Cisco ASA v8.4(5) Supports Bidirectional NetFlow

Posted in cisco ASA, Network traffic monitoring on December 12th, 2012 by Joanne

This is a follow-up to Michael Patterson’s blog last month about Cisco ASA v8.4(5) support for bidirectional NetFlow exports.

Our IPFIX and NetFlow Analyzer is the only NetFlow solution that supports the new bidirectional flows exported by the Cisco ASA.

This Cisco ASA update makes network traffic monitoring more accurate. The prior NetFlow export added the bytes exchanged between two hosts into one Octet Total Counter, so previously we couldn’t distinguish the traffic sent from A to B from the traffic sent from B back to A. By having two counters, we can now report on the difference.

Cisco ASA bidirectional flows
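The difference between one combined counter and two directional counters, as an added example (not code from the original post or from the product it describes). The flow records are constructed sample data, and `fwd_bytes` / `rev_bytes` are assumed stand-in names for the forward and reverse byte counters; the thresholds are illustrative.

```python
from collections import defaultdict

# Constructed sample flow records (not real traffic). "fwd_bytes" is initiator ->
# responder, "rev_bytes" is responder -> initiator; both field names are assumptions.
FLOWS = [
    {"src": "10.1.1.20", "dst": "203.0.113.10", "fwd_bytes": 1_200, "rev_bytes": 48_000},
    {"src": "10.1.1.20", "dst": "203.0.113.10", "fwd_bytes": 900, "rev_bytes": 31_000},
    {"src": "10.1.1.35", "dst": "198.51.100.7", "fwd_bytes": 75_000_000, "rev_bytes": 40_000},
    {"src": "10.1.1.35", "dst": "198.51.100.7", "fwd_bytes": 5_000_000, "rev_bytes": 39_100},
]

def legacy_totals(flows):
    """Older export view: one combined octet counter per host pair."""
    totals = defaultdict(int)
    for f in flows:
        totals[(f["src"], f["dst"])] += f["fwd_bytes"] + f["rev_bytes"]
    return dict(totals)

def directional_totals(flows):
    """Bidirectional view: separate sent/received byte totals per host pair."""
    totals = defaultdict(lambda: {"sent": 0, "received": 0})
    for f in flows:
        pair = totals[(f["src"], f["dst"])]
        pair["sent"] += f["fwd_bytes"]
        pair["received"] += f["rev_bytes"]
    return {k: dict(v) for k, v in totals.items()}

def upload_heavy(flows, min_bytes=10_000_000, ratio=10.0):
    """Host pairs where the initiator sent at least min_bytes and at least
    `ratio` times what it received. Needs both counters to answer."""
    hits = []
    for pair, t in directional_totals(flows).items():
        if t["sent"] >= min_bytes and t["sent"] >= ratio * max(t["received"], 1):
            hits.append(pair)
    return sorted(hits)

if __name__ == "__main__":
    for pair, total in legacy_totals(FLOWS).items():
        print("combined   ", pair, total)
    for pair, t in directional_totals(FLOWS).items():
        print("directional", pair, t)
    print("upload-heavy pairs:", upload_heavy(FLOWS))
```

With the combined counter, the second host pair is just a large conversation; with two counters it shows up as an internal host sending far more than it receives, which is the kind of asymmetry worth a closer look.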

Some other good stuff:

Exporting ACL information in the Denied Flows templates. Why is this important?

Because now you can track not only how many flows are denied, but also whether they violated an ACL, and which ACL! Then with our Advanced NetFlow reporting solution, you can be alerted to excessive denied flows from your Cisco ASA.

Is your Network Address Translation (NAT) performed by your Cisco ASA?

If so, then with the ASA NSEL exports and our IPFIX and NetFlow reporting solution, you can display the address translations, showing the source and destination IP addresses together with the post source and post destination IP addresses. Once you have isolated an issue to a specific host address, you can flip over to the Network Address Translation report and find out exactly who that address resolves to.

Now let’s talk about URLs. Are you interested in reporting on and analyzing which URLs are accessed, and by whom?

With a combination of exporting proxy data using IPFIXify, which gives us the URLs, and filtering on a host address, we can do just that for you.

See the example below.  I added the proxy to my report, then switched to see the URLs report.  Notice that the source filter for mikek-pc.plxr.local was carried over to the URLs report.

Cisco ASA NetFlow can report on URLs

This is a great example of adding additional contextual information around threats investigated on the Cisco ASA.  Who else in the company visited the same URL and may now also be infected?

If you are interested in getting this level of Advanced NetFlow reporting from your Cisco ASA, give us a call and we’ll show you how.

 


Joanne Ghidoni
Sr. Solutions Engineer


One Response to “Cisco ASA v8.4(5) Supports Bidirectional NetFlow”

  1. Cisco ASA NetFlow flow-export active-refresh interval Problems - NetFlow & sFlow Network Monitoring - NetFlowKnights.com Says:

    [...] to appreciate the numerous NetFlow Security Event Logging (NSEL) enhancements available in the Cisco ASA 8.4(5) NetFlow export you may be left disappointed after upgrading the ASA to version 8.5(1), 8.6(1), 8.7(1), [...]
