect automatically. If the Auto Connect option is not enabled, then when the profile is selected from the command line the connection settings will load, but FirePlotter will ask if you want to connect or cancel.
The Auto Reconnect option, if enabled, means that FirePlotter will automatically reconnect to the firewall if the connection is lost, and will keep attempting to reconnect until the connection is re-established. After each re-connection attempt, FirePlotter doubles the time to wait for the next attempt.
View Mode selects which viewing mode will be operational when FirePlotter connects. See View Modes: Basic & Advanced for more information on view modes.
The External Interface can be used for FortiNet Firewalls only and sets which interface(s) is/are “outside, internet facing”. Default on Cisco ASA/PIX is ethernet0 interface. Default on FortiGate (multiple entries permitted): WAN1, WAN2 and Port1. No setting is possible for Cisco firewalls.
Monitor HA Cluster is only available for FortiNet firewalls, and should be enabled if the FortiNet firewall is in High-Availability mode. If the cluster is in Active-Active mode, then FirePlotter will monitor and record sessions through both units.
The Socket Timeout may be increased for slow firewalls that, for example, take a long time for prompts to appear.
Click "Save" to save the profile. The "Help" button links to this section in the Online Help.
View Modes: Basic & Advanced and Trace Line
See Basic And Advanced View Modes and Trace Line video (4 minutes) for more information.
Basic View Mode lists only the key services (e.g. HTTP, SMTP etc) and Advanced Mode shows all services passing through the firewall in the Session Table. You can switch modes either via the View, Mode menu option, or by Right Mouse Click option when hovering over Session Table.
In the licensed version (or 14-Day evaluation license) of FirePlotter there is the option to switch between Basic and Advanced View Mode. An unlicensed "Watch Only" mode FirePlotter will only run in Basic View Mode.
By default, Basic Mode will only monitor the key Service/Destination Ports listed in the [Ports] section of the fireplotter.ini file (see FirePlotter.ini).
The key Services/Destination Ports monitored in Basic View mode by default are: Ping, File Transfer (FTP), Email (SMTP), Domain Name Service (DNS), WebBrowsing (HTTP), Email (POP3), Secure Web Browsing (HTTPS), Remote Desktop (RDP) and the Trace Line.
The session lines and bandwidth consumed are colour coded in the session table and the graphs. If a service/destination port is not configured in the fireplotter.ini [Ports] section, then that traffic will not show in the FirePlotter Session Table or Graphical Bandwidth Plotting when running in Basic View Mode, unless it is the Trace Line (see more on Trace Line below). So the only way to monitor service/destination ports that have not been configured in the fireplotter.ini [Ports] section is to switch to Advanced View Mode. Note that the editing of the FirePlotter.ini file is only available if you have a 14-Day Evaluation or a purchased License.
The screenshot below is of FirePlotter in Basic View Mode (listing the key Services/Destination Ports mentioned above):
Screenshot below of FirePlotter in Advanced View Mode: 
The Trace Line, in pale blue in either the Session Table or in the bandwidth graphing, shows you any service/Destination Port traffic that is taking up the most bandwidth, provided it is not one of the key services/Destination Ports monitored. So in the screenshot below we can clearly see in the Session Table that it was Syslog, both Inbound and Outbound, that was using most bandwidth in that snapshot at 07:21:47, hence those lines are coloured in the light blue trace line colour (as SysLog has not been set a colour in FirePlotter.ini). The bandwidth usage is also displayed in the Trace Line colour in the Inbound and Outbound Graphs. Notice at the end of the graph, the green HTTP traffic is now showing most traffic, so the highest peak is in green (a colour that is set in fireplotter.ini).
Understanding Zoom In, Active Filters and Summary Filters
See Zoom and Filters video (5 minutes) for more information.
OK, let's go through the many filtering views that FirePlotter gives you. When you first load FirePlotter it extracts the session table from your firewall and automatically displays the session table in the "Default View" summarising by Service/Destination Port (as indicated at the bottom of the screen) and sorted by the ‘Direction’ and then ‘In Bytes/s’ columns. The Default View is a special view only available when FirePlotter first connects, when the Default View button is clicked, or when Default View is selected from the Right Mouse Click options when hovering over the Session Table. Notice that the Sessions column shows how many SMTP or HTTP sessions are passing through the firewall - something like this:
As an aside, notice that if you click on the word Sessions at the top of the Session column (or any of the column titles) FirePlotter will re-order the session table display in descending value order. Like this:
Now let's turn off the Summary filter by changing the Summary filter setting at the bottom of the screen. Notice you will now get a long list of all the sessions going through the firewall, one line per session (notice scroll bar on top right), and Summary Filter is set to No Summary (notice the session column again, now 1 session per line) - something like this:
OK, so now let's switch back to Summary Filter by Destination/Service Port. Now you can see that Sessions are summarised by Service again. Now let's zoom into a particular internal IP address. We know it is internal as we are selecting from the Outbound Sessions, so the source IP will be an internal device. Let's select 192.168.68.14 and double click on that...
Now because we clicked on 192.168.68.14 with Service/Destination Port of HTTP (Port 80), we now see all HTTP sessions relating to this device. Notice what the active filters are displaying in the Status Bar at the bottom of the screen, and notice that Summary Filter has switched to No Summary.
Once you have taken that in, we can zoom in to see all the traffic (not just HTTP) that this device is sending through the firewall by double clicking on 192.168.68.14 again (highlighted above) - but this time we are not in a summary mode so now we get:
So to tidy up a bit we could turn on Summary Filter by Service Destination and we would get this, a nice summary of what just this device is doing:
Then we can click on the Default View Button to take us back to the starting point and explore other sessions in a similar manner. It's easy to understand and use the Zoom In mode and to read the Active Filter status and use the Summary Filter. Really Easy!
FirePlotter Replay
For more information see 4 minute Replay training video.
FirePlotter records all the data it collects and has the capability to reload a session table snapshot or replay session data that was seen over a period of time. There are two ways to do this: Click on Graph or Open Recorded Data.
Click on Graph Method
First we can click on the graph at a time period we want to review. So for example in this screen shot we can see a peak which we have clicked on and FirePlotter is asking if we want to reload this data: 
If we click OK, we then see FirePlotter load the session table from that moment. Notice the Focus Time is now the time we selected on the graph, also FirePlotter has been Paused (so the Play button is now available) and we can see in that Secure Web Browsing line that In Bytes/Sec is higher than everything else:
Now if we double click on the words "Secure Web Brow..." in the Service/Dest Port column we can "Zoom" in on the data and can see specifically which session was creating that peak:
If we wish, we can now click on the "Play" button to let FirePlotter catch its focus time back up to real time.
File Open Recorded Data Method
To access FirePlotter's recorded data further back in time than the data plotted on the graph, we can go to the Menu option File, Open Recorded Data and then select Firewall, Date, Hour and then select the .fpr file we want to load. FirePlotter will then load that session and start playback with a 2 second interval between each snapshot played. At any point you can click on "Pause" to study the data using the Zoom and Summarize features of FirePlotter. And of course you can click on the graph to review again if needed. Note that FirePlotter can record huge quantities of data when recording your firewall - see next section.
Managing Disk Space
FirePlotter automatically stores the session data it collects in individual .fpr files (e.g. 090820-104146.fpr). The very first time you run FirePlotter, after a few minutes recording you will get the "FirePlotter Recorded Data Max File Count" warning message:
FirePlotter's default setting is to keep 250 .fpr files (each file represents a session table snapshot). This screen tells you how much disk space keeping those rolling 250 files will take up, and how much historical time the files represent. Also, if you want to keep 1 hour or 24 hours of historical data on disk, this screen tells you what value you need to set FPRMaxFileCount to in FirePlotter.ini or Maximum File Count in Global Settings, Recording in order to achieve that. Here is more information on FPRMaxFileCount from the FirePlotter.ini file:
; FPRMaxFileCount= Sets number of FirePlotter Record files to keep on a rolling rotation
; Default is 250 and maximum value is 20000 (20,000)
; Set FPRMaxFileCount=0 to keep all date - be aware, can use an enormous amount of disk space!
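With FPRMaxFileCount=0 nothing bounds the Recorded Data folder, so an external job has to. The following is an added example, not part of FirePlotter: a pruning routine suitable for a scheduled task that removes .fpr files older than a maximum age and then trims the oldest remaining ones until a size budget is met. The function names, the age and size limits, and the demo folder contents are assumptions made for illustration.

```python
import os
import tempfile
import time
from pathlib import Path

DAY = 86400  # seconds


def plan_fpr_prune(root, max_age_days, max_total_bytes, now=None):
    """Return (files_to_delete, bytes_remaining) for all .fpr files under root.

    Files older than max_age_days go first; if what is left still exceeds
    max_total_bytes, the oldest survivors are added until it fits.
    """
    root = Path(root).resolve()
    now = time.time() if now is None else now
    cutoff = now - max_age_days * DAY

    files = []
    for p in root.rglob("*.fpr"):
        # Only regular files that really live under root: never follow a
        # symlink out of the recorded-data tree.
        if p.is_symlink() or not p.is_file():
            continue
        if root not in p.resolve().parents:
            continue
        st = p.stat()
        files.append((st.st_mtime, st.st_size, p))
    files.sort(key=lambda item: item[0])  # oldest first

    doomed = [f for f in files if f[0] < cutoff]
    kept = [f for f in files if f[0] >= cutoff]
    remaining = sum(size for _, size, _ in kept)
    while kept and remaining > max_total_bytes:
        oldest = kept.pop(0)
        doomed.append(oldest)
        remaining -= oldest[1]
    return [p for _, _, p in doomed], remaining


def prune_fpr(root, max_age_days, max_total_bytes, dry_run=True, now=None):
    """Apply the plan. With dry_run=True (the default) nothing is deleted."""
    doomed, remaining = plan_fpr_prune(root, max_age_days, max_total_bytes, now)
    if not dry_run:
        for p in doomed:
            p.unlink()
    return doomed, remaining


if __name__ == "__main__":
    # Constructed demo tree: one profile folder with three 100-byte snapshots.
    with tempfile.TemporaryDirectory() as tmp:
        profile = Path(tmp) / "192.168.68.90 ASA Firewall"
        profile.mkdir()
        now = time.time()
        for name, age_days in (("old.fpr", 10), ("mid.fpr", 2), ("new.fpr", 1)):
            f = profile / name
            f.write_bytes(b"\0" * 100)
            os.utime(f, (now - age_days * DAY, now - age_days * DAY))
        doomed, remaining = prune_fpr(tmp, max_age_days=7, max_total_bytes=150, now=now)
        for p in doomed:
            print("would delete:", p.name)
        print("bytes remaining:", remaining)
```

Run it first with the default dry_run=True against the folder named by FPRDataLocation and review the list before scheduling it with dry_run=False.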
If you set FPRMaxFileCount to 0, to keep *all* data recorded (i.e. not delete any of it), then we recommend that users of FirePlotter investigate Cyber-Ds Autodelete freeware product that can be used along with Windows Task Scheduler as required. When FPRMaxFileCount is set to 0, when exiting FirePlotter you are not given the option to keep or delete the stored data. If FPRMaxFileCount is 1, then .fpr data is not saved, and you are not given the option to keep or delete the stored data when you exit FirePlotter. If FPRMaxFileCount is > 1, then upon exiting FirePlotter you will be asked if you want to keep or delete the stored data.
Your fireplotter.ini settings also include a parameter to set the path for FPR (FirePlotter Recording) data storage. So for example you may want to have FirePlotter save its FPR files on a non-boot disk (D:, E:, etc).
The path must exist (FirePlotter will not create it). The parameter, in the [Data] section, is:
FPRDataLocation=c:\Temp\RecordedData
The default locations for FirePlotter to store Recorded Data are, for Windows XP/Windows 2K3: C:\Documents and Settings\[User]\Application Data\FirePlotter, and for Windows Vista/Windows 7: C:\Users\[User]\AppData\Roaming\FirePlotter\RecordedData
How to "find" an IP address in FirePlotter
One way to find an IP address really easily right now is in Advanced View Mode: from the Default View, first press Pause to stop it updating, so you can see the snapshot of all the sessions. Then change the drop down at the bottom left to Summarise By: Source IP. Then click the top of the Source IP address column to re-order the column by IP address in ascending order. You can then scroll down to the address you want, then double click to Zoom in to that specific IP address. Once zoomed in, you might want to re-enable the Summary By Service/Destination Port if there are lots of connections. You can also re-enable Play so you can see in real-time what that IP address is doing.
Setting Up Your Cisco ASA/PIX Firewall for FirePlotter
We always recommend that the SSH protocol is used to connect FirePlotter to your ASA or PIX firewall (rather than telnet protocol). We have found that telnet can experience occasional data corruption that can create a problem for FirePlotter. In the event that FirePlotter experiences any problems working with your firewall, we will always ask you to switch to SSH to see if that resolves the issue. Also, because SSH protocol is an encrypted communication protocol, it is inherently more secure than open-text telnet.
For SSH connections:
If you wish to allow FirePlotter to make an SSH connection to a Cisco ASA/PIX, you need to configure your ASA/PIX for SecureShell (SSH) connections. For more information on configuring SSH on a Cisco Firewall see:
Configuring PIX 6.x to Accept SSH Connections
Configuring ASA/PIX 7.x and above to Accept SSH Connections
More information on configuring SSH on a Cisco Firewall is available here from Cisco: http://www.cisco.com/en/US/docs/security/asa/asa81/command/ref/s8.html#wp1375161
Once SSH is configured on your Cisco ASA/PIX you can test SSH from the PC you are using for FirePlotter. You will need to connect to the firewall using an SSH utility like PuTTY. See http://www.putty.org/
For Telnet connections:
If you wish to allow FirePlotter to telnet to a Cisco ASA/PIX, you need to configure which hosts are allowed in. To allow a single host to telnet in via the inside interface:
telnet 10.1.1.100 255.255.255.255 inside
To allow any PC on subnet 10.1.1.0 /24 to telnet in via the inside interface:
telnet 10.1.1.0 255.255.255.0 inside
More information on configuring telnet on a Cisco Firewall is available here from Cisco: http://www.cisco.com/en/US/docs/security/asa/asa81/command/ref/t.html#wp1483242
Once telnet is configured you can test telnet from the PC you are using for FirePlotter. You'll need to connect to the firewall using the Microsoft Windows Telnet client (standard in Windows 2000/XP, but see Installing Telnet in Windows Vista to get this working for Vista).
To test the telnet connection, open an MS-DOS box, type "telnet x.x.x.x" where x.x.x.x is the IP address of the interface and press enter. You will then be prompted for login. Enter credentials to log in. You should see a screen that looks like:
User Access Verification
Password:
Type help or '?' for a list of available commands.
firewall> enable
Password: *********
firewall#
Note: you may need to enter into FirePlotter Enable Username (optional), Enable Password, Telnet Username, Telnet Password - depending upon how your Cisco Firewall is configured. If during Telnet testing you are not prompted for Username then leave the FirePlotter Username field(s) blank.
Note: if you are connecting FirePlotter to a Cisco ASA/PIX firewall via a VPN, you will need to have the "management-access outside" command set, in order for you to access the internal interface telnet IP address from the outside.
Note: if you are using Cisco FWSM (Firewall Service Module) in a Cisco Switch (in this example a Cisco 6513), then here are some tips on how to set up telnet access. These tips assume you have access to the switch console port and login/enable credentials:
1) Ensure config tells Cisco 6513 switch which vlans to allocate to the fwsm via switch console port using show config :
firewall multiple-vlan-interfaces
firewall module 7 vlan-group 1
firewall vlan-group 1 5,50-52,110,120,130,140,150,210,220,330,340,350
2) Issue commands to get into fwsm console configured as above:
• Cisco IOS software
Router# session slot 7 processor 1
• Catalyst operating system software
Console> (enable) session 7
then login
3) Check/Use commands associated with the fwsm:
firewall transparent
nameif vlan5 outside security0
nameif vlan50 inside security100
As you can see, this is the same as ASA/PIX except that it uses the vlans allocated from the switch.
IP address allocated to this context for management or traffic initiated from the context, e.g. logs (FWSM calls the virtual firewalls 'contexts'):
ip address 10.1.1.250 255.255.255.0 standby 10.1.1.2 (there may not be a standby if you only have one fwsm)
4) Setup telnet access to the inside interface (to edit fwsm config use Conf t to edit & CTRL-Z to exit & wr mem to Save):
telnet 10.1.1.0 255.255.255.0 inside
5) Assuming coming from VLAN 50, Telnet to 10.1.1.250 and login!
Note: FirePlotter is a powerful real-time tool that can be used to augment Netflow analysis products.
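The telnet access rules shown in this section, and the equivalent ssh rules, can be reviewed offline before FirePlotter is pointed at the firewall. The following is an added example, not part of FirePlotter or of Cisco's documentation: it parses rules of the form `<telnet|ssh> <address> <netmask> <interface>` from saved configuration text and flags cleartext telnet access, source ranges wider than a single host, and rules bound to an external interface. The function names, issue labels and sample configuration are constructed for illustration, and treating `outside` as the external interface name is an assumption.

```python
import ipaddress
import re
from typing import NamedTuple, Optional, Tuple

# Constructed sample in the style of the access rules shown on this page.
SAMPLE_CONFIG = """\
telnet 10.1.1.100 255.255.255.255 inside
telnet 10.1.1.0 255.255.255.0 inside
telnet timeout 5
ssh 10.1.1.100 255.255.255.255 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
"""


class MgmtRule(NamedTuple):
    line_no: int
    protocol: str                            # "telnet" or "ssh"
    source: Optional[ipaddress.IPv4Network]  # None if address/mask is invalid
    interface: str
    issues: Tuple[str, ...]                  # empty tuple: nothing to flag


_IP = r"\d{1,3}(?:\.\d{1,3}){3}"
_RULE_RE = re.compile(rf"^\s*(telnet|ssh)\s+({_IP})\s+({_IP})\s+(\S+)\s*$")


def audit_mgmt_access(config_text, external_ifaces=("outside",), max_hosts=1):
    """Return one MgmtRule per telnet/ssh access rule found in config_text.

    Lines that are not access rules (for example "telnet timeout 5") are
    skipped. max_hosts is the largest source range accepted without comment.
    """
    external = {name.lower() for name in external_ifaces}
    rules = []
    for line_no, line in enumerate(config_text.splitlines(), start=1):
        m = _RULE_RE.match(line)
        if not m:
            continue
        proto, addr, mask, iface = m.groups()
        try:
            source = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        except ValueError:
            # Bad octet or non-contiguous netmask: report rather than guess.
            rules.append(MgmtRule(line_no, proto, None, iface, ("unparseable-source",)))
            continue

        issues = []
        if proto == "telnet":
            issues.append("cleartext-telnet")     # login and session data unencrypted
        if source.prefixlen == 0:
            issues.append("any-source")           # 0.0.0.0 0.0.0.0
        elif source.num_addresses > max_hosts:
            issues.append("broad-source")         # whole subnet, not one host
        if iface.lower() in external:
            issues.append("external-interface")   # management reachable from outside
        rules.append(MgmtRule(line_no, proto, source, iface, tuple(issues)))
    return rules


def report(rules):
    """Format the audit result as one human-readable line per rule."""
    lines = []
    for r in rules:
        status = ", ".join(r.issues) if r.issues else "ok"
        lines.append(f"line {r.line_no}: {r.protocol} {r.source} on {r.interface}: {status}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(audit_mgmt_access(SAMPLE_CONFIG))))
```

Of the sample rules, only the single-host ssh rule on the inside interface comes back without an issue.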
Setting Up Your FortiNet FortiGate Firewall for FirePlotter
Configuring your FortiNet Firewall to talk to FirePlotter is very easy.
Note: it is a "feature" of FortiNet FortiGate firewalls that only the "admin" user login will provide session table information that FirePlotter needs (unless you create in the FortiGate System, Admin, Access Profile with Access Control set User with "Maintenance" as "rw" and "Network" "ro" that is applied to the login credentials you are going to use).
For SSH connections:
To set up the FortiGate for SSH, using the web GUI log in to your FortiGate with admin credentials, then go to System, Network and Edit the interface, then select the SSH and ping tick boxes and click OK. Make a note of the IP address of the interface.
Once SSH is configured on your FortiGate you can test SSH from the PC you are using for FirePlotter. You will need to connect to the firewall using an SSH utility like PuTTY. See http://www.putty.org/
For Telnet connections:
To set up the FortiGate for telnet, using the web GUI log in to your FortiGate with admin credentials, then go to System, Network and Edit the interface, then select the telnet and ping tick boxes and click OK. Make a note of the IP address of the internal interface.
Note: FirePlotter usually will be used to talk to the Internal interface of your firewall, but it can be any interface, although if it is an internet facing interface you may not want to activate telnet for security reasons.
Then test you can reach the firewall from this PC by running a ping test. This is done by opening an MS-DOS box on your PC (by clicking Start, Run and entering "cmd" and pressing enter for Windows 2000/XP, or by pressing the Windows Start button and typing "cmd" in the field that says Start Search in Windows Vista). Then type ping x.x.x.x where x.x.x.x is the IP address of the interface you activated for ping and telnet. If you get a response like:
Reply from 192.168.1.1: bytes=32 time=1ms TTL=255
...then you are ready to test the telnet connection. If you get:
Request timed out. ...then you need to ensure that the PC you are planning on using for FirePlotter is correctly configured to access the firewall. Check IP address, subnet, and default gateway. Further debugging of this problem is beyond the scope of this document. To test the telnet connection from the PC you are using for FirePlotter you must connect to the firewall using the Microsoft Windows Telnet client (standard in Windows/2000/XP, but see Installing Telnet in Windows Vista to get this working for Vista) To test the telnet connection, in the same MS-DOS box that you used for the ping test, type "telnet x.x.x.x" where is the IP address of the interface you activated ping and telnet on and press enter. You will then be prompted for login. Enter admin credentials to confirm that they work. You can expect to see something like this: FG-1000A-GISS-FD login: admin Password: ******** Welcome ! FG-1000A-GISS-FD # If your login works, then you are now ready to use FirePlotter. Tip - FirePlotter can filter the session data it receives from the FortiGate, see Can I filter FortiGate firewall sessions before they are sent to FirePlotter? FirePlotter.ini
We suggest watching the 5 minute FirePlotter.ini Settings video before reading this section.

The fireplotter.ini file can be edited via the Menu Bar option: "File", "Open fireplotter.ini". FirePlotter is installed by default in C:\Documents and Settings\[UserName]\Application Data\FirePlotter in Windows XP, or in C:\Users\[UserName]\AppData\Roaming\FirePlotter in Windows Vista or Windows 7, or in C:\Documents and Settings\[UserName]\Application Data\FirePlotter in Windows 2003 Server.

By reading the in-file documentation you can see how to set up automatic login by setting the IP and login details in the [Connection] section. There is also the ExternalInterfaces setting, which sets for FortiGates which interface is the outside/internet-facing interface (thus determining how FirePlotter shows In-bound & Out-bound sessions). The default is ‘wan1, wan2, external and port2’ so if, for example, your internet side interface is Port1 on your FortiGate, just set ‘ExternalInterfaces=port1’ in the [Connection] section. This setting is not required for Cisco firewalls.

In the [Display] section you can set the default refresh interval and whether name resolution uses Reverse DNS, NetBIOS or Firewall Configuration* (*Cisco only) - for more information on this see DNS or NetBIOS names not resolving?

You can also customise the text that FirePlotter displays in the Service/Destination Port column by modifying or adding to the [Ports] section. In the [Protocols] section you can do the same for the IP Protocol column. In the [Colours] section you can customise FirePlotter to display colours of your choice for the Service/Destination Port. The chosen colours are displayed both in the session list and the graphs.
Colour choices are to be found here: www.fireplotter.com/doc/FirePlotterColours.htm

Default fireplotter.ini file:

; FirePlotter.ini
; Documented for version 2.01
; ***** Please note:
; * Subsequent FirePlotter upgrades may overwrite this INI file so maintain regular backups
; * FirePlotter must be restarted for changes to INI to be used
; * These parameters are only used with a licensed copy of FirePlotter

[Connection]
; Firewall= Firewall type (ASA/PIX, FortiGate). Default ASA/PIX
; IP= Firewall IP address
; Port= TCP port for connection i.e 22 (SSH), 23 (Telnet) or something else. Defaults 22 (ssh)
; Protocol= Protocol for connection i.e. ssh or telnet. Default ssh
; CiscoSSHUsername= Cisco SSH username
; CiscoSSHPassword= Cisco SSH password
; CiscoTelnetUsername= Cisco telnet username
; CiscoTelnetPassword= Cisco telnet password
; CiscoEnableLoginName= Cisco enable login name
; CiscoEnablePassword= Cisco enable password
; FGTLoginName= FortiGate login name
; FGTPassword= FortiGate login password
; SocketTimeout=5 Can be increased in the event of slow connections
; Default 5 seconds.
; Auto-Connect=true True: connect to firewall with ini parameters without waiting for Connect button
; False: need to press Connect button to connect with .ini parameters
; Default false
; Auto-Reconnect=true True: automatically reconnects to firewall in the event of a connection failure
; False: no automatic reconnect is performed
; Default true
; BasicViewMode=false False: FirePlotter shows all service/destination ports.
; True: FirePlotter shows those service/destination ports listed in the [Colours] section below
; Default true
; ExternalInterfaces=wan1 Sets which interface is “outside, internet facing” on a FortiGate only.
; Not required for Cisco firewalls
; Default ASA/PIX ethernet0, FortiGate WAN1, WAN2 and Port1
;Firewall=ASA/PIX
;IP=
;Port=22
;Protocol=SSH
;CiscoSSHUsername=
;CiscoSSHPassword=
;CiscoTelnetUsername=
;CiscoTelnetPassword=
;CiscoEnableLoginName=
;CiscoEnablePassword=
;FGTLoginName=
;FGTPassword=
;Auto-Connect=true

[Display]
; Refresh=5 Screen refresh interval in seconds (1, 5, 10, 15 & 30)
; DNS=6 IP to name lookup (BINARY logic): 1=NetBIOS and Internet reverse DNS, 2=Internet reverse DNS only, 4=firewall configuration (Cisco only) e.g. dns=6 means 2 (Internet reverse DNS) + 4 (firewall configuration)
;DNS=6
; ExcludeConnectionSession Excludes FirePlotter connection session table and utilisation graph Default true

[Data]
; FPRDataLocation= Set path for FPR data storage. The path must exist.
; FPRMaxFileCount= Set number of FirePlotter Record files to keep on a rolling rotation
; Default is 250 and maximum value is 20000 (20,000)
; Set FPRMaxFileCount=0 to keep all data - be aware, can use an enormous amount of disk space!
;FPRDataLocation=c:\Temp\RecordedData
;FPRMaxFileCount=250

[Ports]
; <port no>=<text> Association of text to destination port numbers
8=Ping Req (8),Ping
20=FTP Data (20),File Transfer (FTP)
21=FTP Cmd (21),File Transfer (FTP)
22=SSH (22)
23=Telnet (23),Telnet
25=SMTP (25),Email (SMTP)
42=WINS (42)
53=DNS (53),Domain Name Service (DNS)
57=Terminal (57)
67=DHCP (67)
69=TFTP (69)
80=HTTP (80),Web Browsing (HTTP)
88=Kerberos (88)
110=POP3 (110),Email (POP3)
111=SunRPC (111)
119=NNTP (119)
123=NTP (123)
135=MS-RPC (135)
137=NB-NS (137)
138=NB-DGM (138)
139=NB-SSN (139)
143=IMAP (143)
158=PCMail Srv (158)
161=SNMP (161),Network Management (SNMP)
162=SNMPTrap (162)
397=MPTN (397)
389=LDAP (389)
443=HTTPS (443),Secure Web Browsing (HTTPS)
445=MS-DS (445)
449=ASSrvMap (449)
465=SMTPS (465)
500=ISAKMP (500)
514=SysLog (514)
554=RTSP (554)
563=NNTPS (563)
636=LDAPs (636)
691=ExchRout (691)
740=NETCP (740)
873=Rsync (873)
989=FTPS Data (989)
990=FTPS Cmd (990)
993=IMAPS (993)
995=POP3S (995)
1023=Reserved (1023)
1100=Double-Take (1100)
1433=SQL (1433)
1494=ICA (1494)
1604=ICABrowser (1604)
1723=PPTP (1723)
1800=ANSYS-LM (1800)
1812=RADIUS (1812)
1863=MSNP (1863)
1935=Flash CS (1935)
2049=NFS (2049)
3052=APC (3052)
3389=RDP (3389),Remote Desktop (RDP)
4500=IPSec NAT-T (4500)
4899=RAdmin (4899)
5190=AOL (5190)
5566=IP Phone (5566)
6002=x11 (6002)
6129=Dameware (6129)
6130=Dameware (6130)
8080=HTTP Alt (8080)
8194=Bloomberg (8194)
8888=FDN (8888)

[Protocols]
; <protocol no>=<text> Association of text to IP protocol numbers
1=ICMP (1)
2=IGMP (2)
6=TCP (6)
17=UDP (17)
47=GRE/PPTP (47)
50=ESP (50)
89=OSPF (89)

[Colours]
; <port>,<IP protocol>=<colour name> see www.fireplotter.com/doc/FirePlotterColours.htm
; Coloured protocol list below is used when BasicViewMode=true (default)
0,0=Cyan
8,1=LightSalmon
21,6=Burlywood
25,6=Tomato
53,17=LightSkyBlue
80,6=SpringGreen
110,6=LightPink
443,6=Gold
3389,6=yellowgreen

FirePlotter Licensing

Once FirePlotter is running, to see your current licensing status for FirePlotter, go to the Menu Bar and select "Help", "About FirePlotter".

FirePlotter can be downloaded and used right away, without any licensing being applied, in "Watch only" mode with the powerful Summary, Sort, Filter, Advanced View Mode, Zoom and Replay features disabled. "Watch only" mode does provide an excellent overview of your firewall's sessions and bandwidth usage in real-time. We do recommend that you request a 14-day license so you can experience FirePlotter with Summary, Sort, Filter, Zoom and Replay features enabled. See Free vs. Licensed Mode Comparison Chart for more information.

Concurrent Usage

A purchased License includes a concurrent usage count which limits the total number of copies of FirePlotter allowed to be installed within an organisation. Example: one concurrent licensed copy means only one machine can have FirePlotter installed. To see the FirePlotter End User License Agreement (EULA) - please click here

FirePlotter Licensing Classes

FirePlotter Class 1 license for SMB Firewall - 1 Year
With this FirePlotter license (Class 1) a single user can connect FirePlotter to any single Cisco PIX 501, 506E, or ASA 5505 or FortiGate 50 through to 100A models.
FirePlotter Class 2 license for Enterprise Firewall - 1 Year
With this FirePlotter license (includes Class 1 & 2) a single user can connect FirePlotter to any single Class 1 firewall, or any single Cisco PIX 515/515E/520, or ASA 5510/5520 or FortiGate 110C through to 400A models.
FirePlotter Class 3 license for High End Firewall - 1 Year
With this FirePlotter license (includes Class 1, 2 & 3) a single user can connect FirePlotter to any single Class 1 & 2 firewall or to any single Cisco PIX 525/525E, 535 or ASA 5530/40/50, FWSM or FortiGate 500 models upwards.

For information on how to view your current FirePlotter license class - see FirePlotter Licensing. See Buy FirePlotter for pricing.

Troubleshooting
TCP/IP Connection to host <IP address> failed (Check IP address and Telnet enabled) - Error Message?
Username/Password Error - Error Message?
Why are options disabled or greyed out?
How can I assign host names to IP addresses?
DNS or NetBIOS names not resolving?
What commands does FirePlotter send to my firewall?
Why does FirePlotter cause my ASA/PIX firewall to run at 99% CPU utilization?
Why does FirePlotter generate queries to outside hosts on UDP port 137?
Suspicious traffic from a device/PC?
Installing Telnet in Windows Vista?
What permanent files does FirePlotter install and use and where are they?
Why can I not see connections "to" my Cisco Firewall e.g. my SSH or VPN sessions?
FirePlotter does not show any inbound stats on my Cisco Firewall?
FirePlotter does not show any data from my FortiGate Firewall?
How do I reset FirePlotter windows size and position?
How do I use FirePlotter to find out who or what is using my bandwidth?
How do I use FirePlotter to detect which PCs are infected by the Conficker virus?
Does FirePlotter work on an Apple Mac?
Can I filter FortiGate firewall sessions before they are sent to FirePlotter?
What can I do if I get Unexpected Cisco User Prompt warning message?
What can I do if I get a SSH Login Error in my FortiGate Event Log?
FirePlotter Error Messages
FirePlotter Other Messages
Which Cisco ASA/PIX models are supported by FirePlotter?
Which FortiNet FortiGate models are supported by FirePlotter?
Further Help

TCP/IP Connection to host <IP address> failed (Check IP address and Telnet enabled) - Error Message

If FirePlotter cannot make a connection to your firewall once the Connect button has been pushed, then this error is displayed.

To test the telnet connection, open an MS-DOS box (Start, Run, and type cmd [Enter]) and in the MS-DOS window type "telnet x.x.x.x" where x.x.x.x is the IP address of the interface you activated ping and telnet on and press enter. You will then be prompted for login. Enter admin credentials to confirm that they work. If they do, then you are now ready to use FirePlotter. If not then see Setting Up Your Cisco ASA/PIX Firewall for FirePlotter or Setting Up Your FortiNet FortiGate Firewall for FirePlotter. If you are running Microsoft Vista and do not have telnet installed see Installing Telnet in Windows Vista.

Username/Password Error - Error Message?

If FirePlotter is not provided with correct login credentials for the firewall then this error message will be displayed. Check you have typed the correct telnet login (and for Cisco "enable") credentials. Also check Caps Lock is not active on your keyboard! If necessary use telnet to test the login credentials by opening an MS-DOS box (Start, Run, and type cmd [Enter]) and in the MS-DOS window type "telnet x.x.x.x" where x.x.x.x is the IP address of the interface you activated ping and telnet on and press enter. You will then be prompted for login. Enter admin credentials to confirm that they work. If you are running Microsoft Vista and do not have telnet installed see Installing Telnet in Windows Vista.

Why are options disabled or greyed out?

If you do not have a license for FirePlotter then it defaults to Free Mode (Watch Only) which only enables real-time monitoring and disables (amongst other features) the ability to Zoom into session details.
If you haven't already, you can request your FREE 14-day FirePlotter License here: Request 14-Day License to evaluate fully functional FirePlotter. So, for example, the Zoom feature in "Licensed" or "Evaluation" mode means you can drill down into a "..." entry in a session table entry to get more information about which IP addresses are creating sessions. Other features such as Summary Options, Default View, Refresh now, Refresh Interval, Pause, Play, FirePlotter.ini settings, Right Mouse Click and other capabilities are all enabled in "Licensed" or "Evaluation" mode.
See Free vs. Licensed Mode Comparison Chart or FirePlotter Licensing for more information.

How can I assign host names to IP addresses?

You can edit the C:\Windows\System32\drivers\etc\Hosts file (or equivalent) on the FirePlotter PC to resolve IP addresses to the names you want to see in FirePlotter, or you can configure your internal DNS server (if you have one) to set the names.

Here is a sample of the Hosts file:

# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host

# localhost name resolution is handled within DNS itself.
# 127.0.0.1 localhost
# ::1 localhost

192.168.1.99 Firewall
192.168.1.10 Email Server
192.168.1.101 Sam Smith
192.168.1.102 Jane Jones

See next section (DNS or NetBIOS names not resolving?) for more information about name resolution.

DNS or NetBIOS names not resolving?

Wherever possible FirePlotter will resolve IP addresses to Fully Qualified Domain Names (FQDNs) or NetBIOS Names. When an IP address is displayed in brackets e.g. (192.168.1.1) - this indicates that FirePlotter is still attempting to resolve a name to the IP address.
Check your fireplotter.ini file settings:
[Display]
; DNS=6 IP to name lookup (BINARY logic): where 1=NetBIOS and Internet reverse DNS, 2=Internet reverse DNS only, 4=firewall configuration (Cisco only) e.g. dns=6 means 2 (Internet reverse DNS) + 4 (firewall configuration)
DNS:
Ensure DNS servers are configured and reachable by your FirePlotter PC. In an MS-DOS box type "ipconfig /all". Check DNS servers are set - if not, configure via Network Settings. If set, check the DNS server addresses are ping-able.
NetBIOS:
You can test an individual PC NetBIOS name lookup by running the "nbtstat -a x.x.x.x" command in an MS-DOS window on the FirePlotter PC, where x.x.x.x is the IP address of the PC you want a name for. Sometimes PCs with firewalls, or multiple IP addresses, do not respond to the query.
You could edit your hosts file on the FirePlotter PC (C:\Windows\System32\drivers\etc\Hosts) to resolve IP addresses to the names you want to set, or you can configure your DNS server to set the names.
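The following script is an added example, not part of FirePlotter or its documentation. It audits a fireplotter.ini for settings this page documents: Protocol=telnet, passwords saved in [Connection], the DNS bit that turns on NetBIOS lookups (sent over UDP/137 to every IP address, including ones outside the firewall), and a leftover LogLevel=255. The sample INI is constructed, and the function names and finding codes are assumptions of this example.

```python
import configparser

# Constructed sample, not a real configuration. Key names are the ones this
# page documents; every value is a placeholder.
SAMPLE_INI = """\
; FirePlotter.ini
[Connection]
Firewall=FortiGate
IP=192.168.1.99
Port=23
Protocol=telnet
FGTLoginName=admin
FGTPassword=example-password
Auto-Connect=true
LogLevel=255

[Display]
Refresh=5
dns=7
"""

# Password keys of the [Connection] section, lower-cased because configparser
# lower-cases option names (the page itself writes both DNS= and dns=).
PASSWORD_KEYS = ("ciscosshpassword", "ciscotelnetpassword",
                 "ciscoenablepassword", "fgtpassword")

# Bit values of the [Display] DNS setting, as given in the INI comments.
DNS_BITS = {
    1: "NetBIOS and Internet reverse DNS",
    2: "Internet reverse DNS only",
    4: "firewall configuration (Cisco only)",
}


def decode_dns(value):
    """Return the lookup methods a DNS= bit field enables, lowest bit first."""
    return [name for bit, name in sorted(DNS_BITS.items()) if value & bit]


def _section(cp, name):
    """Find a section by case-insensitive name; empty dict if it is absent."""
    for sec in cp.sections():
        if sec.lower() == name:
            return cp[sec]
    return {}


def audit(ini_text):
    """Return (code, detail) findings for the text of one fireplotter.ini."""
    cp = configparser.ConfigParser(
        delimiters=("=",),        # path values such as FPRDataLocation contain ':'
        comment_prefixes=(";",),  # the file uses ';' comments
        interpolation=None,       # a password may contain '%'
        strict=False,             # tolerate duplicate keys in hand-edited files
    )
    cp.read_string(ini_text)
    findings = []
    conn = _section(cp, "connection")

    # Protocol defaults to ssh according to the INI comments.
    if conn.get("protocol", "ssh").strip().lower() == "telnet":
        findings.append(("telnet",
                         "Protocol=telnet sends the login and session table unencrypted"))

    for key in PASSWORD_KEYS:
        if conn.get(key, "").strip():
            findings.append(("stored-credential",
                             key + " is saved in the INI file; restrict who can read it"))

    raw_dns = _section(cp, "display").get("dns")
    if raw_dns is not None:
        try:
            dns = int(raw_dns.strip())
        except ValueError:
            findings.append(("invalid-dns", "DNS=" + raw_dns + " is not a number"))
        else:
            if dns & 1:
                findings.append(("netbios-lookups",
                                 "DNS bit 1 is set: UDP/137 lookups go to every IP, "
                                 "including addresses outside the firewall"))

    # The support section asks for LogLevel=255 only while reproducing a problem.
    for sec in cp.sections():
        if cp[sec].get("loglevel", "").strip() == "255":
            findings.append(("debug-logging",
                             "LogLevel=255 in [" + sec + "] is still enabled"))
    return findings


if __name__ == "__main__":
    for code, detail in audit(SAMPLE_INI):
        print(code + ": " + detail)
    print("DNS=6 enables:", decode_dns(6))
```

A DNS value with bit 1 clear (for example DNS=6) produces no NetBIOS finding, which matches the page's recommendation to keep UDP/137 lookups from leaving the internal network.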
Note: When NetBIOS name resolution is turned on, FirePlotter attempts to resolve *ALL* IP addresses this way. This means that NetBIOS (UDP/137) lookups are sent to IP addresses outside of your firewall. We would recommend a firewall policy rule that blocks/denies UDP Port 137 from your internal network to the internet, to prevent these packets going out to the internet.

What commands does FirePlotter send to my firewall?

FirePlotter typically sends the following commands to a firewall using SSH or telnet to extract the session table data (exact commands and frequency may vary according to software/firmware version):

Cisco ASA/PIX CLI commands from enable prompt:
terminal pager 0
show version
show config
show conn all (or sh con all, or show connections all)

FortiNet FortiGate CLI commands from admin login prompt:
config vdom
edit route
get system status
diag sys session ttl
diag sys session list
diag netlink interface list

Why does FirePlotter cause my ASA/PIX firewall to run at 99% CPU utilization?

If you are running ASA/PIX version 7 then you will need to upgrade to version 7.23 to avoid this problem. There is a bug in ASA/PIX version 7.22 that causes the firewall to run to 99% CPU utilization when a telnet (or SSH) session requests large quantities of data (which it does frequently).

Why does FirePlotter generate queries to outside hosts on UDP port 137?

FirePlotter performs a rDNS and NetBIOS (UDP/137) lookup of the IP addresses, some of which will be to outside hosts. If the IP addresses are resolvable (nameable) then they are displayed alongside the individual IP address in the Source IP and Destination IP columns of the Session Table. See Session Table Section for more information.
Note: When NetBIOS name resolution is turned on, FirePlotter attempts to resolve ALL IP addresses this way. This means that NetBIOS (UDP/137) lookups are sent to IP addresses outside of your firewall. We would recommend a firewall policy rule that blocks/denies UDP Port 137 from your internal network to the internet.

Suspicious traffic from a device/PC?

On the PC with the suspicious application, use "netstat -o -a" to find the process ID of the application generating the traffic (check source port), and then use Task Manager to find that Process ID (in Task Manager go to View, select Columns to ensure PID is selected and so displayed).

Installing Telnet in Windows Vista?

To install telnet in Windows Vista go to Start, Control Panel, Programs, Program and Features, Turn Windows features on or off (left side of screen), tick Telnet Client and then press OK.

What files does FirePlotter install and use and where are they?

The following are all the FirePlotter files (permanent and temporary).

These files are installed during installation in c:\Program Files\FirePlotter (or chosen location):

FirePlotter.exe [Main application]
License.rtf [End User license agreement]
FirePlotter.lnk [Windows shortcut to FirePlotter website home page]
FirePlotterBuy.lnk [Windows shortcut to FirePlotter website product purchase page]
FirePlotterOnlineHelp.lnk [Windows shortcut to FirePlotter website online help page]
FP-Ping.bat [Batch file for Ping on Right Mouse Click]
FP-Tracert.bat [Batch file for traceroute on Right Mouse Click]
wodSSH.dll [Dynamic Link Library for SSH and Telnet communications]

In C:\Documents and Settings\[UserName]\Application Data\FirePlotter in Windows XP, or in C:\Users\[UserName]\AppData\Roaming\FirePlotter in Windows Vista or Windows 7, or in C:\Documents and Settings\[UserName]\Application Data\FirePlotter in Windows 2003 Server, these files are installed:

FirePlotter.ini [Configuration parameters]
FirePlotterDebug.txt [FirePlotter debug file that records FirePlotter's initialisation and operational information]
fireplotter.lic [FirePlotter license file] - note this file must be placed in this directory manually (either a 14-day Evaluation License or a Purchased Annual License).
Log files are created and updated each time FirePlotter is run in this same directory:
Temporary files are created as part of FirePlotter's normal operation for Cisco and FortiGate firewalls. The FirePlotter Process ID is used in the file name to allow multiple concurrent copies of FirePlotter to be running on the same machine if the necessary "Concurrent" license has been purchased.

Cisco:
<ProcessID>PIXVersion.txt [System information i.e. Model, serial number etc]
<ProcessID>PIXConfig.txt [Configuration information]
<ProcessID>PIXConnection.txt [Session/Connection table]

FortiGate:
<ProcessID>UnitSystem.txt [System information i.e. Model, serial number etc]
<ProcessID>UnitInterface.txt [Interface list i.e. what network connections the firewall has]
<ProcessID>UnitTTL.txt [Non default Time-To-Live values]
<ProcessID>UnitSession.txt [Session/Connection table]

Also, in this directory the Recorded Data directory is created, under which all folders are created for firewall, date, and hour (e.g. C:\Users\[UserName]\AppData\Roaming\FirePlotter\RecordedData\192.168.68.90 demo-cisco-firewall\09-06-28\18-hour\) that contain all the .fpr files (e.g. 090628-182909.fpr).

Why can I not see connections "to" my Cisco Firewall e.g. my SSH or VPN sessions?

Cisco does not provide session data about sessions directly connected to Cisco ASA/PIX interfaces. This includes protocols such as: Telnet, SSH, SNMP, ping, IPSEC VPN, ISAKMP, NAT-T and HTTPS. Note that FirePlotter will display the traffic that passes *through* the VPN.

FirePlotter does not show any inbound stats on my Cisco Firewall?

When FirePlotter gets session data from a Cisco firewall, the displayed statistics are related to the "direction of initiation". So if a session is outbound initiated (inside to out), for example a session visiting a website, and that session then downloads a file using HTTP, the download will be displayed in FirePlotter as outbound HTTP byte counts. The data is displayed in this way as this is how Cisco chooses to provide it. So it follows that inbound stats will only show if sessions have been initiated from the outside in.

FirePlotter does not show any data from my FortiGate Firewall?

If FirePlotter has successfully connected and authenticated to a FortiGate firewall, sometimes the credentials that have been used to log in do not have sufficient rights to access the session data needed for FirePlotter to work. Note that only the default admin account, or equivalent, has sufficient rights for FirePlotter to operate correctly.

How do I reset FirePlotter windows size and position?

If you run into a window resize problem then, using regedit.exe, delete: HKEY_CURRENT_USER\Software\GISS-UK.com\FirePlotter\FP-WindowPosition.

How do I use FirePlotter to find out who or what is using my bandwidth?

See Understanding Zoom In, Active Filters and Summary Filters to easily track down which device all those sessions are coming from!

How do I use FirePlotter to detect which PCs are infected by the Conficker virus?

See Understanding Zoom In, Active Filters and Summary Filters to help you detect the Conficker virus that uses SMB TCP Port 445 (conflicker).

Does FirePlotter work on an Apple Mac?

Yes - FirePlotter will work on an iMac running Parallels with Microsoft Vista and XP. We have also had some success with using FirePlotter with Crossover for Mac.

Can I filter FortiGate firewall sessions before they are sent to FirePlotter?

The answer is "Yes". When FirePlotter is connected to a FortiGate firewall, you can use a hidden SessionFilter setting in the fireplotter.ini [Connection] section to reduce the number of sessions that FirePlotter receives from the firewall. For example:

SessionFilter=diagnose sys session filter src 192.168.1.18

Filter options:
clear (clear session filter)
dport (destination port)
dst (destination ip address)
expire (expire)
negate (inverse filter)
policy (policy id)
proto (protocol number)
sport (source port)
src (source ip address)
vd (index of virtual domain). -1 matches all

Note that at this time FirePlotter can only send a single session filter command to the FortiGate.

What can I do if I get Unexpected Cisco User Prompt warning message?

If FirePlotter is having difficulty connecting or auto-reconnecting to a Cisco firewall, resulting in a fireplotterdebug.txt message "Unexpected Cisco User Prompt", then we recommend increasing the SocketTimeout setting in fireplotter.ini [Connection] from the default 5 seconds to 10 seconds:

SocketTimeout=10

What can I do if I get a SSH Login Error in my FortiGate Event Log?

If FirePlotter is connecting to a FortiGate firewall running v3.00 Build 731 (MR7 Patch1) then when FirePlotter connects using SSH the FortiGate may generate an SSH login error (Event Log message). This is a bug in the FortiGate firmware that was introduced in v3.00 MR7 Patch1, and is fixed in Build 733 (MR7 Patch2). To fix this error upgrade your FortiGate's firmware.
FirePlotter Error Messages (Help Codes)
Help Code: 0x1011 - Establishment of Connection Error
This error occurs if FirePlotter cannot connect to the firewall or if too many login attempt failures (incorrect credentials) have caused the firewall to refuse connections.
Check you can ping the firewall and that a telnet/SSH connection is available. See Setting Up Your Cisco ASA/PIX Firewall for FirePlotter or Setting Up Your FortiNet FortiGate Firewall for FirePlotter for further help.
Help Code: 0x1021 - FortiGate Telnet Authentication Failure Error
This error occurs if FirePlotter fails to authenticate to a FortiGate Firewall.
Check you are using/typing the correct login credentials. See Setting Up Your FortiNet FortiGate Firewall for FirePlotter for further help.
Help Code: 0x1022 - FortiGate Connection Lost Error
This error occurs if FirePlotter loses connection with a FortiGate firewall it has already successfully connected to.
A documented parameter in FirePlotter.ini file may fix timeout problems on a poor quality connection. The default timeout is 5 seconds. This can be adjusted by adding “SocketTimeout=<timeout>” to the [Connection] section of FirePlotter.ini.
Help Code: 0x1031 - Cisco Connection Lost Error
This error occurs if FirePlotter loses connection with a Cisco firewall it has already successfully connected to.
An undocumented parameter in FirePlotter.ini file may fix timeout problems on a poor quality connection. The default timeout is 200 hundredths of a second (2 seconds). This can be adjusted by adding “SocketTimeout=<timeout>” to the [Connection] section of FirePlotter.ini.
Help Code: 0x1032 - Cisco Telnet Authentication Failure Error
This error occurs if FirePlotter fails to authenticate to a Cisco Firewall. Check you are using/typing the correct login credentials. See Setting Up Your Cisco ASA/PIX Firewall for FirePlotter for further help.
Help Code: 0x1033 - Cisco Enable Authentication Failure Error
This error occurs if FirePlotter fails to switch to 'enable' mode on a Cisco Firewall. Check you are using/typing the correct 'enable' credentials. See Setting Up Your Cisco ASA/PIX Firewall for FirePlotter for further help.
Help Code: 0x1035 - SSH Authentication Failure Error
This error occurs if FirePlotter fails to authenticate to a Firewall.
Check you are using/typing the correct login credentials. See Setting Up SSH on Your Firewall for FirePlotter for further help.
Help Code: 0x1036 - Critical file is missing - program aborted
This error occurs if a critical file is missing from the installation. Please re-install FirePlotter remembering to backup your FirePlotter.ini if any user modifications have been made.
FirePlotter Other Messages

This version of FirePlotter.EXE has intentionally expired. Please download the latest version from http://www.fireplotter.com/

Each version of the Fireplotter.EXE program is timed to expire 1 year from the date it was created. This way we can ensure users always have the best version of FirePlotter available. If you see this message this does not affect your annual FirePlotter licensing. All you need to do is download and install the latest version of FirePlotter from our website.

Which Cisco ASA/PIX models are supported by FirePlotter?

The following Cisco ASA/PIX models are supported: PIX-501, PIX-506, PIX-506E, PIX-510, PIX-515, PIX-515E, PIX-520, PIX-525, PIX-535, ASA-5505, ASA-5510, ASA-5520, ASA-5530, ASA-5540, ASA-5550, ASA-5560, FWSM Firewall Version 3.1(7), FWSM Firewall Version 3.1(8)

Which FortiNet FortiGate models are supported by FirePlotter?

The following FortiNet FortiGate models are supported: FG-30B/FortiGate-30B, FW-30B/FortiWifi-30B, FG-50A/FortiGate-50A, FG-50B/FortiGate-50B, FG-51B/FortiGate-51B, FG-51B-LENC/FortiGate-51B-LENC, FW-50B/FortiWiFi-50B, FG-60/FortiGate-60, FG-60B/FortiGate-60B, FG-60C/FortiGate-60C, FW-60/FortiWifi-60, FW-60A/FortiWiFi-60A, FW-60AM/FortiWiFi-60A, FW-60B/FortiWiFi-60B, FG-80C/FortiGate-80C, FG-80CM/FortiGate-80CM, FW-80CM/FortiWifi-80CM, FG-82C/FortiGate-82C, FG-100/FortiGate-100, FG-100A/FortiGate-100, FG-110C/FortiGate-110C, FG-111C/FortiGate-111C, FG-200/FortiGate-200, FG-200A/FortiGate-200A, FG-200A-HD/FortiGate-200A-HD, FG-200B/FortiGate-200B, FG-224B/FortiGate-224B, FG-300/FortiGate-300, FG-300A/FortiGate-300A, FG-300A-HD/FortiGate-300A-HD, FG-310B/FortiGate-310B, FG-310B-DC/FortiGate-310B-DC, FG-311B/FortiGate-311B, FG-400/FortiGate-400, FG-400A/FortiGate-400A, FG-400A-HD/FortiGate-400A-HD, FG-500A/FortiGate-500A, FG-500A-HD/FortiGate-500A-HD, FG-620B/FortiGate-620B, FG-620B-DC/FortiGate-620B-DC, FG-800/FortiGate-800, FG-800F/FortiGate-800F, FG-1000/FortiGate-1000, FG-1000A/FortiGate-1000A, FG-1000A-LENC/FortiGate-1000A-LENC, FG-1000AFA2/FortiGate-1000AFA2, FG-1240B/FortiGate-1240B, FG-3000/FortiGate-3000, FG-3016B/FortiGate-3016B, FG-3600/FortiGate-3600, FG-3600LX2/FortiGate-3600LX2, FG-3600LX4/FortiGate-3600LX4, FG-3600A/FortiGate-3600A, FG-3810A-E4/FortiGate-3810A-E4, FG-5001/FortiGate-5001, FG-5001FA2/FortiGate-5001FA2, FG-5002FA2/FortiGate-5002FA2, FG-5002FBb2/FortiGate-5002FB2, FG-5005FA2/FortiGate-5005FA2

Further Help
If you have a support question that has not been answered by this document then please send us a FirePlotter Support Request
To assist in resolving any technical issues, please include the following information in your email*:
1) A description of the problem, if possible including a screenshot of the problem.
2) The PC Operating System (Vista, XP, 2003, W2K etc) you are running?
3) Make, Model and Firmware/OS Version of firewall?
4) The version of FirePlotter you are running? (in Help, About)
5) Are you using SSH or Telnet?
6) Are you able to successfully log in to your firewall using a SSH or Telnet client?
7) When you test FirePlotter on a different PC, do you experience the same problem?
8) Is FirePlotter local to the firewall or being used over a remote link/VPN?
9) Detailed logging data for the problem. Please edit your C:\Program Files\FirePlotter\FirePlotter.ini file, and in the [Connections] section add the line "LogLevel=255" and save the file. Then re-create the problem, press Pause between refresh cycles and then please attach to your email to us a (zipped) copy of all the *.txt files in the FirePlotter data folder*. Please note LogLevel=255 significantly reduces FirePlotter performance, so we recommend the line is removed once the technical issue is resolved.
10) What is a typical number of sessions that pass through the firewall?
*Any confidential information (e.g. IP addresses) use Search & Replace to change to X.

If you have an upgrade question that has not been answered by this document then please send us a FirePlotter Support Request with the Subject header starting with UPGRADE:
If you have an enhancement request that has not been identified in our FirePlotter Roadmap, then please send us a FirePlotter Support Request with the subject header starting with ROADMAP: If you want to recommend a number of enhancements you would like to see - then please prioritise your list so we will know which is most important to you.