Can BigFix Map Server-to-Server Communications for Firewall Planning

Is there a capability in BigFix that would map out communications across servers? We need something to assist with firewall planning for the datacenter migration.

What exactly we are looking for is:

  1. Traffic between servers - ports & services.
  2. Traffic inside & outside of servers - ports and services.

I know BigFix does not map server-to-server communications or traffic flows like a network monitoring or flow analysis tool does. But I still wanted to check if we can somehow achieve it?

You can use BigFix to map Local IP, Local Port, Remote IP, Remote Port, State and Type of the Communication (TCP / UDP) - https://developer.bigfix.com/relevance/reference/socket.html

Keep in mind that relevance is only going to give you a snapshot in time depending on your frequency to report. It doesn’t really document what was captured in the last report. So, while it could show you persistent traffic that has established ports at that given moment that it reported, it would not show you what was established 10 minutes prior. I’m sure you COULD accomplish parts of what you are referring to using a combination of relevance and local tools like netstat in Windows, but you would have to have an action script execute the proper netstat command periodically and write it to text files; then with relevance you could use lines of files to parse through the text file to gather the traffic history across multiple runs.

Here are most if not all of the properties you have under the sockets of the network inspector object. You can play around with that and remove any properties that you don’t care about.

( (local address of it) as string | "n/a",
(local port of it) as string | "n/a",
(creation time of process of it) as string | "n/a",
(dep enabled of process of it) as string | "n/a",
(gdi object count of process of it) as string | "n/a",
(handle count of process of it) as string | "n/a",
(id of process of it) as string | "n/a",
(image file of process of it) as string | "n/a",
(io other count of process of it) as string | "n/a",
(io other size of process of it) as string | "n/a",
(io read count of process of it) as string | "n/a",
(io read size of process of it) as string | "n/a",
(io write count of process of it) as string | "n/a",
(io write size of process of it) as string | "n/a",
(kernel time of process of it) as string | "n/a",
(name of process of it) as string | "n/a",
(nx bit of process of it) as string | "n/a",
(page fault count of process of it) as string | "n/a",
(page file usage of process of it) as string | "n/a",
(peak page file usage of process of it) as string | "n/a",
(peak working set size of process of it) as string | "n/a",
(pid of process of it) as string | "n/a",
(ppid of process of it) as string | "n/a",
(process id of process of it) as string | "n/a",
(quota nonpaged pool usage of process of it) as string | "n/a",
(quota paged pool usage of process of it) as string | "n/a",
(quota peak nonpaged pool usage of process of it) as string | "n/a",
(quota peak paged pool usage of process of it) as string | "n/a",
(session id of process of it) as string | "n/a",
(user object count of process of it) as string | "n/a",
(user of process of it) as string | "n/a",
(user time of process of it) as string | "n/a",
(working set size of process of it) as string | "n/a",
(wow64 of process of it) as string | "n/a",
(remote address of it) as string | "n/a",
(remote port of it) as string | "n/a",
(tcp of it) as string | "n/a",
(close wait of tcp state of it) as string | "n/a",
(closed of tcp state of it) as string | "n/a",
(closing of tcp state of it) as string | "n/a",
(delete tcb of tcp state of it) as string | "n/a",
(established of tcp state of it) as string | "n/a",
(fin wait one of tcp state of it) as string | "n/a",
(fin wait two of tcp state of it) as string | "n/a",
(last ack of tcp state of it) as string | "n/a",
(listening of tcp state of it) as string | "n/a",
(syn received of tcp state of it) as string | "n/a",
(syn sent of tcp state of it) as string | "n/a",
(time wait of tcp state of it) as string | "n/a",
(udp of it) as string | "n/a" )
of sockets of network

ALSO, if you are trying to look at specific processes, you can filter your query down to a specific process.

( (local address of it) as string | "n/a",
(local port of it) as string | "n/a",
(creation time of process of it) as string | "n/a",
(dep enabled of process of it) as string | "n/a",
(gdi object count of process of it) as string | "n/a",
(handle count of process of it) as string | "n/a",
(id of process of it) as string | "n/a",
(image file of process of it) as string | "n/a",
(io other count of process of it) as string | "n/a",
(io other size of process of it) as string | "n/a",
(io read count of process of it) as string | "n/a",
(io read size of process of it) as string | "n/a",
(io write count of process of it) as string | "n/a",
(io write size of process of it) as string | "n/a",
(kernel time of process of it) as string | "n/a",
(name of process of it) as string | "n/a",
(nx bit of process of it) as string | "n/a",
(page fault count of process of it) as string | "n/a",
(page file usage of process of it) as string | "n/a",
(peak page file usage of process of it) as string | "n/a",
(peak working set size of process of it) as string | "n/a",
(pid of process of it) as string | "n/a",
(ppid of process of it) as string | "n/a",
(process id of process of it) as string | "n/a",
(quota nonpaged pool usage of process of it) as string | "n/a",
(quota paged pool usage of process of it) as string | "n/a",
(quota peak nonpaged pool usage of process of it) as string | "n/a",
(quota peak paged pool usage of process of it) as string | "n/a",
(session id of process of it) as string | "n/a",
(user object count of process of it) as string | "n/a",
(user of process of it) as string | "n/a",
(user time of process of it) as string | "n/a",
(working set size of process of it) as string | "n/a",
(wow64 of process of it) as string | "n/a",
(remote address of it) as string | "n/a",
(remote port of it) as string | "n/a",
(tcp of it) as string | "n/a",
(close wait of tcp state of it) as string | "n/a",
(closed of tcp state of it) as string | "n/a",
(closing of tcp state of it) as string | "n/a",
(delete tcb of tcp state of it) as string | "n/a",
(established of tcp state of it) as string | "n/a",
(fin wait one of tcp state of it) as string | "n/a",
(fin wait two of tcp state of it) as string | "n/a",
(last ack of tcp state of it) as string | "n/a",
(listening of tcp state of it) as string | "n/a",
(syn received of tcp state of it) as string | "n/a",
(syn sent of tcp state of it) as string | "n/a",
(time wait of tcp state of it) as string | "n/a",
(udp of it) as string | "n/a" )
of sockets whose (
name of process of it as lowercase contains "bes"
) of network

If you were going to do this, I would honestly filter out as much standard OS-specific traffic as possible to remove extra noise, but then you could export to a data analysis tool and match up inbound and outbound IP addresses to see which servers are communicating with each other, to create links or dependencies.
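The "run netstat periodically, write it to text files, then parse the files across runs" approach Jstev describes above, carried through to the analysis step, as an added example that is not part of this thread and not BigFix code. It assumes a scheduled action has already written `netstat -ano` output to a file on each run; the two snapshots embedded here are constructed sample data for one host (10.0.1.15), and the host's listening ports are used to decide whether each connection is inbound or outbound. Loopback and wildcard peers are dropped as the noise Jstev mentions.

```python
"""Merge periodic netstat snapshots into a host's inbound/outbound dependency list.

Added example for this thread, not BigFix code. It assumes a scheduled job
(for instance a BigFix action) has written `netstat -ano` output to a text
file on each run, using the standard Windows columns:
Proto, Local Address, Foreign Address, State (TCP only), PID.
"""
from collections import defaultdict

# Peers that carry no server-to-server meaning: unbound, wildcard, loopback.
NOISE_PEERS = {"0.0.0.0", "::", "*", "127.0.0.1", "::1"}

# Constructed sample snapshots from one host (10.0.1.15), two runs apart; not real data.
SNAPSHOT_1 = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    10.0.1.15:445          10.0.1.20:49812        ESTABLISHED     4
  TCP    10.0.1.15:52201        10.0.2.30:1433         ESTABLISHED     3120
  TCP    127.0.0.1:52202        127.0.0.1:8080         ESTABLISHED     5566
  TCP    10.0.1.15:52210        10.0.1.50:52311        TIME_WAIT       0
  UDP    0.0.0.0:123            *:*                                    1020
"""
SNAPSHOT_2 = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    10.0.1.15:52230        10.0.2.30:1433         ESTABLISHED     3120
  TCP    10.0.1.15:52240        10.0.3.5:389           ESTABLISHED     704
  TCP    10.0.1.15:445          10.0.1.21:50100        ESTABLISHED     4
  TCP    [::1]:52250            [::1]:135              ESTABLISHED     912
"""


def split_endpoint(endpoint):
    """'10.0.1.15:445' -> ('10.0.1.15', 445); '[::1]:135' -> ('::1', 135); '*:*' -> ('*', None)."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), (int(port) if port.isdigit() else None)


def parse_netstat(text):
    """Parse one `netstat -ano` snapshot into row dicts; headers and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        if parts[0] == "TCP":
            if len(parts) < 5:
                continue
            state, pid = parts[3], parts[4]
        else:  # UDP rows have no State column
            if len(parts) < 4:
                continue
            state, pid = None, parts[3]
        local_host, local_port = split_endpoint(parts[1])
        remote_host, remote_port = split_endpoint(parts[2])
        rows.append({"proto": parts[0], "local_host": local_host, "local_port": local_port,
                     "remote_host": remote_host, "remote_port": remote_port,
                     "state": state, "pid": pid})
    return rows


def dependency_links(snapshots):
    """Merge snapshots into {(direction, peer_ip, proto, service_port): {"pids", "snapshots"}}.

    A connection is inbound when its local port is one this host listens on
    (the service port is then the local port); otherwise it is outbound and
    the service port is the remote port. Loopback/wildcard peers are dropped.
    """
    parsed = [parse_netstat(s) for s in snapshots]
    listening = {(r["proto"], r["local_port"]) for rows in parsed for r in rows
                 if r["state"] == "LISTENING" or (r["proto"] == "UDP" and r["remote_host"] == "*")}
    links = defaultdict(lambda: {"pids": set(), "snapshots": set()})
    for i, rows in enumerate(parsed):
        for r in rows:
            if r["remote_host"] in NOISE_PEERS or r["remote_port"] is None:
                continue
            if (r["proto"], r["local_port"]) in listening:
                key = ("inbound", r["remote_host"], r["proto"], r["local_port"])
            else:
                key = ("outbound", r["remote_host"], r["proto"], r["remote_port"])
            links[key]["pids"].add(r["pid"])
            links[key]["snapshots"].add(i)  # which runs observed this link
    return dict(links)


def rule_candidates(links, total_snapshots):
    """Render merged links as sorted, human-readable firewall rule candidates."""
    lines = []
    for (direction, peer, proto, port), info in sorted(links.items()):
        seen = len(info["snapshots"])
        pids = ",".join(sorted(info["pids"]))
        lines.append(f"{direction:8} {proto}/{port:<5} peer={peer:<12} seen={seen}/{total_snapshots} pids={pids}")
    return lines


if __name__ == "__main__":
    snaps = [SNAPSHOT_1, SNAPSHOT_2]
    for line in rule_candidates(dependency_links(snaps), len(snaps)):
        print(line)
```

The `seen=N/M` count is the useful part for planning: a link observed in most snapshots is a standing dependency that needs a rule, while one seen once (the TIME_WAIT row to 10.0.1.50 here) is worth checking against the process name before it becomes a permanent firewall exception. Feeding the same files from many hosts through this gives the per-peer inbound/outbound pairs Jstev suggests matching up.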

Hi Jstev,

Thanks for your input. I was also thinking of fetching Listening Ports, Active Connections, Remote IPs, Port & Process Name via PowerShell for Windows servers and Bash for Linux servers.

Though it won’t be real time like NetFlow, I believe it will help.

Regards,
Jaspreet Singh