Online Help

How to Quick Search Online Help


Quick Start Guide
Demonstration/Training Video (Recommended!)
Upgrades
Troubleshooting


Cisco
Setting Up Your Cisco ASA Firewall for FirePlotter
Enable Options for Cisco ASA Firewall for FirePlotter
Understanding FirePlotter and Cisco ASA Firewall (Recommended!)


FortiNet
Setting Up Your FortiNet FortiGate Firewall for FirePlotter


FirePlotter Controls & Views
Menu Bar
File=>Open Recorded Data
FirePlotter Replay (Recommended!)
FirePlotter Replay and Multiple Users (Recommended!)
File=>Export Session Table
File=>Open fireplotter.ini
FirePlotter.ini
File=>Open fireplotterdebug.txt


File=>Global Settings
File=>Global Settings=>Default Profile
File=>Global Settings=>Address Resolution
File=>Global Settings=>Recording
Managing Disk Space
File=>Global Settings=>Cisco Direct Connection
File=>Global Settings=>Monitoring Connection
File=>Global Settings=>Do Not Show Message
File=>Global Settings=>Check for Updates
File=>Global Settings=>FortiGate Settings
File=>Global Settings=>Export
File=>Global Settings=>Cumulative Totals
File=>Global Settings=>Email Notification
File=>Global Settings=>Graph Scale
File=>Global Settings=>Startup Password

View Modes: Basic & Advanced and Trace Line (Recommended!)
View=>Mode=>Basic
View=>Mode=>Advanced
Understanding Zoom In, Active Filters and Summary Filters
How to "find" an IP address in FirePlotter


Connection Bar
Managing Connection Profiles (Recommended!)
Connections=>Connection Profile Editor
Download Filters (Recommended!)


Session Table Control Bar
Managing Session Filter Profiles
Filters=>Session Filter Profile Editor
Filters=>Edit Active Filter


Managing Alert Profiles (Recommended!)
Alerts=>Alert Profile Editor


Session Table Section
Focus Control Bar
Graphical Bandwidth Plotting Section
Status Bar


Licensing
Free Mode vs. Licensed Mode
FirePlotter Licensing Renewals
Concurrent Usage
FirePlotter Licensing Classes
FirePlotter Licensing Rules
Installing FirePlotter License File


Moving FirePlotter to Another PC
Error Messages (Help Codes)
FirePlotter Hidden Registry Settings


*Note - Screenshots used in some examples and videos may vary slightly from currently released version.



FirePlotter Demonstration/Training Videos

Click on the links below to watch either the "Instant" or the "Full" FirePlotter Demonstration/Training Video.

You can also click directly on an individual subject of your choice (1-6). We recommend all of them!

Instant FirePlotter Demonstration (Flash not required!)
Full FirePlotter Demonstration/Training Video

These same videos are also available on YouTube (in HD):

1) Introduction to FirePlotter
2) Connect and Record
3) Basic And Advanced View Modes and Trace Line
4) Zoom and Filters
5) Replay
6) Right Mouse Click



Tip - How to Quick Search this Help Page

Did you know that in any web page (on all websites) you can press [CTRL-F] at any time and a Find Window like this will open?



You can use [CTRL-F] to search this Online Help page. Simply press [CTRL-F] and then type in the text you are searching for. Use the Previous and Next buttons to move through the page. Press the red X in the top right of the Find Window to close it.



Quick Start Guide

FirePlotter is easy to get going and use.

You can watch the Introduction to FirePlotter and Connect and Record videos to learn more.

FirePlotter supports Microsoft Windows 10/8.1/8/7 platforms. FirePlotter also works on Microsoft Windows Server 2003/2008/2012/2016 as a single user (multiple user accounts are not officially supported).

FirePlotter does not run as a "service".

FirePlotter supports all Cisco ASA Firewalls (v6.x, v7.23, and 8.x and above) and FortiNet FortiGate Firewalls (v2.8, v3.0, v4.0 and v5.0).

FirePlotter uses an SSH (secure shell) or telnet session to the firewall to get the firewall's real-time session information. So all you need to do to get FirePlotter working is make sure you can connect and log in to the firewall using SSH or telnet with full administrator rights. For a Cisco firewall this means you must know the enable password. If you need to know more on how to do this then see the "Setting Up" sections (Cisco/FortiNet) below.

FirePlotter quickly answers questions like "Who is using my bandwidth?", "What is using my bandwidth?", "Who is eating my bandwidth?" or "What is eating my bandwidth?".

The first time FirePlotter is run you will see this warning message:

FirePlotter Free Mode (Watch only) active as no valid license found! Please click here to request a 14-day FirePlotter evaluation license. Click here to purchase a 1-year FirePlotter full license. Click "Continue" to launch FirePlotter in Free Mode (Watch only). Use Help -> Licence Manager to Add a new license.

If you have not already downloaded a 14-day evaluation license or purchased a license then go to www.fireplotter.com/Eval.htm to do so. Then when you have received your license file via email you can click on "Continue".

Activate your license by going to the License Manager:

Then add in your license file using the License Manager Add Button:

Then close the License Manager and Exit and then reload FirePlotter.

To connect FirePlotter using "Quick Connect" all you need is:

  • The IP address of the Cisco or FortiNet firewall
  • To be able to login to the firewall using SSH or Telnet protocol
  • Working SSH or telnet login credentials with admin/enable rights*

*for FortiNet this must be the "admin" username (or a user with Maintenance RW, Network Configuration and Data Access RO Access Control) and for Cisco firewalls you must be able to login all the way to the enable prompt.

Tip - Please note we generally recommend using SSH rather than telnet to connect FirePlotter to your firewall. SSH provides an encrypted connection, so the firewall session data transmitted between the firewall and FirePlotter cannot be sniffed in transit, whereas telnet sends that data (and your login credentials) in clear text. Also, if you are connecting to a Cisco ASA, SSH is better optimised for performance on these platforms than telnet.

Enter this data into FirePlotter fields as in the screenshot below and press Connect and you are away into the wonderful world of finally seeing what is really happening on your internet connection(s)!

Here you can select Cisco ASA or FortiNet FortiGate firewall type

As soon as you are connected to your firewall, FirePlotter starts recording. The recorded data is saved in the FirePlotter Recorded Data folder and is accessible (and replayable) from the File, Open Recorded Data menu option. See FirePlotter Replay for more info.

FirePlotter will also ask if you would like to save the connection settings you have entered in a Connection Profile. See Managing Connection Profiles.

After a few minutes, FirePlotter will also give you an indication of how much disk space FirePlotter's .fpr files will be using if run over long time periods (24 hours). When you exit FirePlotter, you will be given the option of deleting recorded data. See Managing Disk Space.

When you are ready to explore further we recommend you go to FirePlotter Controls & Views.



Upgrades

If you are upgrading your version of FirePlotter, you can install the new version over the previous version.

FirePlotter licenses already installed are maintained during the upgrade. Licenses do not need to be re-installed.

The FirePlotter settings are stored in the registry and so are retained during the upgrade process, except those settings in fireplotter.ini.

C:\Users\[User]\AppData\Roaming\fireplotter.ini settings are not maintained through upgrades, so if you have previously changed fireplotter.ini settings (Connection Settings, Destination Port/Service Naming, Protocol Naming, Colour Settings), then we recommend you take a backup of your fireplotter.ini before upgrading and restore the backup file once the upgrade is complete.



Cisco

Also see: Understanding FirePlotter and Cisco ASA Firewall

Setting Up Your Cisco ASA Firewall for FirePlotter

We always recommend that the SSH protocol is used to connect FirePlotter to your ASA (rather than telnet protocol).

We have found that telnet can experience occasional data corruption that can create a problem for FirePlotter. In the event that FirePlotter experiences any problems working with your firewall, then we will always ask you to switch to SSH to see if that resolves the issue.

Also, because SSH is an encrypted communication protocol, it is inherently more secure than clear-text telnet.

Note - FirePlotter does not support Cisco Routers (IOS) - FirePlotter only supports Cisco ASA firewalls.


For SSH connections:

If you wish to allow FirePlotter to make an SSH connection to a Cisco ASA you need to configure your ASA for Secure Shell (SSH) connections.

For more information on configuring SSH on a Cisco Firewall see:

Configuring PIX 6.x to Accept SSH Connections
Configuring ASA 7.x and above to Accept SSH Connections

More information on configuring SSH on a Cisco Firewall is available here from Cisco:
http://www.cisco.com/en/US/docs/security/asa/asa81/command/ref/s8.html#wp1375161

Once SSH is configured on your Cisco ASA you can test SSH from the PC you are using for FirePlotter. To test the ssh connection, run a copy of PuTTY (PuTTY can be downloaded at www.chiark.greenend.org.uk/~sgtatham/putty/download.html ) and use it to test the SSH connection.


For Telnet connections:

If you wish to allow FirePlotter to telnet to a Cisco ASA, you need to configure which hosts are allowed in. To allow a single host to telnet in via the inside interface:

telnet 10.1.1.100 255.255.255.255 inside

To allow any PC on subnet 10.1.1.0 /24 to telnet in via the inside interface:

telnet 10.1.1.0 255.255.255.0 inside

More information on configuring telnet on a Cisco Firewall is available here from Cisco:
http://www.cisco.com/en/US/docs/security/asa/asa81/command/ref/t.html#wp1483242


Once SSH or telnet is configured you can test the connection from the PC you are using for FirePlotter: run a copy of PuTTY (PuTTY can be downloaded at www.chiark.greenend.org.uk/~sgtatham/putty/download.html) and use it to open an SSH or telnet session to the firewall.

Note: you will need to enter the SSH/Telnet Username and SSH/Telnet Password into FirePlotter, you may need to enter an Enable Username, and you will need to enter the Enable Password, depending upon how your Cisco Firewall is configured. If during telnet testing you are not prompted for an Enable Username then leave the FirePlotter Enable Username field blank.

Note: if you are connecting FirePlotter to a Cisco ASA firewall via a VPN, you will need to have the "management-access outside" command set, in order for you to access the internal interface telnet IP address from the outside.


Note: if you are using a Cisco FWSM (Firewall Services Module) in a Cisco switch (in this example a Cisco 6513), then here are some tips on how to set up telnet access. These tips assume you have access to the switch console port and login/enable credentials:

1) Ensure the configuration tells the Cisco 6513 switch which VLANs to allocate to the FWSM. From the switch console port, check this with show config:

firewall multiple-vlan-interfaces
firewall module 7 vlan-group 1
firewall vlan-group 1 5,50-52,110,120,130,140,150,210,220,330,340,350

2) Issue the command for your switch software to get into the FWSM console configured as above:

Cisco IOS software
Router# session slot 7 processor 1
Catalyst operating system software
Console> (enable) session 7

then log in.

3) Check/Use commands associated with the fwsm:

firewall transparent
nameif vlan5 outside security 0
nameif vlan50 inside security 100

As you can see, this is the same as an ASA except that the interfaces are the VLANs allocated from the switch.

The IP address allocated to this context is used for management and for traffic initiated from the context, e.g. logs (FWSM calls its virtual firewalls 'contexts'):

ip address 10.1.1.250 255.255.255.0 standby 10.1.1.2 (there may not be a standby if you only have one fwsm)

4) Set up telnet access to the inside interface (to edit the FWSM config use conf t to enter configuration mode, CTRL-Z to exit and wr mem to save):

telnet 10.1.1.0 255.255.255.0 inside

5) Assuming you are coming from VLAN 50, telnet to 10.1.1.250 and log in!

Note: FirePlotter is a powerful real-time tool that can be used to augment Netflow analysis products.



Enable Options for Cisco ASA Firewalls

FirePlotter requires enable mode in order to get the session data from the Cisco ASA via SSH or Telnet. The default enable level is 15, which provides full "admin" access (in simple terms, read/write). Some users of FirePlotter may wish to set the enable to "monitor only" (read only).

The following ASA configuration commands are an example of what is required to create a "privilege 7" user account and to enable FirePlotter to get the data it requires:

aaa authentication ssh console LOCAL
enable password [password] level 7
username test password [password] privilege 7
privilege show level 7 mode exec command running-config
privilege show level 7 mode exec command conn
privilege cmd level 7 mode exec command terminal

In earlier versions of IOS, some users of FirePlotter may wish to set the enable to "monitor only" (read only), using "enable 7". There is a feature in FirePlotter to handle 'enable <x>' for Cisco ASA, where <x> is 1-15. <x> is included after a <space> in the SSH Login name. If <space><x> is included in the SSH Login name then 'enable <x>' is sent to the Cisco host when FirePlotter connects. Later versions of IOS do not require this feature.


Some users may need FirePlotter to use the Cisco 'login' command instead of the default 'enable'. This is required for FirePlotter to successfully log in to Cisco firewalls that use 'login' instead of 'enable'. It is a hidden setting associated with a Connection Profile and is added through the Registry (regedit.exe) as a String Value (REG_SZ) named CiscoEnableToString with the value login, under HKEY_CURRENT_USER\Software\GISS-UK.com\FirePlotter\FP-Profiles\[Connection Profile Name].

Here is where you can set FP_CiscoEnableToString:

For more details on setting up SSH and required encryption keys, see: Setting Up Your Cisco ASA Firewall for FirePlotter



Understanding FirePlotter and Cisco ASA Firewalls - Differentiating Inbound vs. Outbound Traffic

When FirePlotter gets session data from a Cisco firewall (using the "show connections" command), the displayed statistics are related to the "direction of initiation". So let us consider a session that is outbound initiated (inside to outside), for example a session visiting a website. That session then downloads a file using HTTP. That session's download will then be displayed in FirePlotter as outbound HTTP byte counts. The data is displayed in this way because this is how Cisco chooses to provide it in "show connections". So this means any Outbound session displayed in FirePlotter's session table could be uploading or downloading. The same principle applies for Inbound sessions.

In other words: FirePlotter will show the sum of the egressing request and ingressing response and this data will be shown in Outbound traffic, if the session was initiated from the inside of the firewall, and it will show under Inbound when it was initiated from the outside of the firewall.



FortiNet

Setting Up Your FortiNet FortiGate Firewall for FirePlotter

Configuring your FortiNet Firewall to talk to FirePlotter is very easy.

Note: Since FortiOS v5.4 it is a "feature" of FortiNet FortiGate firewalls that only a user with Access Control set to readwrite for all Access Control categories will provide the session table information that FirePlotter needs, i.e. an account with full admin rights. Remember though, you can create a password for FirePlotter itself - see File=>Global Settings=>Startup Password

Prior to version 5.4 you could create a special administration account as follows: in FortiGate v5.2, in System, Admin, create a new Admin Profile with Access Control set to "Maintenance" as "Read-Write", "Network" as "Read-Only", and "Log & Report" and "Configuration" as "Read-Only" (all others set to None). That Admin Profile is then applied to a new Administrator with the login credentials you would like for FirePlotter.

If you are using VDOMs with FirePlotter, and want to use FirePlotter with a single VDOM, then create administrator accounts that are only looking at that single VDOM, and log FirePlotter in with those credentials.

FortiNet VDOM login



For SSH connections:

To setup the FortiGate for SSH, using the web GUI login to your FortiGate with admin credentials, then go to System, Network and Edit the interface then select the SSH and ping tick boxes and click OK. Make a note of the IP address of the interface.

Once SSH is configured on your FortiGate you can test SSH from the PC you are using for FirePlotter. To test the ssh connection, run a copy of PuTTY (PuTTY can be downloaded at www.chiark.greenend.org.uk/~sgtatham/putty/download.html ) and use it to test the SSH connection.



For Telnet connections:

To setup the FortiGate for telnet, using the web GUI login to your FortiGate with admin credentials, then go to System, Network and Edit the interface then select the telnet and ping tick boxes and click OK. Make a note of the IP address of the internal interface.

Note: FirePlotter will usually be used to talk to the Internal interface of your firewall, but it can be any interface, although if it is an internet-facing interface you may not want to activate telnet on it for security reasons.

Once Telnet is configured on your FortiGate you can test Telnet from the PC you are using for FirePlotter. To test the telnet connection, run a copy of PuTTY (PuTTY can be downloaded at www.chiark.greenend.org.uk/~sgtatham/putty/download.html ) and use it to test the telnet connection.

If your login works, then you are now ready to use FirePlotter.



FirePlotter Controls & Views

This section of help works sequentially through each and every feature of FirePlotter - if you simply want to quickly understand FirePlotter's basic operation then we recommend watching Basic and Advanced View Modes and Trace Line video (4 minutes) or jumping to the View Modes: Basic & Advanced and Trace Line section for more information.

The FirePlotter windows can be divided into 7 sections: Menu Bar, Connection Bar, Session Table Control Bar, Session Tables Section, Focus Control Section, Graphical Bandwidth Plotting Section and Status Bar:

Control Bar Section and Status Bar

Menu Bar

The File Menu provides options to "Open Recorded Data", "Export Session Table", "Open fireplotter.ini", "Open FirePlotterDebug.txt", "Global Settings" and "Exit" the application.

File=>Open Recorded Data

"Open Recorded Data" option lets you open and replay previously recorded data - see next section for "Click on Graph" and "File Open Recorded Data" Methods of replaying data.

FirePlotter Replay

For more information see 4 minute Replay training video.

FirePlotter records all the data it collects and has the capability to reload a session table snapshot or replay session data that was seen over a period of time. There are two ways to do this: Click on Graph or Open Recorded Data.

Click on Graph Method

First we can click on the graph at the time period we want to review. So for example in this screenshot we can see a peak which we have clicked on, and FirePlotter is asking if we want to reload this data:

If we click OK, we then see FirePlotter loads the session table from that moment. Notice the Focus Time is now the time we selected on the graph, also FirePlotter has been Paused (so the Play button is now available) and we can see in that Secure web Browsing line that In Bytes/Sec is higher than everything else:

Now if we double click on the words "Secure Web Brow..." in the Service/Dest Port column we can "Zoom" in on the data and can see specifically which session was creating that peak:

If we wish, we can now click on the "Play" button to let FirePlotter catch its focus time back up to real time.

File Open Recorded Data Method

To access FirePlotter's recorded data further back in time than the data plotted on the graph, we can go to the Menu option, File, Open Recorded Data and then select Firewall, Date, Hour and then select the .fpr file we want to load. FirePlotter will then load that session and start playback with a 2 second interval between each snapshot played. At any point you can click on "Pause" to study the data using the Zoom and Summarize features of FirePlotter. And of course you can click on the graph to review again if needed.

Note that FirePlotter can record huge quantities of data when recording your firewall - see File=>Global Settings=>Recording



FirePlotter Replay and Multiple Users

Do you want multiple users to access FirePlotter data in real-time? Or, do you have so many firewall sessions that FirePlotter's foreground and background processes are too demanding (too slow), so you want to speed things up? The way to do this is to have a single copy of FirePlotter running on a server "recording" only. This copy of FirePlotter will be in a user session that is permanently logged into the Windows platform, as FirePlotter does not run as a "service". That copy of FirePlotter is connected to a firewall and recording data, but has its Pause button pressed, so the application can dedicate all its processing to creating .fpr (session data) files only, and not use any processing power to display the data too.

Then through Windows OS we can network share the folder FirePlotter is writing the recorded data to (typically C:\Users\[User]\AppData\Roaming\FirePlotter\RecordedData folder). Then a single, or multiple users, on different PCs can point to the shared folder and then use FirePlotter's File, Open Recorded Data to replay the data that is currently being recorded - in real-time with FirePlotter just "viewing". For those firewalls with larger number of sessions, FirePlotter's "viewing" processing will be faster as there is no background recording/processing running.

For this solution to monitor one firewall accessible by two users, we would need three FirePlotter licenses - one for the server, and one for each user's PC. Contact us for help with pricing if you need multiple licenses to help with speed issues.

What about monitoring more than one firewall using this method?

Because FirePlotter licensing allows multiple copies of FirePlotter to be run on a single PC, if we had two firewalls to monitor this could be achieved by running two copies of FirePlotter simultaneously on the server, each pointed at and recording a specific firewall. Then, if the data folder is again shared, 2 users could still access the data for both firewalls by each running two copies of FirePlotter simultaneously and using File, Open Recorded Data to monitor each firewall's data.



File=>Export Session Table

"Export Session Table" option enables the current session table view to be exported as a .csv file.

Tip - FirePlotter will export exactly what is displayed in the Session Filter Table, so if you want a full export of all the sessions passing through the firewall, then you need to set "Summarise Table By" to be "No Summary" and "View Mode" to be "Advanced", and then use File=>Export Session Table.

When you click on File=>Export Session Table, FirePlotter pauses playback (pausing session table updating and graph updating, but recording continues in the background). FirePlotter then opens a window for you to select file location and filename to export .csv output of current paused session table view. When you click on "Save" - FirePlotter will then save the file and resume FirePlotter playback and also open the file location you saved to. The default filename is FirePlotterExportTable.csv.

See File=>Global Settings=>Export for other export options.




File=>Open fireplotter.ini

"Open fireplotter.ini" opens the fireplotter.ini file (see below for more information).

FirePlotter.ini

The fireplotter.ini file can be edited via the Menu Bar option: "File", "Open fireplotter.ini". FirePlotter is installed by default in C:\Users\[UserName]\AppData\Roaming\FirePlotter in Windows 7 or Windows Vista, or in C:\Documents and Settings\[UserName]\Application Data\FirePlotter in Windows 2003/2008 Server or Windows XP.

The [Connection] section can be used to enable advanced logging that is written to the fireplotterdebug.txt file. See File=>Open fireplotterdebug.txt. Advanced logging is activated by removing the ";" from the line ;LogLevel=255 - so it becomes LogLevel=255 and saving the fireplotter.ini file and then restarting FirePlotter.

By editing the fireplotter.ini file we can also customise the text that FirePlotter displays in the Service/Destination Port column by modifying or adding to the [Ports] Section. The [Ports] section is limited to a maximum of 4000 characters.

In the [Protocols] section there is the opportunity to do the same for the IP Protocol column.

In the [Colours] section we can customise FirePlotter to display colours of your choice for the Service/Destination Port. The chosen colours are used both in the session list and the graphs.

Colour choices are to be found here: www.fireplotter.com/doc/FirePlotterColours.htm

Default fireplotter.ini file:

; FirePlotter.ini
; Documented for version 2.23

; ***** Please note:
; * Subsequent FirePlotter upgrades may overwrite this INI file so maintain regular backups
; * FirePlotter must be restarted for changes to INI to be used
; * These parameters are only used with a licensed copy of FirePlotter

[Connection]
;LogLevel=255 ; Used to provide additional debug information in FirePlotterDebug.txt

[Ports]

; <port no>=<text> Association of text to destination port numbers

8=Ping Req (8),Ping
20=FTP Data (20),File Transfer (FTP)
21=FTP Cmd (21),File Transfer (FTP)
22=SSH (22)
23=Telnet (23),Telnet
25=SMTP (25),Email (SMTP)
42=WINS (42)
53=DNS (53),Domain Name Service (DNS)
57=Terminal (57)
67=DHCP (67)
69=TFTP (69)
80=HTTP (80),Web Browsing (HTTP)
88=Kerberos (88)
110=POP3 (110),Email (POP3)
111=SunRPC (111)
119=NNTP (119)
123=NTP (123)
135=MS-RPC (135)
137=NB-NS (137)
138=NB-DGM (138)
139=NB-SSN (139)
143=IMAP (143)
158=PCMail Srv (158)
161=SNMP (161),Network Management (SNMP)
162=SNMPTrap (162)
397=MPTN (397)
389=LDAP (389)
427=HP Print (427)
443=HTTPS (443),Secure Web Browsing (HTTPS)
445=MS-DS (445)
449=ASSrvMap (449)
465=SMTPS (465)
500=ISAKMP (500)
514=SysLog (514)
515=LPD (515)
554=RTSP (554)
563=NNTPS (563)
636=LDAPs (636)
691=ExchRout (691)
740=NETCP (740)
873=Rsync (873)
989=FTPS Data (989)
990=FTPS Cmd (990)
993=IMAPS (993)
995=POP3S (995)
1023=Reserved (1023)
1100=Double-Take (1100)
1433=SQL (1433)
1494=ICA (1494)
1604=ICABrowser (1604)
1723=PPTP (1723)
1800=ANSYS-LM (1800)
1812=RADIUS (1812)
1863=MSNP (1863)
1935=Flash CS (1935)
2001=Kaspersky (2001)
2049=NFS (2049)
3052=APC (3052)
3389=RDP (3389),Remote Desktop (RDP)
4500=IPSec NAT-T (4500)
4899=RAdmin (4899)
5190=AOL (5190)
5223=Apple Push (5223)
5566=IP Phone (5566)
6002=x11 (6002)
6129=Dameware (6129)
6130=Dameware (6130)
8080=HTTP Alt (8080)
8194=Bloomberg (8194)
8888=FDN (8888)

[Protocols]

; <protocol no>=<text> Association of text to IP protocol numbers

1=ICMP (1)
2=IGMP (2)
6=TCP (6)
17=UDP (17)
47=GRE/PPTP (47)
50=ESP (50)
89=OSPF (89)

[Colours]

; <port>,<IP protocol>=<colour name> see www.fireplotter.com/Colours.htm
; Coloured protocol list below is used when BasicViewMode=true (default)

0,0=Cyan
8,1=LightSalmon
21,6=Burlywood
25,6=Tomato
53,17=LightSkyBlue
80,6=SpringGreen
110,6=LightPink
443,6=Gold
3389,6=yellowgreen
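
The following Python script is an added example (not part of FirePlotter or its documentation) that checks a fireplotter.ini for the problems described above before you restart FirePlotter: debug logging left switched on, a [Ports] section over the 4000-character limit, and keys that are not port, protocol or port,protocol numbers. It assumes the 4000 characters are counted as the raw text of the section body, and it runs against a constructed, trimmed copy of the default file.

```python
"""Sanity-check a fireplotter.ini before restarting FirePlotter (added example).

Reports debug logging left on, a [Ports] section over the documented
4000-character limit, and malformed keys. How FirePlotter measures the 4000
characters is not documented, so this counts the raw text of the section body.
"""
from typing import Dict, List, Tuple

PORTS_LIMIT = 4000  # documented maximum size of the [Ports] section

# Constructed sample: a trimmed copy of the default file with two deliberate
# mistakes (LogLevel uncommented, a non-numeric port key) plus a bad colour key.
SAMPLE_INI = """; FirePlotter.ini
[Connection]
LogLevel=255 ; Used to provide additional debug information in FirePlotterDebug.txt

[Ports]
; <port no>=<text> Association of text to destination port numbers
22=SSH (22)
80=HTTP (80),Web Browsing (HTTP)
443=HTTPS (443),Secure Web Browsing (HTTPS)
http=HTTP Alt (8080)

[Protocols]
6=TCP (6)
17=UDP (17)

[Colours]
80,6=SpringGreen
443,6=Gold
3389=yellowgreen
"""

Entry = Tuple[str, str, str]  # (key, value, raw line)


def parse_ini(text: str) -> Dict[str, List[Entry]]:
    """Return {section: [(key, value, raw_line), ...]}, skipping ';' comment lines.

    Values may contain commas, so a line is split on the first '=' only, and a
    trailing '; comment' is stripped from the value.
    """
    sections: Dict[str, List[Entry]] = {}
    current = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, [])
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue  # not key=value; ignored (assumption: FirePlotter does too)
        value = value.split(";", 1)[0].strip()
        sections.setdefault(current, []).append((key.strip(), value, raw))
    return sections


def section_chars(text: str, name: str) -> int:
    """Raw character count of a section body: every line after its header up to the next header."""
    count, inside = 0, False
    for raw in text.splitlines():
        stripped = raw.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            inside = stripped[1:-1] == name
            continue
        if inside:
            count += len(raw) + 1  # +1 for the newline
    return count


def check_ini(text: str) -> List[str]:
    """Return human-readable findings; an empty list means the file looks sane."""
    findings: List[str] = []
    sections = parse_ini(text)

    for key, value, _ in sections.get("Connection", []):
        if key == "LogLevel":  # only present uncommented when debug logging is on
            findings.append(f"debug logging is enabled (LogLevel={value}); "
                            "fireplotterdebug.txt will keep growing until the line is commented out")

    size = section_chars(text, "Ports")
    if size > PORTS_LIMIT:
        findings.append(f"[Ports] is {size} characters, over the {PORTS_LIMIT}-character limit")

    for key, _, raw in sections.get("Ports", []):
        if not (key.isdigit() and int(key) <= 65535):
            findings.append(f"[Ports] key is not a valid port number: {raw.strip()}")

    for key, _, raw in sections.get("Protocols", []):
        if not (key.isdigit() and int(key) <= 255):
            findings.append(f"[Protocols] key is not a valid IP protocol number: {raw.strip()}")

    for key, _, raw in sections.get("Colours", []):
        parts = key.split(",")
        if len(parts) != 2 or not all(p.strip().isdigit() for p in parts):
            findings.append(f"[Colours] key must be <port>,<IP protocol>: {raw.strip()}")
    return findings


if __name__ == "__main__":
    for finding in check_ini(SAMPLE_INI) or ["no problems found"]:
        print(finding)
```

Point check_ini at the contents of your own C:\Users\[User]\AppData\Roaming\FirePlotter\fireplotter.ini to check it the same way.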

File=>Open fireplotterdebug.txt

"Open FirePlotterDebug.txt" can be used for debug purposes by FirePlotter Technical Support.

File=>Global Settings



File=>Global Settings=>Default Profile

The "Default Profile" settings enable you to set default Connection Profile that loads when FirePlotter starts (assuming you have already created a profile using Quick Connect or Connection Profile Manager). See Managing Connection Profiles.

The default connection profile will not automatically connect to the firewall unless "Auto-connect" is enabled in the chosen Connection Profile itself (see Connection Profile Manager). You can also select the Session Filter Profile to be loaded when FirePlotter first starts if required.

The default connection profile can also be used to select default Session Filter Profile and default Alert Profile to be loaded when FirePlotter first starts if required. See Managing Session Filter Profiles and Managing Alert Profiles.

File=>Global Settings=>Address Resolution

"Address Resolution" settings tell FirePlotter how to resolve IP addresses to names. Wherever possible FirePlotter will resolve IP addresses to Fully Qualified Domain Names (FQDNs) or NetBIOS Names. When an IP address is displayed in brackets e.g. (192.168.1.1) - this indicates that FirePlotter is still attempting to resolve a name to the IP address.

Reverse DNS:

Ensure DNS servers are configured and reachable by your FirePlotter PC. In an MS-DOS box type "ipconfig /all". Check that DNS Servers are set - if not, configure them via Network Settings. If set, check that the DNS Server addresses are ping-able.

You can edit the C:\Windows\System32\drivers\etc\Hosts file (or equivalent) on the FirePlotter PC to resolve IP addresses to the names you want to see in FirePlotter, or you can configure your internal DNS server (if you have one) to set the names.

Here is a sample of the Hosts file:

# Copyright (c) 1993-2012 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host

# localhost name resolution is handled within DNS itself.
# 127.0.0.1 localhost
# ::1 localhost

192.168.1.99 Firewall
192.168.1.10 Email Server
192.168.1.101 Sam Smith
192.168.1.102 Jane Jones

NetBIOS:

You can test an individual PC's NetBIOS name lookup by running the nbtstat -a x.x.x.x command in an MS-DOS window on the FirePlotter PC, where x.x.x.x is the IP address of the PC you want a name for. Sometimes PCs with firewalls, or with multiple IP addresses, do not respond to the query.

Note: When NetBIOS name resolution is turned on, FirePlotter attempts to resolve *ALL* IP addresses this way. This means that NetBIOS (UDP/137) lookups are sent to IP addresses outside of your firewall. We would recommend a firewall policy rule that blocks/denies UDP Port 137 from your internal network to the internet, to prevent these packets going out to the internet.

Cisco:

For Cisco firewalls you can tell FirePlotter to use the host object names that are assigned in the firewall configuration.



File=>Global Settings=>Recording

The "Recording" settings let you set the "Maximum file count". FirePlotter takes a snapshot of the firewall sessions every 5 seconds by default. Each snapshot of data is stored in a file with the extension .fpr. "Maximum File Count" is the maximum number of .fpr files that FirePlotter will keep before starting to delete the oldest files.

FirePlotter automatically stores the session data it collects in .fpr files (e.g. 090820-104146.fpr) in a file path such as: C:\Users\[User]\AppData\Roaming\FirePlotter\RecordedData\[[IP address of Firewall] - [Connection Profile Name]]\[Date]\[Time].



Managing Disk Space

Also see: FirePlotter Replay and Multiple Users

The very first time you run FirePlotter, after a few minutes recording you will get the "FirePlotter Recorded Data Max File Count" warning message:

FirePlotter is currently configured to keep the last 250 FirePlotter Record (FPR) files. This figure is controlled by the 'Maximum file count' in File -> Global Settings -> Recording.

Based on averages from the last few minutes these files will occupy x.xxGB of disk space and provide x minutes of historical data. 'Maximum File Count' should be adjusted to x (xMB) to provide 1 hour of historical data and x (xMB) to provide 24 hours.

More information on these and other options on Managing Disk Space can be found in the Online Help.

FirePlotter's default setting is to keep 250 .fpr files (each file represents one session table snapshot). This startup warning tells you how much disk space those rolling 250 files will take up, and how much historical time they represent. It also tells you what value to set Maximum File Count to in Global Settings if you want to keep 1 hour or 24 hours of historical data on disk. Maximum File Count sets the number of FirePlotter Record (.fpr) files to keep on a rolling rotation. The maximum value is 20000 (20,000). If you set Maximum File Count to 0, FirePlotter keeps all data - be aware that setting Maximum File Count to 0 can use an enormous amount of disk space!

If you set Maximum File Count to 0, to keep *all* recorded data (i.e. not delete any of it), then we recommend that FirePlotter users investigate the Cyber-D's Autodelete freeware product, which can be used together with Windows Task Scheduler as required. When Maximum File Count is set to 0, you are not given the option to keep or delete the stored data when exiting FirePlotter. If Maximum File Count is 1, then .fpr data is not saved, and you are not given the option to keep or delete the stored data when you exit FirePlotter. If Maximum File Count is greater than 1, then upon exiting FirePlotter you will be asked whether you want to keep or delete the stored data.
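The figures in the startup warning follow directly from the snapshot interval, the average .fpr size and the Maximum File Count rules described above (0 keeps everything, 1 saves nothing, 20000 is the ceiling). The planner below is an added example for this page, not FirePlotter's code: the function names are its own, and the average file size passed to it in the usage is a constructed figure standing in for the average FirePlotter measures over the first minutes of recording.

```python
import math

MAX_FILE_COUNT_LIMIT = 20000   # largest value the setting accepts (from the help text)
DEFAULT_INTERVAL_S = 5         # default seconds between session table snapshots
DEFAULT_MAX_FILES = 250        # FirePlotter's default Maximum File Count


def files_for(history_s, interval_s=DEFAULT_INTERVAL_S):
    """Maximum File Count needed to retain `history_s` seconds of snapshots,
    capped at the 20000 the setting allows."""
    if interval_s <= 0 or history_s < 0:
        raise ValueError("interval must be positive and history non-negative")
    return min(MAX_FILE_COUNT_LIMIT, math.ceil(history_s / interval_s))


def history_seconds(max_files, interval_s=DEFAULT_INTERVAL_S):
    """Seconds of history a Maximum File Count retains.
    0 keeps everything (returned as None, i.e. unbounded); 1 saves nothing."""
    if max_files < 0 or max_files > MAX_FILE_COUNT_LIMIT:
        raise ValueError("Maximum File Count must be between 0 and 20000")
    if max_files == 0:
        return None
    if max_files == 1:
        return 0
    return max_files * interval_s


def disk_bytes(max_files, avg_file_bytes):
    """Disk the rolling set of files occupies; None when 0 (unbounded) is chosen."""
    if max_files == 0:
        return None
    return 0 if max_files == 1 else max_files * avg_file_bytes


def daily_growth_bytes(avg_file_bytes, interval_s=DEFAULT_INTERVAL_S):
    """Bytes written per 24 hours when Maximum File Count is 0 and nothing is deleted."""
    return math.ceil(86400 / interval_s) * avg_file_bytes


def plan(avg_file_bytes, interval_s=DEFAULT_INTERVAL_S, max_files=DEFAULT_MAX_FILES):
    """The figures the startup warning reports, for a measured average .fpr size."""
    return {
        "history_s": history_seconds(max_files, interval_s),
        "disk_bytes": disk_bytes(max_files, avg_file_bytes),
        "files_for_1h": files_for(3600, interval_s),
        "files_for_24h": files_for(86400, interval_s),
        "disk_bytes_1h": files_for(3600, interval_s) * avg_file_bytes,
        "disk_bytes_24h": files_for(86400, interval_s) * avg_file_bytes,
        "daily_growth_if_unbounded": daily_growth_bytes(avg_file_bytes, interval_s),
    }


if __name__ == "__main__":
    # 200 kB per snapshot is a constructed figure, not a measurement.
    for key, value in plan(avg_file_bytes=200_000).items():
        print(f"{key:>26}: {value}")
```

With the default 5-second interval, 24 hours needs 17280 files, comfortably under the cap; a longer Record Interval in the Connection Profile lowers the file count for the same history, while a shorter one can make a full day unreachable within the 20000 limit.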

The "Recording" settings also include a parameter to set the path for FPR (FirePlotter Recording) data storage, so for example you may want FirePlotter to save its FPR files on a non-boot disk (D:, E:, etc.). Please note that the path must already exist (FirePlotter will not create it).

The default locations for FirePlotter to store Recorded Data are, for Windows Vista/Windows 7/Server 2008: C:\Users\[User]\AppData\Roaming\FirePlotter\RecordedData and, for Windows XP/Windows 2K3: C:\Documents and Settings\[User]\Application Data\FirePlotter.

To make the folders that store recorded data (.fpr files) more easily identifiable, the default option is for FirePlotter to use the Connection Profile Name in the recorded data path, e.g. C:\Users\[User]\AppData\Roaming\FirePlotter\RecordedData\[IP address of Firewall] - [Connection Profile Name]\[Date][Time]



File=>Global Settings=>Cisco Direct Connection

The "Cisco Direct Connection" settings for Cisco ASA firewalls let you select which sessions directly connected to the firewall are displayed in FirePlotter's session tables, for Cisco ASA v8.x and above. Prior to v8.0, Cisco firewalls did not provide this information in "show connections" (the command used by FirePlotter). If your Cisco ASA firewall is running 8.x or above, you have the option of FirePlotter displaying ESP (IPSEC VPN), Syslog, SSH, telnet, HTTP, HTTPS, Ping and SNMP traffic running to/from the firewall interfaces in its session table. Note that when IPSEC VPNs are connected to a Cisco firewall, FirePlotter will show the traffic that is running "through" the IPSEC tunnel.

The default is to only monitor ESP (IPSEC) connections.



File=>Global Settings=>Monitoring Connection

The "Monitoring Connection" setting can be used to "hide" FirePlotter's own connection session (SSH or telnet) from the session table itself, provided the connection from FirePlotter to firewall is not NATed (network address translated). The default is to hide the connection.



File=>Global Settings=>Do Not Show Message

The "Do Not Show Message" section of Global Settings provides the option to toggle on and off the appearance of warning messages within FirePlotter.

If you select Telnet as the protocol to connect your firewall - you will get the following warning message about using SSH instead of Telnet:

SSH Protocol is recommended for security stability. If you encounter problems using Telnet, please switch to SSH. Click here to visit the Online Help information on Setting Up Your Cisco or FortiGate Firewall for FirePlotter (SSH and Telnet).

The first time you run FirePlotter this warning message about the effects of Maximum File Count appears:

If you run FirePlotter with Maximum File Count in File -> Global Settings -> Recording set to 0 (keep all data) the following warning message about Disk Space Management appears:

FirePlotter currently has File -> Global Settings -> Recording -> Maximum File Count set to 0, which means that FirePlotter is keeping all recorded data. Please ensure you monitor the disk space usage regularly to prevent 'disk full' problems.

Based on the last 1-2 minutes of recording, FirePlotter will be storing the following amount of data every 24 hours: xGB.

For more information on disk space usage, click here.



File=>Global Settings=>Check for Updates

The "Check for Updates" setting, if checked, will cause FirePlotter to check whether a later version of FirePlotter is available.

If a later version or beta version of FirePlotter is available you would then see a message window similar to this:



File=>Global Settings=>FortiGate Settings

The "FortiGate Settings" screen gives you the option to toggle on a check for Banners on FortiGate Firewalls.

If any of your FortiGate firewalls have an Access Banner message configured - then to ensure the telnet or SSH connection to the firewall works successfully, please tick this option.



File=>Global Settings=>Export

The "Export" screen enables configuration of options for the export of session data to .csv files.

If "Automatic export of data to .csv" is enabled, then for each .fpr file (session table snapshot) saved, a duplicate .csv file is also saved containing the session data in readable format. If "Delete exported data inline with .fpr files" is set, and File -> Global Settings -> Recording -> Maximum File Count is set to >1, then when you exit FirePlotter and it asks if you would like to keep the recorded files, selecting "No" deletes both the .fpr and .csv files.

There is also the option to "Open target folder after manual export", which if set, and File -> Export Session Table is used, will cause the folder where the export file has been saved to be opened automatically.



File=>Global Settings=>Cumulative Totals

The "Cumulative Totals" screen: when FirePlotter connects to a firewall, it picks up the cumulative total of each session that has already been flowing through the firewall and then increments it from that initial value. If the "Reset cumulative totals when FirePlotter starts" option is set, then when FirePlotter connects to a firewall it resets the cumulative total of each session to zero and starts incrementing from zero.

Understanding FirePlotter Cumulative Totals:

When a single session passes through a firewall and is displayed as a one-line entry in the FirePlotter Session Table, the cumulative total shows the total byte count of that specific session gradually incrementing over time, until the session is ended and finally dropped from the connection table in the firewall - then it disappears from the FirePlotter session table (as does its cumulative total).

If the FirePlotter Session Table is displaying in a single line multiple sessions, then the cumulative total is a combination of all cumulative totals from those sessions.

 

File=>Global Settings=>Email Notification

The "Email Notification" screen: FirePlotter is able to send email alerts when certain pre-configured thresholds have been triggered (see Managing Alert Profiles).

Alert Text: Enter text you would like to see in the subject field of alert email. e.g. "FirePlotter Alert".

Email from: Enter the source email address FirePlotter can use.

Email To: Enter the email address(es) FirePlotter should send alerts to. Multiple addresses should be separated by a semicolon (;).

SMTP Server: Enter the server DNS name or IP address of your SMTP email server. There is also the option to override the default SMTP port (TCP Port 25), so the setting could be: [server] or [server]:[SMTP port number] or :[SMTP port number]

Test Email Settings: Once you have clicked Apply, you can use this button to send a test alert message.

Server Authentication, User & Password: If your SMTP email server requires authentication, then check the box and enter user and password.

 

File=>Global Settings=>Graph Scale

If you wish you can fix the Y Axis scale maximum value for the Graphical Bandwidth plotting (in Kbits/s). A value of 0 will let FirePlotter auto-scale the Y axis.



File=>Global Settings=>Startup Password

If you wish you can password protect FirePlotter by enabling and setting a Startup Password.



The View Menu provides options to select Basic or Advanced View Mode:

View Modes: Basic & Advanced and Trace Line

View=>Mode=>Basic

View=>Mode=>Advanced

See Basic and Advanced View Modes and Trace Line video (4 minutes) for more information.

Basic View Mode lists only the key services (e.g. HTTP, SMTP etc) and Advanced Mode shows all services passing through the firewall in the Session Table. You can switch modes either via the View, Mode menu option, or by Right Mouse Click option when hovering over Session Table.

In the licensed version (or 14-Day evaluation license) of FirePlotter there is the option to switch between Basic and Advanced View Mode. An unlicensed "Watch Only" mode FirePlotter will only run in Basic View Mode.

By default, Basic Mode will only monitor the key Service/Destination Ports listed in the [Ports] section of the fireplotter.ini file (see FirePlotter.ini).

The key Services/Destination Ports monitored in Basic View mode by default are: Ping, File Transfer (FTP), Email (SMTP), Domain Name Service (DNS), Web Browsing (HTTP), Email (POP3), Secure Web Browsing (HTTPS), Remote Desktop (RDP) and the Trace Line.

Note: Total bandwidth is indicated by black line only in graphs (not in session table).

The Trace Line, in pale blue in both the Session Table and the bandwidth graphs, shows you whichever Service/Destination Port traffic is taking up the most bandwidth, provided it is not one of the key Services/Destination Ports being monitored. So in the screenshot above we can clearly see in the Session Table that in the snapshot at 16:20:28 it was Service/Destination Port 23982 from 192.168.68.14 Outbound that was using the most bandwidth, hence that line is coloured in the light blue Trace Line colour (as Destination Port 23982 has not been assigned a colour in FirePlotter.ini). The bandwidth usage is also displayed in the Trace Line colour in the Inbound and Outbound Graphs.

The session lines and the bandwidth consumed are colour coded in the session table and the graphs. If a service/destination port is not configured in the fireplotter.ini [Ports] section, then in Basic View Mode that traffic will not show in the FirePlotter Session Table or Graphical Bandwidth Plotting, unless it is the Trace Line. So the only way to monitor service/destination ports that have not been configured in the fireplotter.ini [Ports] section is to switch to Advanced View Mode. Note that editing the FirePlotter.ini file is only available if you have a 14-Day Evaluation or a purchased License.

The screenshot below is of FirePlotter in Basic View Mode (listing the key Services/Destination Ports mentioned above):

Screenshot below of FirePlotter in Advanced View Mode:



Understanding Zoom In, Active Filters and Summary Filters

See Zoom and Filters video (5 minutes) for more information.

OK, let's go through the many filtering views that FirePlotter gives you. When you first load FirePlotter it extracts the session table from your firewall and automatically displays it in the "Default View", summarising by Service/Destination Port (as indicated at the bottom of the screen) and sorted by the Direction and then In Bytes/s columns. The Default View is a special view only available when FirePlotter first connects, when the Default View button is clicked, or when Default View is selected from the Right Mouse Click options when hovering over the Session Table. Notice that the Sessions column shows how many SMTP or HTTP sessions are passing through the firewall - something like this:


As an aside, notice, that if you click on the word Sessions at the top of the Session column (or any of the column titles) FirePlotter will re-order the session table display in descending value order. Like this:


Now let's turn off the Summary filter by changing the Summary filter setting at the bottom of the screen. Notice you will now get a long list of all the sessions going through the firewall, one line per session (notice scroll bar on top right), and Summary Filter is set to No Summary (notice the session column again, now 1 session per line) - something like this:



OK, so now let's switch back to Summary Filter by Destination/Service Port. Now you can see that Sessions are summarised by Service again. Now let's zoom into a particular internal IP address. We know it is internal as we are selecting from an Outbound Sessions, so the source IP will be an internal device. Let's select 192.168.68.14 and double click on that...


Now because we clicked on 192.168.68.14 with Service/Destination Port of HTTP (Port 80), we now see all HTTP sessions relating to this device. Notice what the active filters are displaying in the Status Bar at the bottom of the screen, and notice that Summary Filter has switched to No Summary.


Once you have taken that in, we can zoom in to see all the traffic (not just HTTP) that this device is sending through the firewall by double clicking on 192.168.68.14 again (highlighted above) - but this time we are not in a summary mode, so now we get:


So to tidy up a bit we could turn on Summary Filter by Service Destination and we would get this, a nice summary of what just this device is doing:


Then we can click on the Default View Button to take us back to the starting point and explore other sessions in a similar manner. It's easy to understand and use the Zoom In mode and to read the Active Filter status and use the Summary Filter. Really Easy!



How to "find" an IP address in FirePlotter

One easy way to find an IP address right now, when in Advanced View Mode: from the Default View, first press Pause to stop it updating, so you can see the snapshot of all the sessions. Then change the drop down at the bottom left to Summarise By: Source IP. Then click the top of the Source IP address column to re-order the column by IP address in ascending order. You can then scroll down to the address you want and double click to Zoom in to that specific IP address. Once zoomed in, you might want to re-enable Summary By Service/Destination Port if there are lots of connections. You can also re-enable Play so you can see in real time what that IP address is doing.



The Connections Menu provides access to the "Connections Manager":



Connection Bar

Managing Connection Profiles

The first time you use FirePlotter, using the Connection Profile "Quick Connect", you can select the Cisco ASA or FortiNet FortiGate firewall type and the Connection Type (SSH), enter the IP address or DNS name (e.g. 192.168.1.1 or firewall.test.com) and the SSH login credentials for the firewall to be monitored. Then click on "Connect".


Once a connection has been established with the firewall, the Connection Manager Profile Editor offers to save the Connection Profile settings you have entered in the Connection Bar:

Once your settings have been saved, you have the option to further edit the parameters of the created Connection Profile using the Connection Profile Editor, by going to Connections -> Connection Profile Editor.




Connections=>Connection Profile Editor

Within the Connection Profile Editor you have the option to select the Profile To Manage. You can edit the Profile Name, change the Address of firewall (to be IP address or Fully Qualified Domain Name), select Protocol (SSH or Telnet) and enter non-standard Port if required.

Note that the profile name also "names" the folder in the FirePlotter Recorded Data path where the .fpr files of the recorded data will be stored. So for example, the above profile named "ASA Firewall" would create the data path C:\Users\[User]\AppData\Roaming\FirePlotter\RecordedData\192.168.68.90 ASA Firewall for its recorded data.

You can also enter the SSH/Telnet Username and SSH/Telnet Password - note that all passwords are encrypted when stored in the Windows registry.

Download Filter settings can be used to get FirePlotter to download a subset of the total sessions running through a firewall, which can be very useful if a firewall is passing thousands of sessions - see Download Filters for more information.

The Record Interval sets the time in seconds between FirePlotter retrieving session data from the firewall.

The Auto Connect option, if enabled, means that when the profile is selected via the command line option FirePlotter.exe /Profile:<profile name>, FirePlotter will connect automatically. If the Auto Connect option is not enabled, then when the profile is selected from the command line the connection settings will load, but FirePlotter will ask whether you want to connect or cancel.

The Auto Reconnect option, if enabled means that FirePlotter will automatically reconnect to the firewall if the connection is lost, and will keep attempting to reconnect until connection is re-established. After each re-connection attempt, FirePlotter doubles the time to wait for the next attempt.

The External Interface can be used for FortiNet firewalls only and sets which interface(s) is/are outside, internet facing. The default on Cisco ASA is the ethernet0 interface. Defaults on FortiGate (multiple entries permitted): WAN1, WAN2 and Port1. No setting is possible for Cisco firewalls.

Monitor HA Cluster is only available for FortiNet firewalls, and should be enabled if the FortiNet firewall is in High-Availability mode: Active-Active (load-balancing), then FirePlotter will monitor and record sessions flowing through both units. If the firewall cluster is in High-Availability mode: Active-Passive (fail-over only), then this feature does not need to be enabled as all sessions pass through the primary (active) unit only. Note: the "Monitor HA cluster" feature only supports a maximum of two firewalls in a cluster.

Authentication Token is only available for FortiNet firewalls, and should be enabled if a tokenised authentication is used to login to the firewall.

The Socket Timeout may be increased for slow firewalls, for example ones that take a long time for prompts to appear.

Session Filter Profile provides the option to automatically load a Session Filter Profile when the connection is established to the firewall - see Session Filters Profile Editor for more information.

Alert Profile provides the option to automatically load an Alert Profile when the connection is established to the firewall - see Alert Profile Editor for more information.



Download Filters

The Download Filter in the Connection Profile Settings can be used to limit the data that is downloaded from the firewall. This is particularly useful for firewalls that have many, many thousands of connections, and remember that you can run multiple copies of FirePlotter that have different download filters set. Also note that if running multiple FirePlotter profiles connected simultaneously to the same firewall, then the profile name should be different for each profile that is connected (to ensure .fpr files are kept separate).

For a Cisco ASA firewall the field can be completed as: address 192.168.68.0 netmask 255.255.255.0 port 25 to only download session data relating to the set filter. The options that can be combined are: address x.x.x.x (source or destination), dest_ip x.x.x.x (range also permitted, 10.1.1.1-10.1.1.5), src_ip x.x.x.x (range also permitted, 10.1.1.1-10.1.1.5), src_port x (range also permitted, 1000-2000), dest_port x (range also permitted, 1000-2000), netmask mask x.x.x.x , port x , protocol {tcp | udp} - these options are from the show connections command. Please note these commands are only supported in ASA 8.x and above. These filter options are set by Cisco (and not FirePlotter). More details on the show conn command here.

For a FortiNet FortiGate firewall the field can be completed as: dia sys session filter dst 193.82.154.9 to only download session data specific to this destination IP. The options are: dport x, dst x.x.x.x (dest ip), duration x, expire x, negate x(inverse filter), policy x (policy id), proto x (protocol number), sport x (source port), src x.x.x.x (source ip) and vd x(index of virtual domain where -1 matches all). These filter options are set by FortiNet (and not FirePlotter). Please note that these commands are only supported in firmware 3.0 MR6 and above. Also note that multiple diag system session filter commands can be added, using | as separator e.g. dia sys session filter dst 193.82.154.9 | dia sys session filter dest_port 25. Also note that since firmware 5.0 there are two additional options: dintf xxxx (destination interface or VLAN), and sintf xxxx (source interface) e.g. dia sys session filter dintf wan1 or dia sys session filter dintf VLAN10.
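Because a Download Filter is passed through to the firewall's own command (show conn on the ASA, diagnose sys session filter on the FortiGate), a malformed filter string is only discovered when the connection fails. The validator below is an added example written for this page, not FirePlotter's code: it checks a filter against the keyword lists and value forms given in the two paragraphs above before it is saved in a profile. Its function names are its own; the FortiGate key list is the one from the text, the acceptance of abbreviated command words ("dia" for "diagnose") reflects FortiOS behaviour, and the treatment of negate's value as the name of another filter key is an assumption.

```python
import ipaddress

CISCO_KEYS = {"address", "dest_ip", "src_ip", "src_port", "dest_port",
              "netmask", "port", "protocol"}
FORTI_KEYS = {"dport", "dst", "duration", "expire", "negate", "policy",
              "proto", "sport", "src", "vd", "dintf", "sintf"}
FORTI_COMMAND = ("diagnose", "system", "session", "filter")


def _ip(text):
    try:
        return ipaddress.IPv4Address(text)
    except ipaddress.AddressValueError:
        raise ValueError(f"not an IPv4 address: {text!r}") from None


def _int_in(text, low, high, what):
    try:
        value = int(text)
    except ValueError:
        raise ValueError(f"{what} is not an integer: {text!r}") from None
    if not low <= value <= high:
        raise ValueError(f"{what} out of range: {text!r}")
    return value


def _port(text):
    return _int_in(text, 1, 65535, "port")


def _single_or_range(text, parse):
    """Accept 'x' or 'x-y'; the low end of a range must not exceed the high end."""
    parts = text.split("-")
    if len(parts) > 2 or not all(parts):
        raise ValueError(f"malformed range: {text!r}")
    values = [parse(p) for p in parts]
    if values[0] > values[-1]:
        raise ValueError(f"range is reversed: {text!r}")


def parse_cisco_filter(text):
    """Validate a Cisco ASA download filter (show conn keywords) and return it as a
    dict. Unknown or repeated keywords, bad addresses and bad ports are rejected."""
    tokens = text.split()
    if len(tokens) % 2:
        raise ValueError("filter must be a sequence of 'keyword value' pairs")
    result = {}
    for key, value in zip(tokens[0::2], tokens[1::2]):
        if key not in CISCO_KEYS:
            raise ValueError(f"unknown Cisco filter keyword: {key!r}")
        if key in result:
            raise ValueError(f"keyword given twice: {key!r}")
        if key in ("address", "netmask"):
            _ip(value)
        elif key in ("dest_ip", "src_ip"):
            _single_or_range(value, _ip)
        elif key in ("src_port", "dest_port"):
            _single_or_range(value, _port)
        elif key == "port":
            _port(value)
        elif value.lower() not in ("tcp", "udp"):      # key == "protocol"
            raise ValueError(f"protocol must be tcp or udp: {value!r}")
        result[key] = value.lower() if key == "protocol" else value
    return result


def parse_fortigate_filter(text):
    """Validate one or more '|'-separated 'dia sys session filter <key> <value>'
    commands and return their (key, value) pairs in order."""
    pairs = []
    for command in text.split("|"):
        tokens = command.split()
        if len(tokens) != 6:
            raise ValueError(f"expected 'dia sys session filter <key> <value>': {command.strip()!r}")
        # FortiOS accepts unambiguous abbreviations, so 'dia' and 'diagnose' both pass.
        for token, word in zip(tokens[:4], FORTI_COMMAND):
            if len(token) < 3 or not word.startswith(token.lower()):
                raise ValueError(f"unexpected command word: {token!r}")
        key, value = tokens[4].lower(), tokens[5]
        if key not in FORTI_KEYS:
            raise ValueError(f"unknown FortiGate filter key: {key!r}")
        if key in ("dport", "sport"):
            _port(value)
        elif key in ("dst", "src"):
            _ip(value)
        elif key in ("duration", "expire", "policy"):
            _int_in(value, 0, 2**32 - 1, key)
        elif key == "proto":
            _int_in(value, 0, 255, "protocol number")
        elif key == "vd":
            _int_in(value, -1, 2**31 - 1, "vdom index")   # -1 matches all VDOMs
        elif key == "negate" and value.lower() not in FORTI_KEYS - {"negate"}:
            # assumption: negate names the filter key whose match is inverted
            raise ValueError(f"negate must name another filter key: {value!r}")
        # dintf / sintf take an interface or VLAN name; any non-empty token is kept
        pairs.append((key, value))
    return pairs
```

Validating the string locally also documents what a profile is meant to download, which matters when several FirePlotter instances with different filters are recording from the same firewall.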

Click "Save" to save the profile. "Help" button links to this section in the Online Help.



The Filters Menu provides access to opening the "Session Filter Manager" (see Session Filter Profile Editor) and "Edit Live Filter" (see Edit Active Filter).



Session Table Control Bar

Managing Session Filter Profiles

In the Session Table Control Bar you can select a Session Filter Profile (see Session Filters Profile Editor), or you can modify the "Summarize Table by" drop down menu, providing the options to summarize (i.e. count the number of sessions) by: No summary, Direction, Service/Destination Port, Source IP, Source Port, Destination IP and IP Protocol (and with FortiNet firewalls by Policy ID).

You can also select the View Mode: Basic or Advanced (see View Modes: Basic & Advanced). You can choose to enable "Pause on Session Filter Match" that will pause FirePlotter if session data appears that matches the Active Session Filter.

Also in the Session Table Control Bar are the buttons to return the Session Table Section to the default view Home (reset session filter to default), or if the Session Table Section has been explored by (double left mouse) click zooming into session detail (and so creating filters), then the Back (step back through filters used) or Forward (step forward through filters used) can be operated. The disk Save button can be used to save the current Session Filter using the Session Filter Profile Editor.

The Table Build Progress - provides status on the building of the Session Table View (Loading, Sorting...Complete messages).

The Active Session Filter shows the status of filters being applied to the Session Table View. The default (no filtering) is D=* S/DP=* SIP=* SP=* DIP=* IPP=* PID=* where D= Direction, S/DP=Service/Destination Port, SIP=Source IP Address, SP=Source Port, DIP=Destination IP Address, IPP=IP Protocol (and for FortiNet PID=Policy ID) are all set to * i.e. any value.

See Understanding Zoom In, Active Filters and Summary Filters and Session Filter Profile Editor for how to operate Session Filters.

Also displayed is Sessions (Filtered/Total): XXXX/YYYY where XXXX=number of sessions currently displayed in the Session Table using current active filter and YYYY=total number of sessions passing through the firewall.



Session Filter Profile Editor

Filters=>Session Filter Profile Editor

The Filters Menu provides options to open the Session Filter Profile Editor, where we can manually create a Session Filter Profile that can be saved, or Edit Active Filter, where we can modify the Active Session Filter.

By using the Session Filter Profile editor we can create session filters that focus on specific sessions that are required to be monitored - and these session filter profiles can then be applied either in Global Settings or a Connection Profile.

Note that if a Session Filter Profile is assigned to File => Global Settings => Default Profile, then FirePlotter will need to be restarted for it to become active. If a Session Filter Profile is assigned in Connections => Connection Profile Editor, then once applied the connection will need to be re-established for it to become active.

If we open the Session Filter Profile Editor we get the following screen:

Session Filter Profile to Manage shows we are editing the Active Filter, or we can use the drop down to select pre-saved profiles to edit.

The Session Filter Profile Name can be entered to create a new session filter profile entry.

We can then enter/edit filter parameters:

The Direction filter parameter can be set to monitor Both (directions), or specifically Inbound or Outbound sessions.

The Service/Dest Port (Destination Port) filter parameter can be set to a single or multiple (separated by a space) values. For example to filter on just destination port 80 (HTTP), enter 80. Or to monitor HTTP, HTTPS and SSH enter 80 443 22. The logical NOT character "!" can only be used once at the start of the line. So !80 would display all ports except 80, and !80 443 22 would display all ports except 80 443 22.

Source IP filter parameter can be set to single or multiple (separated by a space) values. For example to filter to just see traffic from source IP address 192.168.1.14, enter 192.168.1.14. Or to monitor source IP address 192.168.1.14 and sessions from subnet 192.168.71.0/255.255.255.0 enter 192.168.1.14 192.168.71.0/255.255.255.0. The logical NOT character "!" can only be used once at the start of the line. So !192.168.1.14 would cause the session table to display all source IP addresses except 192.168.1.14.

The Source Port filter parameter can be set to a single or multiple values. Typically this field is likely to be left blank. But if needed, for example to filter on just source port 128881, then enter 128881. Or enter multiple values separated by a space. The logical NOT character "!" can only be used once at the start of the line. So !128881 would display all source port sessions except 128881.

Destination IP filter parameter can be set to single or multiple (separated by a space) values - see the Source IP filter parameter above for examples.

IP Protocol filter parameter can be set to single or multiple (separated by a space) values. For example setting it to 6 will monitor all TCP sessions; if left blank all IP protocols will be included.

Policy ID (FortiGate only) filter parameter provides the option to filter on firewall policy number, for FortiNet FortiGates only. Single or multiple (separated by a space) values are permitted. So enter 73 to monitor sessions passing through policy 73. The logical NOT character "!" can only be used once at the start of the line. So !73 69 would display all sessions passing through all policy IDs except 73 and 69.
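The filter semantics described in the parameter paragraphs above (space-separated values, a single leading "!" negating the whole field, IP values given as an address or as address/mask, a blank field meaning any value) can be implemented as a small matcher. The following Python is an added example written for this page, not FirePlotter's own code: the field names, the session record layout and the sample sessions are this example's own constructions. It also renders a filter in the Status Bar form D=* S/DP=* SIP=* SP=* DIP=* IPP=* PID=* described under the Session Table Control Bar, and counts sessions the way "Summarise Table By" does.

```python
import ipaddress
from collections import Counter

# Constructed sample sessions in the shape of FirePlotter's session table rows
# (field names are this example's own; addresses are from documentation ranges).
SAMPLE_SESSIONS = [
    dict(direction="Outbound", src_ip="192.168.1.14", src_port=51000,
         dst_ip="198.51.100.10", dst_port=80, proto=6, policy_id=73),
    dict(direction="Outbound", src_ip="192.168.1.14", src_port=51001,
         dst_ip="198.51.100.10", dst_port=443, proto=6, policy_id=73),
    dict(direction="Outbound", src_ip="192.168.71.20", src_port=51002,
         dst_ip="198.51.100.53", dst_port=53, proto=17, policy_id=69),
    dict(direction="Inbound", src_ip="203.0.113.5", src_port=40000,
         dst_ip="192.168.1.10", dst_port=25, proto=6, policy_id=12),
]


def _ip_matches(value, actual):
    """'a.b.c.d' matches that address; 'a.b.c.d/m.m.m.m' matches the whole subnet."""
    address = ipaddress.IPv4Address(actual)
    if "/" in value:
        return address in ipaddress.IPv4Network(value, strict=False)
    return address == ipaddress.IPv4Address(value)


def _num_matches(value, actual):
    return int(value) == actual


# Filter parameter -> (session field, comparison of one filter value with the actual value)
_FIELDS = {
    "dest_port": ("dst_port", _num_matches),
    "src_ip": ("src_ip", _ip_matches),
    "src_port": ("src_port", _num_matches),
    "dest_ip": ("dst_ip", _ip_matches),
    "ip_proto": ("proto", _num_matches),
    "policy_id": ("policy_id", _num_matches),
}


def _parse_field(text):
    """Split a filter field into (negate, values). Blank means any value, and '!'
    is honoured only as the first character, as the help text states."""
    text = text.strip()
    if not text:
        return False, []
    negate = text.startswith("!")
    return negate, (text[1:] if negate else text).split()


def _field_matches(filter_text, actual, compare):
    negate, values = _parse_field(filter_text)
    if not values:
        return True
    return any(compare(v, actual) for v in values) != negate


def session_matches(flt, session):
    """True when the session passes every parameter of the filter dict `flt`
    (keys: direction, dest_port, src_ip, src_port, dest_ip, ip_proto, policy_id)."""
    direction = flt.get("direction", "Both")
    if direction != "Both" and session["direction"] != direction:
        return False
    return all(_field_matches(flt.get(name, ""), session[field], compare)
               for name, (field, compare) in _FIELDS.items())


def apply_filter(flt, sessions):
    return [s for s in sessions if session_matches(flt, s)]


def summarise(sessions, field):
    """'Summarise Table By': number of sessions per distinct value of one field."""
    return Counter(s[field] for s in sessions)


def active_filter_status(flt):
    """Render a filter as the Status Bar shows it; '*' stands for any value.
    How FirePlotter abbreviates a direction is not stated on the page, so the
    direction word is shown as given."""
    def show(name):
        return flt.get(name, "").strip() or "*"
    direction = flt.get("direction", "Both")
    return " ".join([
        "D=" + ("*" if direction == "Both" else direction),
        "S/DP=" + show("dest_port"), "SIP=" + show("src_ip"), "SP=" + show("src_port"),
        "DIP=" + show("dest_ip"), "IPP=" + show("ip_proto"), "PID=" + show("policy_id"),
    ])
```

Negation applies to the field as a whole, so "!80 443 22" excludes all three ports rather than excluding 80 and requiring 443 or 22; the matcher reproduces that by testing the list for any hit and then inverting the result once.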

Summarise Table By gives the option to get FirePlotter's session table to summarise the number of sessions by: No Summary, Direction, Service/Destination Port, Source IP, Source Port, Destination IP, IP Protocol, Policy ID (FortiGate only) and Special (by Direction & Service).

The Sort Fields option lets the order of table entries be sorted first by: No Sort, Direction, Service/Destination Port, Sessions, Source IP, Source Port, Destination IP, IP Protocol, In Bytes/s, Out Bytes/s, Cumulative In Bytes/s, Cumulative Out Bytes/s and Policy ID (FortiGate only). These fields can be secondarily sorted by these same options.

Sort Column Type provides the option to sort columns Ascending or Descending.

View Mode can be set to Basic or Advanced - for more information see View Modes: Basic & Advanced.

Pause on Session Filter Match - if tick-box is set this will cause FirePlotter to Pause the Session Table display if the Session Filter is matched. This is useful for finding specific sessions during live view or replay of historical data.

The Save button can be used to save the Session Filter settings. If the Session Filter Profile name is new, then this will create a new entry, if the Session Filter Profile name already exists then you will be asked if it is OK to overwrite the existing entry. There is also the option to Rename the session filter which can be achieved by editing the Session Filter Profile Name to be different from the original name and then clicking on the Rename button. There is also the option to Delete the session filter entry using the Delete button.



Edit Active Filter

Filters=>Edit Active Filter

If we Edit Active Filter we get the following screen:

Session Filter Profile to Manage shows we are editing the Active Filter and is intentionally greyed out. The Session Filter Profile Name is intentionally greyed out.

The Direction filter parameter can be set to monitor Both (directions), or specifically Inbound or Outbound sessions.

The Service/Dest Port (Destination Port) filter parameter can be set to a single or multiple (separated by a space) values. For example to filter on just destination port 80 (HTTP), enter 80. Or to monitor HTTP, HTTPS and SSH enter 80 443 22. The logical NOT character "!" can only be used once at the start of the line. So !80 would display all ports except 80, and !80 443 22 would display all ports except 80 443 22.

Source IP filter parameter can be set to single or multiple (separated by a space) values. For example to filter to just see traffic from source IP address 192.168.1.14, enter 192.168.1.14. Or to monitor source IP address 192.168.1.14 and sessions from subnet 192.168.71.0/255.255.255.0 enter 192.168.1.14 192.168.71.0/255.255.255.0. The logical NOT character "!" can only be used once at the start of the line. So !192.168.1.14 would cause the session table to display all source IP addresses except 192.168.1.14.

The Source Port filter parameter can be set to a single or multiple (separated by a space) values. Typically this field is likely to be left blank. But if needed, for example to filter on just source port 128881, then enter 128881. Or enter multiple values separated by a space. The logical NOT character "!" can only be used once at the start of the line. So !128881 would display all source port sessions except 128881.

Destination IP filter parameter can be set to single or multiple (separated by a space) values - see the Source IP filter parameter above for examples.

IP Protocol filter parameter can be set to single or multiple (separated by a space) values. For example setting it to 6 will monitor all TCP sessions; if left blank all IP protocols will be included.

The Policy ID (FortiGate only) filter parameter provides the option to filter on firewall policy number for FortiNet FortiGates only. Single or multiple (separated by a space) values are permitted. So enter 73 to monitor sessions passing through policy 73. The logical NOT character "!" can only be used once, at the start of the line. So !73 69 would display all sessions passing through every policy ID except 73 and 69.

Summarise Table By gives the option to get FirePlotter's session table to summarise the number of sessions by: No Summary, Direction, Service/Destination Port, Source IP, Source Port, Destination IP, IP Protocol, Policy ID (FortiGate only) and Special (by Direction & Service).

The Sort Fields option lets the order of table entries be sorted first by: No Sort, Direction, Service/Destination Port, Sessions, Source IP, Source Port, Destination IP, IP Protocol, In Bytes/s, Out Bytes/s, Cumulative In Bytes/s, Cumulative Out Bytes/s and Policy ID (FortiGate only). The entries can then be secondarily sorted by these same options.

Sort Column Type provides the option to sort columns Ascending or Descending.

View Mode can be set to Basic or Advanced - for more information see View Modes: Basic & Advanced.

Pause on Session Filter Match - if the tick-box is set, this will cause FirePlotter to pause the Session Table display when the Session Filter is matched. This is useful for finding specific sessions during live view or replay of historical data.

Press the Apply button to make the session filter active upon the current session table view.
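As an added illustration of the filter syntax described above (this is not FirePlotter's own code), the following Python implements the same rules: space-separated values, a single "!" allowed only at the start of the line to negate the whole list, a blank field meaning "no filter", and IP values given either as a single address or as network/netmask. The Session column names, the SessionFilter field names and the sample session table are constructed assumptions for the example; it also applies a Summarise Table By style count to the filtered result.

```python
# Added example (not FirePlotter code): evaluate session filters using the
# syntax described on this page.  Column names and sample sessions are
# constructed assumptions for illustration.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass
class Session:
    direction: str                    # "Inbound" or "Outbound"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int                     # Service/Destination Port
    proto: int                        # IP protocol number, 6 = TCP, 17 = UDP
    policy_id: Optional[int] = None   # FortiGate only


def parse_terms(text: str) -> Tuple[bool, List[str]]:
    """Split one filter field into (negate, values).

    Values are separated by spaces; "!" is allowed once, at the start of
    the line, and negates the whole list.  A blank field means "no filter".
    """
    text = text.strip()
    if not text:
        return False, []
    negate = text.startswith("!")
    if negate:
        text = text[1:]
    if "!" in text:
        raise ValueError('"!" may only be used once, at the start of the line')
    return negate, text.split()


def ip_in_terms(value: str, terms: List[str]) -> bool:
    """Match an address against single IPs or network/netmask entries such as
    192.168.71.0/255.255.255.0 (ipaddress accepts dotted-decimal masks)."""
    addr = ip_address(value)
    for term in terms:
        if "/" in term:
            if addr in ip_network(term, strict=False):
                return True
        elif addr == ip_address(term):
            return True
    return False


def field_matches(value, text: str, is_ip: bool = False) -> bool:
    negate, terms = parse_terms(text)
    if not terms:
        return True                      # blank field: everything passes
    hit = ip_in_terms(value, terms) if is_ip else str(value) in terms
    return (not hit) if negate else hit


@dataclass
class SessionFilter:
    """One entry per column, written exactly as it would be typed in the editor."""
    direction: str = "Both"
    dst_port: str = ""
    src_ip: str = ""
    src_port: str = ""
    dst_ip: str = ""
    proto: str = ""
    policy_id: str = ""

    def matches(self, s: Session) -> bool:
        if self.direction != "Both" and s.direction != self.direction:
            return False
        return (field_matches(s.dst_port, self.dst_port)
                and field_matches(s.src_ip, self.src_ip, is_ip=True)
                and field_matches(s.src_port, self.src_port)
                and field_matches(s.dst_ip, self.dst_ip, is_ip=True)
                and field_matches(s.proto, self.proto)
                and field_matches(s.policy_id, self.policy_id))


def apply_filter(flt: SessionFilter, sessions: List[Session]) -> List[Session]:
    return [s for s in sessions if flt.matches(s)]


def summarise(sessions: List[Session], by: str) -> Dict[object, int]:
    """Count sessions per distinct value of one column (Summarise Table By)."""
    counts: Dict[object, int] = {}
    for s in sessions:
        key = getattr(s, by)
        counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed sample session table (RFC 5737 documentation addresses outside).
SAMPLE = [
    Session("Outbound", "192.168.1.14", 51000, "203.0.113.10", 80, 6, 73),
    Session("Outbound", "192.168.1.14", 51001, "203.0.113.10", 443, 6, 73),
    Session("Outbound", "192.168.71.5", 51002, "203.0.113.20", 22, 6, 69),
    Session("Outbound", "192.168.71.7", 51003, "192.168.1.9", 445, 6, 12),
    Session("Inbound", "198.51.100.4", 40000, "192.168.1.9", 445, 6, 5),
    Session("Inbound", "198.51.100.4", 40001, "192.168.1.9", 53, 17, 5),
]

if __name__ == "__main__":
    web_ssh = apply_filter(SessionFilter(dst_port="80 443 22"), SAMPLE)
    print(len(web_ssh), "sessions on 80/443/22")
    smb = apply_filter(SessionFilter(dst_port="445"), SAMPLE)
    print("SMB (445) sessions by source IP:", summarise(smb, "src_ip"))
```

Filtering on dst_port="445" and summarising by src_ip is the same drill-down the Troubleshooting section suggests for locating hosts generating SMB sessions: the count per source address identifies the talkers without scrolling the whole table.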



Managing Alert Profiles

Alerts=>Alert Profile Editor

The Alerts Menu provides options to open the Alert Profile Editor where we can manually create Alert Profiles that can then be applied either in Global Settings or a Connection Profile.

Note: if an Alert Profile is assigned to File => Global Settings => Default Profile, then FirePlotter will need to be restarted for it to become active. If an Alert Profile is assigned in Connections => Connection Profile Editor, then once applied the connection will need to be re-established for it to become active.

If we open the Alert Profile Editor we get the following screen:

Alert Profile Editor shows that we are creating a New Profile, or we can use the drop-down to select a pre-saved alert profile to edit.

The Alert Profile Name can be entered to create a new Alert Profile entry.

We can then enter/edit alert parameters:

The Total Bandwidth Alert can be set to monitor one or both directions (INBOUND and/or OUTBOUND). The thresholds are set in Kbits/s and duration is set in seconds.

The Session Count Alert can also be enabled. The threshold is set as the total number of sessions and the duration is set in seconds.

The Save button can be used to save the Alert Profile settings. If the Alert Profile name is new, then this will create a new entry; if the Alert Profile name already exists, then you will be asked if it is OK to overwrite the existing entry. There is also the option to Rename the Alert Profile, which can be achieved by editing the Alert Profile Name to be different from the original name and then clicking on the Rename button. There is also the option to Delete the Alert Profile entry using the Delete button.

If the thresholds are triggered then FirePlotter will display asterisks (*) next to relevant values in the Session Count and Total Bandwidth fields in the FirePlotter GUI. See screenshot below:

If Email Notifications have been configured in File, Global Settings, Email Notification, then an email alert will be sent to the specified recipients when the Total Bandwidth or Session Count Alert threshold has been exceeded for the duration set.

When the Total Bandwidth or Session Count drops below the thresholds set, a subsequent email is sent indicating that the alert is cancelled, and the asterisk(s) disappear from the Session Count and Total Bandwidth fields in the FirePlotter GUI.
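The following Python is an added example (not FirePlotter's own code) of the alert behaviour just described: a threshold in Kbits/s or in sessions has to be exceeded continuously for the configured duration before the alert is raised, and the alert is cancelled as soon as the value drops back below the threshold. It also shows how a Total Bandwidth figure in Kbits/s is obtained by summing the per-session In Bytes/s and Out Bytes/s columns, as the Focus Control Bar section describes. The 5-second sampling interval, the 1 Kbit = 1000 bits conversion and the sample values are assumptions made for the example.

```python
# Added example (not FirePlotter code): a sustained-threshold alert of the
# kind described above.  Thresholds are in Kbits/s (bandwidth) or a session
# count and must be exceeded for the configured duration before the alert is
# raised; dropping below the threshold cancels it.  The sampling interval,
# the 1 Kbit = 1000 bits conversion and the sample data are assumptions.
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple


def bytes_per_s_to_kbits(bytes_per_s: float) -> float:
    """Session table columns are in Bytes/s; alert thresholds are in Kbits/s."""
    return bytes_per_s * 8 / 1000.0


def total_bandwidth_kbits(sessions: Iterable[Tuple[float, float]]) -> Tuple[float, float]:
    """Sum every session's (In Bytes/s, Out Bytes/s) into (INBOUND, OUTBOUND)
    Kbits/s, the summation the Focus Control Bar shows as Total Bandwidth."""
    in_total = out_total = 0.0
    for in_bps, out_bps in sessions:
        in_total += in_bps
        out_total += out_bps
    return bytes_per_s_to_kbits(in_total), bytes_per_s_to_kbits(out_total)


@dataclass
class ThresholdAlert:
    name: str
    threshold: float      # Kbits/s for bandwidth alerts, a count for session alerts
    duration_s: float     # how long the threshold must be continuously exceeded
    over_since: Optional[float] = None   # time the value first went over threshold
    active: bool = False

    def update(self, t: float, value: float) -> Optional[str]:
        """Feed one sample taken at time t (seconds).
        Returns "raised" or "cancelled" on a state change, otherwise None."""
        if value > self.threshold:
            if self.over_since is None:
                self.over_since = t
            if not self.active and t - self.over_since >= self.duration_s:
                self.active = True
                return "raised"
        else:
            self.over_since = None          # any dip resets the duration clock
            if self.active:
                self.active = False
                return "cancelled"
        return None

    def display(self, value: float) -> str:
        """Mimic the GUI: an asterisk is shown next to the value while active."""
        return f"{value:g}*" if self.active else f"{value:g}"


def run_alert(alert: ThresholdAlert,
              samples: Iterable[Tuple[float, float]]) -> List[Tuple[float, str]]:
    """Replay (t, value) samples through the alert, collecting state changes."""
    events: List[Tuple[float, str]] = []
    for t, value in samples:
        event = alert.update(t, value)
        if event:
            events.append((t, event))
    return events


# Constructed samples: INBOUND Kbits/s every 5 seconds (the default record interval).
SUSTAINED = [(0, 500.0), (5, 1500.0), (10, 1600.0), (15, 1700.0),
             (20, 1200.0), (25, 300.0), (30, 200.0)]
# A brief spike that never stays over the threshold for the full duration.
SPIKY = [(0, 500.0), (5, 2000.0), (10, 400.0), (15, 2000.0), (20, 400.0)]

if __name__ == "__main__":
    print(total_bandwidth_kbits([(125000, 25000), (250000, 0)]))   # (3000.0, 200.0)
    alert = ThresholdAlert("INBOUND bandwidth", threshold=1000.0, duration_s=10)
    print(run_alert(alert, SUSTAINED))   # [(15, 'raised'), (25, 'cancelled')]
    print(run_alert(ThresholdAlert("INBOUND bandwidth", 1000.0, 10), SPIKY))   # []
```

The duration check is what separates a real alert from noise: with a 10-second duration and 5-second samples the value must be over the threshold at three consecutive samples, so a single-sample spike (the SPIKY series) never raises the alert, while the SUSTAINED series raises it at t=15 and cancels it at t=25.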



Session Table Section

The traffic monitored by FirePlotter is divided into Inbound and Outbound. Inbound traffic is defined as sessions that are initiated from outside of the firewall passing inside. Outbound traffic is defined as any sessions that are initiated from the inside of the firewall passing to the outside. Until FirePlotter is developed to differentiate between all possible firewall interfaces, any DMZ ports on a firewall are considered as "inside". So sessions passing from DMZ(s) to Outside are considered as Outbound sessions and vice versa.

Once FirePlotter is gathering real-time data you can single or double left mouse click in the Session Table Section on any of the Direction, Source IP, Source Port, Destination IP, Service/Destination Port, IP Protocol or Sessions fields to zoom into specific real-time session information. So if you single or double left mouse click on a line in the Source IP address column where a single IP address is displayed, you will drill down into all the sessions related to that IP address. Or if you click on a line in the Service/Destination Port column where HTTP (80) is displayed, you will drill down into all HTTP traffic passing through the firewall.

Tip - you can see what filters are active as you drill down by viewing the Active Session Filter display screen just above the Session Table Section on FirePlotter screen.

Tip - You may choose to activate or create a Session Filter Profile, Summarise Table By, change the View Mode and more - see Session Table Control Bar.

Tip - You can also click on any of the column headings to re-order into ascending order the whole session list by the data in that column.

Tip - To reset back to the "Default view" - right-mouse click anywhere in the Session Table and select "Default View".

Tip - To manually edit the Active Session Filter - right-mouse click anywhere in the Session Table and select "Edit Active Filter".

The default view summarises the sessions by Inbound and Outbound sessions, and then by Service/Destination Port (this is the "Special" view).

Where the Source IP or Destination IP field shows "...", this indicates multiple addresses; it may be double-clicked to get more information on what those IP addresses are.

Where possible FirePlotter will resolve IP addresses to Fully Qualified Domain Names (FQDNs) or NetBIOS Names (optional). When an IP address is displayed in brackets e.g. (192.168.1.1) - this indicates that FirePlotter is still attempting to resolve a name to the IP address. See Address Resolution under FirePlotter Controls & Views for how to set name resolution options.

Note - FirePlotter suppresses monitoring of its own SSH or telnet traffic in the session tables and in the graphing of traffic unless otherwise set in Monitoring Connection under FirePlotter Controls & Views.

Also please note for any Cisco PIX users: Cisco do not provide session data in PIX 6.x for connections directly to the PIX interfaces. This means that management connections such as SSH or HTTPS are not displayed. This also means that VPN connections terminated at the PIX are not reported. However, in PIX/ASA 7.x+ this session data is provided and so FirePlotter can display bandwidth usage and session data for all connections terminated at the PIX interfaces (SSH, HTTPS, VPN etc).



Focus Control Bar

The FirePlotter Focus Bar provides information about the time and source of the session data you are viewing. The Focus Time and Date tell you the date and time of the current snapshot being displayed in the session table. Firewall Unit Name, Address, Model and Firmware version are also displayed. Real Time and Date is displayed so you can compare it with the Focus Time and Date. When FirePlotter is in real-time mode the Focus Time and Date will be almost exactly the same as the Real Time and Date (as below). However, if you choose to play historical data then the Focus Time and Date will show the Time and Date of the data you chose to replay.

The Focus bar also provides the Play, Pause and Reset Buttons. When FirePlotter is connected to a firewall, it downloads the session data by default every 5 seconds or at whatever frequency "Record Interval" is set to. If we want to prevent the session table from updating so we can explore sessions, then we can use the "Pause" and "Play" buttons to pause and restart the data being displayed in the Session Table and graphing of bandwidth usage. The Reset button resets the graphs to real-time view. This is most often used when previously viewing historical data.

Note - when the "Pause" button is pushed and session table and graphing updates stop, FirePlotter still continues to record your firewall session data in the background.

The Play interval can be used to speed up or slow down the playback of historical data (using File, Open Recorded Data), or to speed up or slow down playback when resuming from Pause to catch up to real time.

The Total Bandwidth (INBOUND/OUTBOUND) Kbits/s displays in real time the total bandwidth being detected, using the summation of all sessions' In Bytes/s and Out Bytes/s columns in the Session Table. Note that FirePlotter uses a simple "inbound" and "outbound" traffic model, so the total bandwidth figures may not be as expected. For example, a high-bandwidth session between a DMZ interface and an internal interface may show in this summation. So Total Bandwidth is meant to be used as a "rough guide only" on firewalls with more than two interfaces.



Graphical Bandwidth Plotting Section

The graphical section displays Inbound and Outbound Bandwidth Usage in KBits/Second over time by Service/Destination Port. The colours of services are set in the FirePlotter.ini file. For example: Email (SMTP) traffic is red; Web Browsing (HTTP) is green; Secure HTTP (HTTPS) is gold; FTP is brown. Total Bandwidth is in black.

FirePlotter's Graphical Bandwidth Plotting, as well as graphing the total bandwidth for the 8 configurable key protocols (Ping, FTP, SMTP, DNS, HTTP, POP3, HTTPS & RDP), also continually ensures that the protocol consuming the most bandwidth is always graphed with a Trace line. The Trace line is often not visible on the graphs, as the protocol consuming the most bandwidth is usually one of the 8 key protocols, which are already graphed. On occasions where a non-key protocol is consuming the most bandwidth, the Trace line appears and the associated protocol entries in the Session Tables are highlighted with the same colour. The Trace line protocol can change second by second as different applications compete for the available bandwidth. The default Trace colour is a pale blue and, when it appears on the Graphical Bandwidth Plotting, it is a slightly thinner line than the key protocols.
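As an added example (not FirePlotter's own code) of the Trace line rule just described, the Python below aggregates per-session byte rates by service for each plotting interval, always emits the 8 key protocol series plus the Total, and assigns the Trace line only when the heaviest consumer is not one of the key protocols. The service names, byte counts, 5-second intervals and the 1 Kbit = 1000 bits conversion are constructed assumptions for the example.

```python
# Added example (not FirePlotter code): choose which protocol gets the Trace
# line each interval.  The 8 key protocols are always plotted; the Trace line
# only appears when the heaviest consumer is NOT one of them.  Service names,
# byte counts and the 1 Kbit = 1000 bits conversion are constructed assumptions.
from typing import Dict, List, Optional, Tuple

KEY_PROTOCOLS = ("Ping", "FTP", "SMTP", "DNS", "HTTP", "POP3", "HTTPS", "RDP")

# A session row here is (service name, In Bytes/s, Out Bytes/s).
SessionRow = Tuple[str, float, float]


def kbits_by_service(sessions: List[SessionRow]) -> Dict[str, float]:
    """Aggregate each service's in + out Bytes/s into Kbits/s."""
    totals: Dict[str, float] = {}
    for service, in_bps, out_bps in sessions:
        totals[service] = totals.get(service, 0.0) + (in_bps + out_bps) * 8 / 1000.0
    return totals


def trace_protocol(sessions: List[SessionRow]) -> Optional[str]:
    """Return the service that gets the Trace line this interval, or None when
    the top consumer is already one of the key protocols (and so already plotted)."""
    totals = kbits_by_service(sessions)
    if not totals:
        return None
    top = max(totals, key=totals.get)
    return None if top in KEY_PROTOCOLS else top


def plot_points(intervals: List[List[SessionRow]]) -> List[Dict[str, object]]:
    """One plotted point per interval: the 8 key protocol series, the black
    Total series and the Trace protocol (which may change every interval)."""
    points: List[Dict[str, object]] = []
    for sessions in intervals:
        totals = kbits_by_service(sessions)
        point: Dict[str, object] = {name: totals.get(name, 0.0) for name in KEY_PROTOCOLS}
        point["Total"] = sum(totals.values())
        point["Trace"] = trace_protocol(sessions)
        points.append(point)
    return points


# Two constructed 5-second intervals.  In the first, HTTP is the heaviest
# consumer so no Trace line is needed; in the second an unlisted service on
# port 8080 takes over, so it is traced and its table rows would be highlighted.
INTERVALS = [
    [("HTTP", 50000, 5000), ("HTTPS", 30000, 3000), ("SMB (445)", 20000, 1000)],
    [("HTTP", 10000, 1000), ("Port 8080", 90000, 40000), ("DNS", 500, 500)],
]

if __name__ == "__main__":
    for i, point in enumerate(plot_points(INTERVALS)):
        print(f"interval {i}: total={point['Total']:.0f} Kbits/s, trace={point['Trace']}")
```

Because the Trace series is recomputed every interval, a non-key protocol that only briefly dominates appears as a short pale-blue segment and then vanishes again, which is exactly the second-by-second behaviour the paragraph above describes.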

FirePlotter lets you review historical data by clicking your mouse on the area of the graph you are interested in. See FirePlotter Replay

Status Bar

From left to right, the first part of the Status Section indicates the Recording Status, which includes the Firewall Unit Name, IP Address, model and firmware version and any Download Filter that has been applied (see Download Filters for more information). The next section indicates when the next update of session data will start; on first connection it indicates how many blocks of data are being downloaded to get all the session data from the firewall, and for subsequent downloads FirePlotter indicates an estimate in percentage (%) of the session data still to be downloaded before the next refresh of the session table. The rightmost section displays the recording time in Days, Hours, Minutes and Seconds since FirePlotter first started recording session data from the firewall.

Tip - You can use the Windows key combination of [Ctrl+Alt+PrtScn] to copy a screenshot of the active window (in this case the FirePlotter application) to the clipboard at any time. You can then paste this image into any other application of your choice.



The Help Menu options are: "Online Help" (taking you to this web page), "Training Video (10 minutes)", "FAQ" (providing more information about FirePlotter), "Check for Updates Online", "Licence Manager" and "About FirePlotter" (see FirePlotter Licensing).



FirePlotter Licensing

Once FirePlotter is running, to see your current licensing status for FirePlotter, go to the Menu Bar and select "Help", "About FirePlotter" to see a screen similar to the following:


Free Mode vs. Licensed Mode

FirePlotter can be run in Free Mode or (paid for) Licensed mode - see the differences between the two here: Free vs. Licensed Mode - Comparison Chart

FirePlotter can be downloaded and used right away, without any licensing being applied, in "Watch only" mode, with the powerful Summary, Sort, Filter, Advanced View Mode, Zoom and Replay features disabled. "Watch only" mode does provide an excellent overview of your firewall's sessions and bandwidth usage in real time. We do recommend that you request a 14-day license so you can experience FirePlotter with the Summary, Sort, Filter, Zoom and Replay features enabled.



FirePlotter Licensing Renewals

FirePlotter begins to display warning screens when any 12-month FirePlotter license or a 14-day evaluation license is approaching expiration. To renew a 12-month license simply go to Buy FirePlotter and purchase another 12-month license (same price as first 12-months). The maximum period of licensing that can be purchased is 12 months.

Concurrent Usage

A purchased License includes a concurrent usage count which limits the total number of copies of FirePlotter allowed to be installed within an organisation.

Example: one concurrent licensed copy means only one machine can have FirePlotter installed.

To see the FirePlotter End User License Agreement (EULA) - please click here

Also see: FirePlotter Replay and Multiple Users

FirePlotter Licensing Classes

FirePlotter Class 1 license for SMB Firewall - 1 Year

With this FirePlotter license (Class 1) a single user can connect FirePlotter to any single Cisco ASA 5505 and 5506, or FortiGate 20C through to 98D models.

FirePlotter Class 2 license for Enterprise Firewall - 1 Year

With this FirePlotter license (includes Class 1 & 2) a single user can connect FirePlotter to any single Class 1 firewall, or any single Cisco ASA 5510/5530 or FortiGate 100D through to 400D (and FortiGate-VM) models.

FirePlotter Class 3 license for High End Firewall - 1 Year

With this FirePlotter license (includes Class 1, 2 & 3) a single user can connect FirePlotter to any single Class 1 & 2 firewall, or to any single Cisco ASA 5530 to 5585, FWSM or FortiGate 500D models upwards.

FirePlotter Licensing Rules

  • FirePlotter only permits a new license to be installed when no license is present or fewer than 90 days remain on an existing license.
  • When installing a new license, FirePlotter backdates it to the expiry date of the expired license or the start date of the new license (whichever gives the most days).
  • If no license is installed then FirePlotter starts the new license at the date of purchase.
  • A new license start date can only be extended by up to 90 days. So if two licenses are purchased at the same time, and the 2nd license is applied when the first one has expired, it will only give 90 additional days.




Installing FirePlotter License (.lic) File

Your 14-day evaluation license or 1-Year full license file can be activated by going to Help -> License Manager -> Add. FirePlotter licenses can be added and removed using this License Manager interface. If you have upgraded from a previous version of FirePlotter, then FirePlotter's License Manager will automatically activate any license file(s) already present and add them into the Licence Manager Interface.


For information on how to view your current FirePlotter license class - see FirePlotter Licensing

See Buy FirePlotter for pricing.



Moving FirePlotter to Another PC

If you wish to transfer your FirePlotter Global Settings, Connection Profiles, Session Filter Profiles and Alert Profiles from one PC to another, you can do this using regedit.exe and Export. Execute regedit.exe on your PC and on the menu click Edit, Find and search for GISS-UK.com. Then right mouse click on the FirePlotter heading, select Export and save this registry branch as a file:


Then transfer the saved file to new PC where FirePlotter is installed and right mouse click on the file and select Merge, and click Yes through the "Are you sure you want to continue" warning. This will add your FirePlotter settings into the registry on this new PC. You can now run FirePlotter to see your settings successfully imported.



Troubleshooting

Most popular:

TCP/IP Connection to host <IP address> failed (Check IP address and Telnet enabled) - Error Message?
Username/Password Error - Error Message?
FirePlotter does not show any inbound stats on my Cisco Firewall? (see also Understanding FirePlotter and Cisco ASA Firewall )
Why is FirePlotter missing some FortiGate bandwidth?
FirePlotter does not show any data from my FortiGate Firewall?
Can I filter FortiGate firewall sessions before they are sent to FirePlotter?
How do I use FirePlotter to find out who or what is using my bandwidth?
Why are options disabled or greyed out?

Occasionally asked:

What commands does FirePlotter send to my firewall?
Why does FirePlotter cause my ASA firewall to run at 99% CPU utilization?
Why does FirePlotter generate queries to outside hosts on UDP port 137?
Suspicious traffic from a device/PC?
What permanent files does FirePlotter install and use and where are they?
Why can I not see connections "to" my Cisco Firewall e.g. my SSH or VPN sessions?
How do I reset FirePlotter windows size and position?
How do I use FirePlotter to detect which PCs are infected by the Conficker virus?
Does FirePlotter work on an Apple Mac?
What can I do if I get Unexpected Cisco User Prompt warning message?
What can I do if I get a SSH Login Error in my FortiGate Event Log?
FirePlotter Error Messages
FirePlotter Other Messages
Which Cisco ASA models are supported by FirePlotter?
Which FortiNet FortiGate models are supported by FirePlotter?
Further Help

TCP/IP Connection to host <IP address> failed (Check IP address, SSH/Telnet enabled) - Error Message?

If FirePlotter cannot make a connection to your firewall once the Connect button has been pushed, then this error is displayed:

To test the SSH connection, run a copy of PuTTY (PuTTY can be downloaded at www.chiark.greenend.org.uk/~sgtatham/putty/download.html ) and use it to test the SSH connection to your firewall. You will then be prompted for login. Enter the login credentials you have to confirm that they work.

If they do, then you are now ready to use FirePlotter. If not then see Setting Up Your Cisco ASA Firewall for FirePlotter or Setting Up Your FortiNet FortiGate Firewall for FirePlotter.

Username/Password Error - Error Message?

If FirePlotter is not provided with the correct login credentials, then this error message will be displayed. Check you have typed the correct SSH or telnet login (and for Cisco "enable") credentials. Also check Caps Lock is not active on your keyboard! If necessary use PuTTY to test the credentials (see TCP/IP Connection to host <IP address> failed (Check IP address and Telnet enabled) - Error Message? )

Why is FirePlotter missing some FortiGate bandwidth?

FirePlotter can acquire incomplete data when a FortiGate is using its Network Processor chip (NP) to accelerate traffic. Accelerated (fastpathed) traffic does not completely pass through the FortiGate CPU, which results in some bandwidth data being unavailable to 3rd party network monitoring systems like FirePlotter. Where 3rd party monitoring is required, the fastpath (NP acceleration) functionality can be temporarily disabled, which will result in all new session bandwidth data being accurately provided to FirePlotter. Disabling fastpath NP acceleration does not typically dramatically reduce FortiGate performance, so it can be left disabled to allow FirePlotter ongoing monitoring. Rebooting the FortiGate will restore fastpath NP acceleration.

Fastpath can only be disabled via the CLI (Command Line Interface):

1. Determine the ID of the NP:
FG800C # diagnose npu np4 stats
The following NP4 IDs are available:
0

2. Disable fastpath NP acceleration:
FG800C # diagnose npu np4 fastpath disable 0
NP4 Fast Path disabled. Please clear session to clear existing path.

Sessions do not need to be cleared to just start monitoring new sessions.
Note: the CLI command that disables fastpath can be entered in the Download Filter in a Connection Profile.

3. Run FirePlotter and all bandwidth data will be available for new sessions.

4. Enable fastpath NP acceleration again if required:
FG800C # diagnose npu np4 fastpath enable 0
NP4 Fast Path enabled

Fortinet fastpath overview:

NPs provide fastpath acceleration by offloading communication sessions from the FortiGate CPU. When the first packet of a new session is received by an interface connected to an NP processor, just like any session connecting with any FortiGate interface, the session is forwarded to the FortiGate CPU where it is matched with a security policy. If the session is accepted by a security policy and if the session can be offloaded, its session key is copied to the NP processor that received the packet. All of the rest of the packets in the session are intercepted by the NP processor and fast-pathed out of the FortiGate unit to their destination without ever passing through the FortiGate CPU. The result is enhanced network performance provided by the NP processor, plus the network processing load is removed from the CPU.

Why are options disabled or greyed out?

If you do not have a license for FirePlotter then it defaults to Free Mode (Watch Only) which only enables real-time monitoring and disables (amongst other features) the ability to Zoom into session details.

If you haven't already, you can request your FREE 14-day FirePlotter License here: Request 14-Day License to evaluate fully functional FirePlotter.

So, for example, the Zoom feature in "Licensed" or "Evaluation" mode means you can drill down into a "..." entry in the session table to get more information about which IP addresses are creating sessions.

Other features such as Summary Options, Default View, Refresh now, Refresh Interval, Pause, Play, FirePlotter.ini settings, Right Mouse Click and other capabilities are all enabled in "Licensed" or "Evaluation" mode.

See Free vs. Licensed Mode Comparison Chart or FirePlotter Licensing for more information.

What commands does FirePlotter send to my firewall?

FirePlotter typically sends the following commands to a firewall using SSH or telnet to extract the session table data (exact commands and frequency may vary according to software/firmware version):

Cisco ASA CLI commands from enable prompt:

terminal pager 0
show version
show config
show conn all (or sh con all, or show connections all)

FortiNet Fortigate CLI commands from admin login prompt:

config vdom
edit route
get system status
diag sys session ttl
diag sys session list
diag netlink interface list

Why does FirePlotter cause my ASA firewall to run at 99% CPU utilization?

If you are running ASA version 7 then you will need to upgrade to version 7.23 to avoid this problem. There is a bug in ASA version 7.22 that causes the firewall to run to 99% CPU utilization when a telnet (or SSH) session requests large quantities of data (which it does frequently). More >>

Why does FirePlotter generate queries to outside hosts on UDP port 137?

FirePlotter performs an rDNS and NetBIOS (UDP/137) lookup of the IP addresses, some of which will be to outside hosts. If the IP addresses are resolvable (nameable) then the names are displayed alongside the individual IP address in the Source IP and Destination IP columns of the Session Table. See Session Table Section for more information.

Note: When NetBIOS name resolution is turned on, FirePlotter attempts to resolve ALL IP addresses this way. This means that NetBIOS (UDP/137) lookups are sent to IP addresses outside of your firewall. We would recommend a firewall policy rule that blocks/denies UDP Port 137 from your internal network to the internet.

Suspicious traffic from a device/PC?

On the PC with the suspicious application, use "netstat -o -a" to find the process ID of the application generating the traffic (check source port), and then use Task Manager to find that Process ID (In Task Manager go to View, select Columns to ensure PID is selected and so displayed).

What files does FirePlotter install and use and where are they?

FirePlotter installs and uses all of the following files (permanent and temporary).

These files are installed during installation in C:\Program Files\FirePlotter (or the chosen location):

FirePlotter.exe [Main application]
License.rtf [End User license agreement]
FirePlotter.lnk [Windows shortcut to FirePlotter website home page]
FirePlotterBuy.lnk [Windows shortcut to FirePlotter website product purchase page]
FirePlotterOnlineHelp.lnk [Windows shortcut to FirePlotter website online help page]
FP-Ping.bat [Batch file for Ping on Right Mouse Click]
FP-Tracert.bat [Batch file for traceroute on Right Mouse Click]
wodSSH.dll [Dynamic Link Library for SSH and Telnet communications]

In C:\Documents and Settings\[UserName]\Application Data\FirePlotter on Windows XP, in C:\Users\[UserName]\AppData\Roaming\FirePlotter on Windows Vista or Windows 7, or in C:\Documents and Settings\[UserName]\Application Data\FirePlotter on Windows 2003 Server, these files are installed:

FirePlotter.ini [Configuration parameters]
FirePlotterDebug.txt [FirePlotter debug file that records FirePlotter's initialisation and operational information]
fireplotter.lic [FirePlotter license file] - note this file must be placed in this directory manually (either a 14-day Evaluation License or a Purchased Annual License).

Log files are created and updated in this same directory each time FirePlotter is run.

Temporary files are created as part of FirePlotter's normal operation for Cisco and FortiGate firewalls. The FirePlotter Process ID is used in the file name to allow multiple concurrent copies of FirePlotter to be running on the same machine if the necessary "Concurrent" license has been purchased.

Cisco:
<ProcessID>PIXVersion.txt [System information, i.e. model, serial number etc.]
<ProcessID>PIXConfig.txt [Configuration information]
<ProcessID>PIXConnection.txt [Session/Connection table]

FortiGate:
<ProcessID>UnitSystem.txt [System information, i.e. model, serial number etc.]
<ProcessID>UnitInterface.txt [Interface list, i.e. what network connections the firewall has]
<ProcessID>UnitTTL.txt [Non-default Time-To-Live values]
<ProcessID>UnitSession.txt [Session/Connection table]

Also, in this directory the RecordedData directory is created, under which folders are created per firewall, date and hour (e.g. C:\Users\[UserName]\AppData\Roaming\FirePlotter\RecordedData\192.168.68.90 demo-cisco-firewall\...).

Why can I not see connections "to" my Cisco Firewall e.g. my SSH or VPN sessions?

Cisco does not provide session data about sessions directly connected to Cisco ASA interfaces. This includes protocols such as: Telnet, SSH, SNMP, ping, IPSEC VPN, ISAKMP, NAT-T and HTTPS. Note that FirePlotter will display the traffic that passes *through* the VPN.

FirePlotter does not show any inbound stats on my Cisco Firewall?

When FirePlotter gets session data from a Cisco firewall, the displayed statistics are related to the "direction of initiation". So for a session that is outbound initiated (inside to out), for example a session visiting a website that then downloads a file using HTTP, that download will be displayed in FirePlotter as outbound HTTP byte counts. The data is displayed in this way because this is how Cisco chooses to provide it. It follows that inbound stats will only show if sessions have been initiated from the outside in.

FirePlotter does not show any data from my FortiGate Firewall?

If FirePlotter has successfully connected and authenticated to a FortiGate firewall, sometimes the credentials that have been used to login do not have sufficient rights to access the session data needed for FirePlotter to work. Note that only the default admin account, or equivalent, has sufficient rights for FirePlotter to operate correctly.

How do I reset FirePlotter windows size and position?

If you run into a window resize problem, then using regedit.exe delete:

HKEY_CURRENT_USER\Software\GISS-UK.com\FirePlotter\FP-WindowPosition

How do I use FirePlotter to find out who or what is using my bandwidth?

See Understanding Zoom In, Active Filters and Summary Filters to easily track down which device all those sessions are coming from!

How do I use FirePlotter to detect which PCs are infected by the Conficker virus?

See Understanding Zoom In, Active Filters and Summary Filters to help you detect the Conficker virus, which uses SMB TCP Port 445.

Does FirePlotter work on an Apple Mac?

Yes - FirePlotter will work on an iMac running Parallels with Microsoft Vista and XP. We have also had some success with using FirePlotter with Crossover for Mac.

Can I filter FortiGate firewall sessions before they are sent to FirePlotter?

Yes - Download Filter settings can be used to get FirePlotter to download a subset of the total sessions running through a firewall, which can be very useful if a firewall is passing thousands of sessions - see Download Filters for more information.

What can I do if I get Unexpected Cisco User Prompt warning message?

If FirePlotter is having difficulty connecting or auto-reconnecting to a Cisco firewall, resulting in a fireplotterdebug.txt message "Unexpected Cisco User Prompt" then we recommend increasing the SocketTimeout setting in fireplotter.ini [Connection] from the default 5 seconds to 10 seconds:

SocketTimeout=10

What can I do if I get a SSH Login Error in my FortiGate Event Log?

If FirePlotter is connecting to a FortiGate firewall running v3.00 Build 731 (MR7 Patch1) then when FirePlotter connects using SSH the FortiGate may generate an SSH login error (Event Log message). This is a bug in the FortiGate firmware that was introduced in v3.00 MR7 Patch1, and is fixed in Build 733 (MR7 Patch2). To fix this error upgrade your FortiGate's firmware.


FirePlotter Error Messages (Help Codes)

Help Code: 0x1011 - Establishment of Connection Error

This error occurs if FirePlotter cannot connect to the firewall or if too many login attempt failures (incorrect credentials) have caused the firewall to refuse connections.

Check you can ping the firewall and that a telnet/SSH connection is available. See Setting Up Your Cisco ASA Firewall for FirePlotter or Setting Up Your FortiNet FortiGate Firewall for FirePlotter for further help.


Help Code: 0x1021 - FortiGate Telnet Authentication Failure Error

This error occurs if FirePlotter fails to authenticate to a FortiGate Firewall.

Check you are using/typing the correct login credentials. See Setting Up Your FortiNet FortiGate Firewall for FirePlotter for further help.


Help Code: 0x1022 - FortiGate Connection Lost Error

This error occurs if FirePlotter loses connection with a FortiGate firewall it has already successfully connected to.

You can use Socket Timeout setting in the Connection Profile to help with timeout problems on a poor quality connection. The default timeout is 5 seconds.

Help Code: 0x1031 - Cisco Connection Lost Error

This error occurs if FirePlotter loses connection with a Cisco firewall it has already successfully connected to.

You can use Socket Timeout setting in the Connection Profile to help with timeout problems on a poor quality connection. The default timeout is 5 seconds.

Help Code: 0x1032 - Cisco Telnet Authentication Failure Error

This error occurs if FirePlotter fails to authenticate to a Cisco Firewall.

Check you are using/typing the correct login credentials. See Setting Up Your Cisco ASA Firewall for FirePlotter for further help.


Help Code: 0x1033 - Cisco Enable Authentication Failure Error

This error occurs if FirePlotter fails to switch to 'enable' mode on a Cisco Firewall.

Check you are using/typing the correct 'enable' credentials. See Setting Up Your Cisco ASA Firewall for FirePlotter for further help.

Help Code: 0x1035 - SSH Authentication Failure Error

This error occurs if FirePlotter fails to authenticate to a Firewall.

Check you are using/typing the correct login credentials. See Setting Up SSH on Your Firewall for FirePlotter for further help.

Help Code: 0x1036 - Critical file is missing - program aborted

This error occurs if a critical file is missing from the installation.

Please re-install FirePlotter, remembering to back up your fireplotter.ini first if any user modifications to the fireplotter.ini file have previously been made.

FirePlotter Other Messages

This version of FirePlotter.EXE has intentionally expired. Please download the latest version from http://www.fireplotter.com/

Each version of the FirePlotter.EXE program is timed to expire 1 year from the date it was created. This way we can ensure users always have the best version of FirePlotter available. If you see this message it does not affect your annual FirePlotter licensing. All you need to do is download and install the latest version of FirePlotter from our website.


FirePlotter Hidden Registry Settings

Disable Option to View Cisco Firewall Configuration

HKEY_CURRENT_USER\Software\GISS-UK.com\FirePlotter\FP-GlobalSettings\RestrictCiscoConfigAccess (REG_DWORD). Set to 1 to disable the menu option to view the Cisco Firewall Configuration (reached via RMC (Right Mouse Click) in the Session Table when connected to a Cisco firewall).

Disable Minimum Screen Resolution Check

HKEY_CURRENT_USER\Software\GISS-UK.com\FirePlotter\FP-GlobalSettings\ScreenResIgnore (REG_DWORD). Set to 1 to skip the minimum screen resolution check.

Disable Single Click Zoom

HKEY_CURRENT_USER\Software\GISS-UK.com\FirePlotter\FP-GlobalSettings\SessionDoubleClick (DWORD). If set to 1, the user double-clicks to Zoom on sessions instead of single-clicking.

Change IP Information Site

The IP Information site defaults to http://cqcounter.com/whois/ip/.html (the IP address is inserted before .html). It is user definable: the URL is built as [pre][ip][post] from the two String values HKEY_CURRENT_USER\Software\GISS-UK.com\FirePlotter\FP-GlobalSettings\IP-Information-Pre and HKEY_CURRENT_USER\Software\GISS-UK.com\FirePlotter\FP-GlobalSettings\IP-Information-Post.

Send .fpr file with Alert Email

HKEY_CURRENT_USER\Software\GISS-UK.com\FirePlotter\FP-GlobalSettings\SendAlertFPR (DWORD). If set to 1, the .FPR file is sent with the Alert email.

Add a Time Zone Offset to .fpr files

Add a 'TimeZoneOffset' DWORD value in the Registry, either under HKEY_CURRENT_USER\Software\GISS-UK.com\FirePlotter\FP-GlobalSettings (checked first) or under an individual connection profile within HKEY_CURRENT_USER\Software\GISS-UK.com\FirePlotter\FP-Profiles\ (checked second). It holds the hour offset between the recorded data and the player's timezone, e.g. 3 or -1.

Reset Window Size

If you run into a window resize problem, delete HKEY_CURRENT_USER\Software\GISS-UK.com\FirePlotter\FP-WindowPosition.

Graph Heading Rename

Graph headings can be renamed via RegEdit using the String Values Graph.Left.Fortinet, Graph.Right.Fortinet, Graph.Left.Cisco and Graph.Right.Cisco within HKEY_CURRENT_USER\Software\GISS-UK.com\FirePlotter\FP-GlobalSettings.
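The following PowerShell script is an added example, not part of the FirePlotter documentation or product: it applies the hidden FP-GlobalSettings values described above for the current user and reads them back. The TimeZoneOffset value of 3 is a constructed sample; run it as the user who launches FirePlotter, with FirePlotter closed.

```powershell
# Added example: write and verify FirePlotter hidden registry settings (HKCU).
$Global = 'HKCU:\Software\GISS-UK.com\FirePlotter\FP-GlobalSettings'

# Create the key if FirePlotter has not written it yet.
if (-not (Test-Path $Global)) {
    New-Item -Path $Global -Force | Out-Null
}

# Disable the right-click "view Cisco Firewall Configuration" option.
# A running config exposes addressing, ACLs and credential hashes, so an
# operator who only needs session visibility should not be able to pull it.
Set-ItemProperty -Path $Global -Name 'RestrictCiscoConfigAccess' -Type DWord -Value 1

# Only a value of 1 attaches the .FPR recording to alert e-mails; removing the
# value keeps recordings (which contain internal addresses) off the mail path.
Remove-ItemProperty -Path $Global -Name 'SendAlertFPR' -ErrorAction SilentlyContinue

# The IP Information URL is built as [pre][ip][post]; these two values
# reproduce the documented default http://cqcounter.com/whois/ip/<ip>.html.
Set-ItemProperty -Path $Global -Name 'IP-Information-Pre'  -Type String -Value 'http://cqcounter.com/whois/ip/'
Set-ItemProperty -Path $Global -Name 'IP-Information-Post' -Type String -Value '.html'

# Constructed sample: recorded data is 3 hours ahead of the player's timezone.
Set-ItemProperty -Path $Global -Name 'TimeZoneOffset' -Type DWord -Value 3

# Read back what FirePlotter will see on its next start.
Get-ItemProperty -Path $Global |
    Select-Object RestrictCiscoConfigAccess, SendAlertFPR,
                  'IP-Information-Pre', 'IP-Information-Post', TimeZoneOffset |
    Format-List
```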



Which Cisco ASA models are supported by FirePlotter?

The following Cisco ASA models are supported:

ASA-5505
ASA-5506
ASA-5505-K8
ASA5506
ASA5506-X
ASA5506H
ASA5506H-X
ASA5506W-X
ASA5508
ASA5508-X
ASA-5510
ASA-5510-K8
ASA-5512-X
ASA-5515-X
ASA-5516
ASA-5516-X
ASA 5520
ASA-5520-K8
ASA-5525
ASA-5525-K7
ASA-5525-X
ASA-5530
ASA-5530-K8
ASA-5540
ASA-5540-K8
ASA-5545
ASA-5545-K8
ASA-5545-X
ASA-5550
ASA-5550-K8
ASA-5555
ASA-5555-X
ASA-5560
ASA-5580-20
ASA-5585-X
ASA-5585-SSP-10
ASA 5585-X-SSP10
ASA 5585-X-SSP20
ASA 5585-SSP-20
ASA 5585-X-SSP40
ASA 5585-SSP-40
ASA 5585-X-SSP60
ASA 5585-SSP-60
ASAv
FWSM Firewall Version 3.1(7)
FWSM Firewall Version 3.1(8)
WS-SVC-FWM-1
WS-SVC-FWM-1-K9
PIX-501
PIX-506
PIX-506E
PIX-510
PIX-515
PIX-515E
PIX-520
PIX-525
PIX-535

Which FortiNet FortiGate models are supported by FirePlotter?

The following FortiNet FortiGate models are supported:

FG-20C / FortiGate-20C
FW-20C / FortiWifi-20C
FG-30B / FortiGate-30B
FG-30D-POE / FortiGate-30D-POE
FG-30E / FortiGate-30E
FW-30B / FortiWifi-30B
FW-30D-POE / FortiWifi-30D-POE
FW-30E / FortiWifi-30E
FG-40C / FortiGate-40C
FW-40C / FortiWifi-40C
FG-50A / FortiGate-50A
FG-50B / FortiGate-50B
FG-50E / FortiGate-50E
FG-51B / FortiGate-51B
FG-51B-LENC / FortiGate-51B-LENC
FG-51E / FortiGate-51E
FW-50B / FortiWiFi-50B
FW-50E / FortiWiFi-50E
FG-60 / FortiGate-60
FG-60B / FortiGate-60B
FG-60C / FortiGate-60C
FG-60C-POE / FortiGate-60C-POE
FG-60D / FortiGate-60D
FG-60D-POE / FortiGate-60D-POE
FG-60E / FortiGate-60E
FG-61E / FortiGate-61E
FW-60 / FortiWifi-60
FW-60A / FortiWiFi-60A
FW-60AM / FortiWiFi-60A
FW-60B / FortiWiFi-60B
FW-60C / FortiWiFi-60C
FW-60CM / FortiWiFi-60CM
FW-60CX-ADSL / FortiWiFi-60CX-ADSL
FW-60D / FortiWifi-60D
FW-60D-POE / FortiWifi-60D-POE
FW-60E / FortiWifi-60E
FW-61E / FortiWifi-61E
FG-70D / FortiGate-70D
FG-70D-POE / FortiGate-70D-POE
FG-70D-LENC / FortiGate-70D-LENC
FG-80C / FortiGate-80C
FG-80CM / FortiGate-80CM
FW-80CM / FortiWifi-80CM
FG-80D / FortiGate-80D
FG-81CM / FortiGate-81CM
FW-81CM / FortiWifi-81CM
FG-82C / FortiGate-82C
FG-90D / FortiGate-90D
FG-90D-POE / FortiGate-90D-POE
FW-90D / FortiWifi-90D
FW-90D-POE / FortiWifi-90D-POE
FW-92D / FortiWifi-92D
FG-94D-POE / FortiGate-94D-POE
FG-98D / FortiGate-98D
FG-98D-POE / FortiGate-98D-POE
FG-100 / FortiGate-100
FG-100A / FortiGate-100A
FG-100D / FortiGate-100D
FG-110C / FortiGate-110C
FG-111C / FortiGate-111C
FG-140 / FortiGate-140D
FG-140D-POE / FortiGate-140D-POE
FG-200 / FortiGate-200
FG-200A / FortiGate-200A
FG-200A-HD / FortiGate-200A-HD
FG-200B / FortiGate-200B
FG-200B-POE / FortiGate-200B-POE
FG-200D / FortiGate-200D
FG-200D-POE / FortiGate-200D-POE
FG-224B / FortiGate-224B
FG-240D / FortiGate-240D
FG-240D-POE / FortiGate-240D-POE
FG-280D / FortiGate-280D
FG-280D-POE / FortiGate-280D-POE
FG-300 / FortiGate-300
FG-300A / FortiGate-300A
FG-300C / FortiGate-300C
FG-300D / FortiGate-300D
FG-300A-HD / FortiGate-300A-HD
FG-310B / FortiGate-310B
FG-310B-DC / FortiGate-310B-DC
FG-311B / FortiGate-311B
FG-400 / FortiGate-400
FG-400A / FortiGate-400A
FG-400A-HD / FortiGate-400A-HD
FG-400D / FortiGate-400D
FG-500A / FortiGate-500A
FG-500A-HD / FortiGate-500A-HD
FG-500D / FortiGate-500D
FG-600C / FortiGate-600C
FG-600D / FortiGate-600D
FG-620B / FortiGate-620B
FG-620B-DC / FortiGate-620B-DC
FG-621B / FortiGate-621B
FG-800 / FortiGate-800
FG-800C / FortiGate-800C
FG-800D / FortiGate-800D
FG-800F / FortiGate-800F
FG-900D / FortiGate-900D
FG-1000 / FortiGate-1000
FG-1000A / FortiGate-1000A
FG-1000A-LENC / FortiGate-1000A-LENC
FG-1000AFA2 / FortiGate-1000AFA2
FG-1000C / FortiGate-1000C
FG-1000D / FortiGate-1000D
FG-1200D / FortiGate-1200D
FG-1240B / FortiGate-1240B
FG-1500D / FortiGate-1500D
FG-1500DT / FortiGate-1500DT
FG-3000 / FortiGate-3000
FG-3000D / FortiGate-3000D
FG-3000D-DC / FortiGate-3000D-DC
FG-3016B / FortiGate-3016B
FG-3040B / FortiGate-3040B
FG-3100D / FortiGate-3100D
FG-3100D-DC / FortiGate-3100D-DC
FG-3140B / FortiGate-3140B
FG-3200D / FortiGate-3200D
FG-3600 / FortiGate-3600
FG-3600C / FortiGate-3600C
FG-3600LX2 / FortiGate-3600LX2
FG-3600LX4 / FortiGate-3600LX4
FG-3600A / FortiGate-3600A
FG-3810A-E4 / FortiGate-3810A-E4
FG-3700D / FortiGate-3700D
FG-3700DX / FortiGate-3700DX
FG-3810D / FortiGate-3810D
FG-3815D / FortiGate-3815D
FG-5001 / FortiGate-5001
FG-5001FA2 / FortiGate-5001FA2
FG-5001C / FortiGate-5001C
FG-5001D / FortiGate-5001D
FG-5002FA2 / FortiGate-5002FA2
FG-5002FB2 / FortiGate-5002FB2
FG-5005FA2 / FortiGate-5005FA2
FG-VM / FortiGate-VM
FG-VM32 / FortiGate-VM32
FG-VM32-HV / FortiGate-VM32-HV
FG-VM64 / FortiGate-VM64
FG-VM64-HV / FortiGate-VM64-HV


Further Help

If you have a support question that has not been answered by this document, then please send us a FirePlotter Support Request.

To assist in resolving any technical issues, please include the following information in your email*:

1) A description of the problem, if possible including screenshot of problem.

2) The PC Operating System (Windows 10/8/7, Vista, XP, Windows Server 2003/2008/2012/2016) you are running?

3) Make, Model and Firmware/OS Version of firewall?

4) The version of FirePlotter you are running? (in Help, About)

5) Are you using SSH or Telnet?

6) Are you able to successfully login to your firewall using a SSH or Telnet client?

7) When you test FirePlotter on a different PC, do you experience the same problem?

8) Is FirePlotter local to the firewall or being used over a remote link/VPN?

9) Detailed logging data for the problem. Please edit your C:\Program Files\FirePlotter\FirePlotter.ini file, and in the [Connections] section add the line "LogLevel=255" and save the file.

Then re-create the problem, press Pause between refresh cycles, and then attach to your email to us a (zipped) copy of all the *.txt files in the FirePlotter data folder*.

Please note LogLevel=255 significantly reduces FirePlotter performance, so we recommend the line is removed once the technical issue is resolved.

10) What is a typical number of sessions that pass through the firewall?

*For any confidential information (e.g. IP addresses), use Search & Replace to change it to X before sending.
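The following PowerShell script is an added example, not part of the FirePlotter documentation or product: it prepares the log bundle requested in step 9 and the footnote by replacing every IPv4 address in the *.txt files with a consistent placeholder (X-1, X-2, ...) and zipping the copies. $DataDir is an assumption about where your FirePlotter data folder is; adjust it to match your installation.

```powershell
# Added example: redact IPv4 addresses in FirePlotter *.txt logs, then zip them.
$DataDir = 'C:\Program Files\FirePlotter'                 # assumed data folder
$OutDir  = Join-Path $env:TEMP 'fireplotter-support'
$Zip     = Join-Path $env:TEMP 'fireplotter-logs-redacted.zip'

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# Dotted-quad IPv4; the word boundaries stop partial matches inside other
# numeric tokens. Each distinct address maps to the same placeholder so the
# logs remain correlatable for support without disclosing real addressing.
$Ipv4 = '\b(?:\d{1,3}\.){3}\d{1,3}\b'
$script:map = @{}
$evaluator = {
    param($m)
    if (-not $script:map.ContainsKey($m.Value)) {
        $script:map[$m.Value] = 'X-' + ($script:map.Count + 1)
    }
    $script:map[$m.Value]
}

Get-ChildItem -Path $DataDir -Filter '*.txt' -File | ForEach-Object {
    $text     = Get-Content -Path $_.FullName -Raw
    $redacted = [regex]::Replace($text, $Ipv4, $evaluator)
    Set-Content -Path (Join-Path $OutDir $_.Name) -Value $redacted -NoNewline
}

# Check before sending: no IPv4 address may survive in the redacted copies.
$leak = Get-ChildItem -Path $OutDir -Filter '*.txt' | Select-String -Pattern $Ipv4
if ($leak) { throw "Unredacted address found in $($leak[0].Path)" }

if (Test-Path $Zip) { Remove-Item -Path $Zip }
Compress-Archive -Path (Join-Path $OutDir '*.txt') -DestinationPath $Zip
Write-Host "Redacted $($script:map.Count) distinct addresses; attach $Zip to the support request"
```

Remember to remove the LogLevel=255 line from FirePlotter.ini once the issue is resolved, as noted above.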

If you have an upgrade question that has not been answered by this document then please send us a FirePlotter Support Request with the Subject header starting with UPGRADE:

If you have an enhancement request that has not been identified in our FirePlotter Roadmap, then please send us a FirePlotter Support Request with the subject header starting with ROADMAP: If you want to recommend a number of enhancements you would like to see, then please prioritise your list so we will know which is most important to you.

More Information