Traffic Flow Analysis – Essential for Managing Today’s Security Networks

I think of a security network like a city’s streets. You have smaller streets for quiet neighborhoods and larger, 2-3 lane streets for major congestion areas. All of these thoroughfares were built by engineers who monitored traffic flows and patterns and evaluated exactly how many cars flow through the intersections, which directions (special attention to cars turning at the intersection) and what time of day. As a result, they use this “Traffic Flow Analysis” to define new “rules” for the traffic control system (stop lights) to efficiently move cars through an intersection.

FireMon’s Traffic Flow Analysis or “TFA” does the same thing to monitor traffic through a firewall rule, and instead of allowing all traffic to traverse in all directions, it monitors the empirical behaviors on the network and lets administrators know which rules they can create to allow only the necessary access.

Do you need Application Data with your TFA? Yes, both matter.

Security Manager, FireMon’s flagship security management platform, transforms TFA from a monitoring tool to a powerful decision-making tool through the use of application data. The addition of application data in TFA allows a user to identify which applications are being used in a rule and between which sources and destinations. Just as with the traditional TFA, we present the data as a list – including all applications in use for the monitored traffic – as well as in a “flow.” A flow is a set of common tuples (source, destination, service and application). All the traffic monitored can be broken into flows that can be used to create more refined rules in a policy.

Image - 1200 x 600 - TFA application flow.png

In the screenshot, you can see six flows associated with the captured traffic. The highlighted column shows the identified application used in each flow.

TFA for Next-Generation Firewalls

There is significant value to seeing applications in the flow to enable a user to more effectively refine their security policy. However, there is a specific market value to this new capability, especially for those next-generation firewall vendors. These vendors have built their business on the concept that a firewall should control access based on more than just port and protocol, but also based on the application. However, customers that are buying and installing these firewalls often fail to update rules to enforce application control. This happens for a couple of reasons:

  • Migrations: Generally, NGFWs are replacing a legacy technology. The original rules didn’t have applications, so the migrated rules will not either. The effort to change these rules is significant, but it is also hard to do without better information. FireMon can provide that information.
  • Education: NGFWs are still a relatively new technology. Administrators may not be familiar with it and often revert back to creating rules without application definition. Fixing these rules after the fact is hard to do without good data.

Using TFA with application awareness allows enterprises to improve their firewall policies and get more value out of their firewall purchases.

Dynamic Data Collection Matters

Continuing my traffic analogy, you could think of applications as another data point such as distinguishing between types of vehicles and understanding that truck traffic requires different rules than cars.

Some security management vendors only allow a user to collect data on a specific firewall rule. With Security Manager’s TFA, you can collect it across an entire firewall using a combination of source, destination, service or application as filters to the data collection. For street traffic, we can map the flow between any two points in a city or by types of vehicles, regardless of which intersection they move through. The scope of the analysis is massive.

Image - 800x500 - dynamic data collection.png

Imagine sensors at every single intersection in your daily commute, enabling a sort of “Intelligent City.” Using that same naming convention, FireMon enables “Intelligent Firewalls.” For example, say you were asked to evaluate all the traffic that is allowed into a PCI zone in your network. You could turn on TFA for the firewall protecting the PCI zone and monitor all traffic destined to networks in the PCI zone. Regardless of which rule is permitting the traffic, you can get a picture of exactly which hosts are communicating to servers in the PCI zone using which services (HTTP, SMTP, FTP, etc.).

Image - 800x500 - tfa.png

Large datasets have made generating a TFA reporting a very time consuming and system-intensive operation. Security Manager relieves that burden, returning results in seconds. It is an amazingly fast process for the complexity of the analysis.

This dynamic analysis of any traffic flow pattern across the entire device policy is unique to FireMon’s Security Manager platform and is made possible by our distributed, scalable architecture.

TFA for the Cloud

Moving to the cloud enables enterprise networks to exponentially support more devices, more rules and more log data. FireMon’s distributed, horizontal data architecture can reliably monitor, collect and analyze data in real time from large enterprise infrastructure, and can support over 1 million rules and thousands of devices in a single pane.

Just as the “Intelligent City” engineer must monitor traffic flows within the network, he must be able to monitor and analyze traffic coming to and from his city in the same manner with the same level of functionality and detail. With Security Manager, the unique functionality and scalability of TFA is seamlessly extended from on-premises networks to hybrid cloud networks.


Traffic Flow Analysis is essential to effectively understand the performance of a network. Just having TFA is not enough.

You need a TFA solution that uses application data to identify which applications are being used in a rule and between sources and destinations.

You need a TFA solution that allows you to take advantage of the full functionality of next-generation firewalls.

You need a TFA solution that dynamic analyzes any traffic flow pattern across the entire device policy.

You need a TFA solution that is scalable enough to support migration and expansion to a cloud environment.

To learn more, request a demo of FireMon’s Traffic Flow Analysis functionality >>