Setting up Cisco NetFlow security event logging for Cisco ASA

Posted in NetFlow, NetFlow Analyzer on June 2nd, 2009 by mike@plixer.com

I’m working with a customer’s Cisco ASA device and we are exporting NetFlow v9 to Scrutinizer to do some Cisco NetFlow traffic analysis. Fun stuff, but NetFlow Security Event Logging (also called NetFlow Event Logs) isn’t just about traffic in and out of an interface. Some of the exports are more like syslogs, and up to 18 messages can be placed into a single NetFlow v9 packet.

Interested in trying it?

For those of you interested in ASA NetFlow, I believe it is offered standard on any code revision with the ASA 5580 series; on lower-numbered ASA models you will need ASA 8.2.x code to enable the feature. Someone please tell me if this is incorrect.

Wireshark didn’t decode it
Hopefully someone at Cisco is working on the decodes for Wireshark.

Maybe I’ll bring it up at Wireshark Sharkfest in Palo Alto, Calif. next month! Yeeee HAAAAAA. I hope to see some of you there.

This isn’t your typical NetFlow
Three event types can trigger a NetFlow record.
* flow-create
* flow-denied
* flow-teardown
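
Because the v9 export is template-driven, a collector (or Wireshark, as noted above) cannot decode a data flowset until it has seen the matching template, and each packet can carry several event records. The following is an added example, not code from the post or from Plixer or Cisco: a small NetFlow v9 decoder that learns templates, counts flowsets it cannot yet decode, and maps the firewall event field onto the three event names listed above. The field IDs (4, 7, 8, 11, 12 and 233 for firewallEvent) and the sample packets are assumptions from the NetFlow v9 / IPFIX registries and are constructed here, not captured from an ASA.

```python
import struct
from collections import Counter

# NetFlow v9 field type IDs used by the constructed template below. IDs 4, 7,
# 8, 11 and 12 are standard v9 fields; 233 is firewallEvent (IPFIX IE 233),
# which ASA NSEL records use to say why the record was sent. Assumption: the
# post does not list field IDs; these come from the v9 / IPFIX registries.
FIELD_NAMES = {4: "protocol", 7: "src_port", 8: "src_addr",
               11: "dst_port", 12: "dst_addr", 233: "fw_event"}

# firewallEvent values mapped onto the three event names the post uses.
FW_EVENT = {1: "flow-create", 2: "flow-teardown", 3: "flow-denied"}

HEADER = struct.Struct("!HHIIII")  # version, count, sysUptime, unixSecs, seq, sourceId


def parse_v9_packet(data, templates):
    """Decode one NetFlow v9 export packet.

    Template flowsets (ID 0) are stored in `templates` keyed by
    (source_id, template_id). A data flowset whose template has not been
    seen yet cannot be decoded and is only counted; this is why a capture
    has to include the periodic template export to be useful.
    """
    version, count, _up, _secs, _seq, source_id = HEADER.unpack_from(data, 0)
    if version != 9:
        raise ValueError("not a NetFlow v9 packet")
    records, undecodable, off = [], 0, HEADER.size
    while off + 4 <= len(data):
        fs_id, fs_len = struct.unpack_from("!HH", data, off)
        if fs_len < 4:
            raise ValueError("malformed flowset length")
        body = data[off + 4:off + fs_len]
        if fs_id == 0:                        # template flowset
            p = 0
            while p + 4 <= len(body):
                tid, nfields = struct.unpack_from("!HH", body, p)
                templates[(source_id, tid)] = [
                    struct.unpack_from("!HH", body, p + 4 + 4 * i) for i in range(nfields)]
                p += 4 + 4 * nfields
        elif fs_id >= 256:                    # data flowset
            tmpl = templates.get((source_id, fs_id))
            if tmpl is None:
                undecodable += 1
            else:
                rec_len = sum(flen for _, flen in tmpl)
                p = 0
                while p + rec_len <= len(body):   # trailing bytes are padding
                    rec, p = _decode_record(body, p, tmpl)
                    records.append(rec)
        off += fs_len
    return {"count": count, "records": records, "undecodable_flowsets": undecodable}


def _decode_record(body, p, tmpl):
    rec = {}
    for ftype, flen in tmpl:
        raw = body[p:p + flen]
        p += flen
        name = FIELD_NAMES.get(ftype, f"field_{ftype}")
        rec[name] = ".".join(str(b) for b in raw) if ftype in (8, 12) else int.from_bytes(raw, "big")
    if "fw_event" in rec:
        rec["event"] = FW_EVENT.get(rec["fw_event"], "other")
    return rec, p


# --- constructed sample export (not a real ASA capture) ----------------------
TEMPLATE_ID = 256
TEMPLATE_FIELDS = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (233, 1)]


def _ip(a):
    return bytes(int(x) for x in a.split("."))


def _record(src, dst, sport, dport, proto, event):
    return _ip(src) + _ip(dst) + struct.pack("!HHBB", sport, dport, proto, event)


def _flowset(fs_id, body):
    body += b"\x00" * ((4 - len(body) % 4) % 4)     # v9 pads flowsets to 4 bytes
    return struct.pack("!HH", fs_id, 4 + len(body)) + body


SAMPLE_RECORDS = [
    _record("10.1.1.1", "10.2.2.2", 51000, 443, 6, 1),  # flow-create
    _record("10.1.1.1", "10.2.2.2", 51000, 443, 6, 2),  # flow-teardown
    _record("10.1.1.1", "10.2.2.2", 51001, 23, 6, 3),   # flow-denied
]
_TEMPLATE = struct.pack("!HH", TEMPLATE_ID, len(TEMPLATE_FIELDS)) + b"".join(
    struct.pack("!HH", t, n) for t, n in TEMPLATE_FIELDS)
# First packet carries data only; the second carries the template and the data.
PKT_DATA_ONLY = HEADER.pack(9, 1, 1000, 1243900800, 1, 1) + _flowset(TEMPLATE_ID, b"".join(SAMPLE_RECORDS))
PKT_WITH_TEMPLATE = (HEADER.pack(9, 2, 2000, 1243900860, 2, 1) + _flowset(0, _TEMPLATE)
                     + _flowset(TEMPLATE_ID, b"".join(SAMPLE_RECORDS)))


def demo():
    """Feed both packets to one collector state; summarize denied flows by source."""
    templates = {}
    first = parse_v9_packet(PKT_DATA_ONLY, templates)       # template unknown yet
    second = parse_v9_packet(PKT_WITH_TEMPLATE, templates)  # template learned, decoded
    denied_by_src = Counter(r["src_addr"] for r in second["records"] if r["event"] == "flow-denied")
    return first, second, denied_by_src


if __name__ == "__main__":
    f, s, d = demo()
    print(f["undecodable_flowsets"], [r["event"] for r in s["records"]], dict(d))
```

The first packet yields no records at all (one undecodable flowset), the second yields the create, teardown and denied events; a collector that keeps `templates` across packets is what turns the stream into the per-event reports the rest of the post shows.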

Of course a NetFlow collector IP address has to be entered into the ASA appliance, along with a few other commands, for it to send flow records. Use the Modular Policy Framework to customize the details of NetFlow functionality.

Enabling NetFlow on the ASA

You will also need to define a service policy pointing the flow data to the analyzer server. The configuration below assumes your ASA is still using the default global policy.

policy-map global_policy
 class class-default
  flow-export event-type all destination x.x.x.x

The above is CLI, but NetFlow can also be configured in the Cisco ASDM GUI by clicking:

  • Configuration -> Firewall -> Service Policy Rules.
  • Click Add -> select “Use class-default as the traffic class” -> Next -> NetFlow (tab) -> Add (check the collector(s) you want to use) -> Finish -> Apply.


Cisco ASA NetFlow commands for specific events
Example: log flow-creation events between hosts 10.1.1.1 and 10.2.2.2.
The internal NetFlow collector server is 192.168.100.1.

ASA (config)# flow-export destination inside 192.168.100.1 2055
ASA (config)# flow-export template timeout-rate 1
ASA (config)# access-list flow_export_acl permit ip host 10.1.1.1 host 10.2.2.2
ASA (config)# class-map flow_export_class
ASA (config-cmap)# match access-list flow_export_acl
ASA (config)# policy-map flow_export_policy
ASA (config-pmap)# class flow_export_class
ASA (config-pmap-c)# flow-export event-type flow-create destination 192.168.100.1
ASA (config)# service-policy flow_export_policy interface inside

The event keyword is flow-create (matching the three event types listed above), and the template interval is set with flow-export template timeout-rate. The last line applies the new policy map to an interface: the ASA allows only one global service policy, so a separate policy map must be bound to an interface, or the class added to global_policy instead.
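
Putting the two CLI fragments above together, here is a complete NSEL export configuration as an added example (not taken from the post or from Cisco’s documentation). It assumes the 192.168.100.1 collector on the inside interface and the default global_policy; it extends that policy rather than creating a second one, which is the mistake T4K describes in the comments. The logging flow-export-syslogs disable command is from the ASA 8.2 command set and is not mentioned in the post.

```cisco
! Collector is reachable through the inside interface (address as used in the post)
flow-export destination inside 192.168.100.1 2055
! Re-send the v9 templates every minute so a collector that starts late
! (or a short packet capture) can decode data records quickly
flow-export template timeout-rate 1
! NSEL events duplicate the connection build/teardown/deny syslogs;
! turn those syslogs off once the collector is receiving flows
logging flow-export-syslogs disable
!
! Only flows between these two hosts get the per-event filter below
access-list flow_export_acl extended permit ip host 10.1.1.1 host 10.2.2.2
class-map flow_export_class
 match access-list flow_export_acl
!
! Extend the default global policy; a second global policy is not allowed
policy-map global_policy
 class flow_export_class
  flow-export event-type flow-create destination 192.168.100.1
 class class-default
  flow-export event-type all destination 192.168.100.1
!
! Present on a default ASA configuration; shown so the policy is applied
service-policy global_policy global
```

Classes are matched in order, so the two filtered hosts export only flow-create events while everything else exports all three event types. show flow-export counters on the ASA confirms that packets are leaving for the collector before you start troubleshooting the analyzer side.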

Configuring NetFlow

This page was very helpful to determine the above configuration commands for NetFlow on the ASA 5580 using ASDM.

Displaying the NetFlow

Navigate to the graphical trends as shown below in the Status tab of Scrutinizer v7.

[Screenshot: Scrutinizer Status tab, ASA NetFlow templates]

[Screenshot: Scrutinizer trend graph of ASA NetFlow]


Limitations in v7

  • Displays data in 1-minute intervals only, as roll-ups were not completed in time for the release. Up to 5 hours in 1-minute intervals can be displayed by using the ‘Auto’ interval option.
  • Interfaces do not show up in the Status tab. You must navigate to the templates as outlined above.
  • This is fixed in the next release.

May 9th, 2012 UPDATE:  New Cisco NSEL Reports in Scrutinizer v9.  Check them out.

Michael Patterson
Founder and CEO


29 Responses to “Setting up Cisco NetFlow security event logging for Cisco ASA”

  1. NetFlow Security Event Logging with the Cisco ASA - NetFlow … Says:

    [...] Original post:  NetFlow Security Event Logging with the Cisco ASA – NetFlow … [...]

  2. Wireshark needs templates to decipher NetFlow v9 - NetFlow & sFlow Network Monitoring - Systrax Blog Says:

    [...] got what I was hoping to be a great packet capture from a Cisco ASA device exporting NetFlow v9. Oh, but you know how it goes in IT sometimes…it’s seldom a simple [...]

  3. Cisco ASA NetFlow Packet Capture Wanted - NetFlow & sFlow Network Monitoring - Systrax Blog Says:

    [...] of the NetFlow v9 coming from a Cisco ASA device.    I have a small capture I used in one of my prior blogs on this topic, but the packet capture is too short.  If possible, we need a 5-10 minute capture so that our [...]

  4. Cisco ASA 5505: Talk about NetFlow Templates! - NetFlow & sFlow Network Monitoring - Systrax Blog Says:

    [...] you want to try this with your ASA hardware, here is a page to help you find the necessary enable ASA NetFlow commands . Michael Patterson Scrutinizer Product Manager Follow Me on Twitter Share and [...]

  5. Chris Says:

    The configuration is the same on the 5580 as well as all models of ASA including the 5510, 5520, 5540, and 5550 if ASA 8.2.x code is installed. As mentioned earlier in the blog, NetFlow is not supported on the latter ASA models with 8.0.x installed.

  6. Mike Patterson Says:

    Scrutinizer v7.0 has been released. It now supports NSEL from the Cisco ASA firewalls. Very cool! Call us if you need help setting it up.

  7. Plixer releases Scrutinizer v7 NetFlow, sFlow Analyzer - NetFlow & sFlow Network Monitoring - Systrax Blog Says:

    [...] (NetFlow Security Event Logs) for Cisco ASA [...]

  8. The low down on Cisco ASA’s NetFlow - NetFlow & sFlow Network Monitoring - Systrax Blog Says:

    [...] Template refresh records can only be sent based on time intervals, not based on number of data records. (Learn how to configure your ASA template intervals) [...]

  9. NetFlow Detective – Hidden behind a wall - NetFlow & sFlow Network Monitoring - Systrax Blog Says:

    [...] spent the rest of the afternoon installing and configuring Scrutinizer 7.0, and setting up NetFlow on the ASA. We then created a custom report that would tell us of any YouTube [...]

  10. Cisco ASA and NetFlow Reporting Video - NetFlow & sFlow Network Monitoring - Systrax Blog Says:

    [...] can find help on configuring the ASA to send NetFlow here. Michael Patterson Scrutinizer Product Manager Follow Me on Twitter Share and [...]

  11. mike@plixer.com Says:

    I posted a video on reporting on the ASA: http://www.plixer.com/blog/netflow/cisco-asa-and-netflow-reporting-video/#more-6020

  12. Setting up the ASA to export NetFlow using Cisco ASDM 6.2 - NetFlow & sFlow Network Monitoring - Systrax Says:

    [...] report can be very interesting as you see data often left out in some reporting tools.  Read about some limitations when Scrutinizer reports on NetFlow from the ASA at the bottom of this [...]

  13. What is NSEL? A Deeper Look – Part 1 - NetFlow & sFlow Network Monitoring - Systrax Says:

    [...] When Cisco launched the release of ASA software v8.2, there was a LOT of excitement. Finally, Cisco had included NetFlow support for another key device in everyone’s network. Naturally, everyone ran around looking for the latest configs to enable NetFlow for the ASA. [...]

  14. mike@plixer.com Says:

    We have been getting a few calls with questions on the uniqueness of the NetFlows exported by the Cisco ASA. Check out this PDF:
    http://www.plixer.com/files/netflow-on-the-asa-11-18-09.pdf

  15. What is NSEL? A Deeper Look – Part 2 - NetFlow & sFlow Network Monitoring - Systrax Says:

    [...] A few months ago Nathan invited us to take a deeper look at NSEL. NSEL is the NetFlow exported from an ASA Firewall. He showed us how to enable and configure ASA for NetFlow. [...]

  16. NetFlow on an ASA « mitchellaneous Says:

    [...] looks like Cisco has included NetFlow in ASA 5005/5510/etc from firmware version 8.2 onwards. This opens up a whole can of worms now because we can monitor [...]

  17. T4K Says:

    All my status lights are green but I’m not getting any flows. When I drill down into the flow templates I get “there are no templates currently exporting data for this device”

    :/

  18. T4K Says:

    OK, I logged onto ASDM and found there was another policy called Global_policy. I removed it and left the default one and now I have flow templates!!

  19. T4K Says:

    OK, I am getting a lot of columns
    but no graphs…

  20. T4K Says:

    OK, found graphs, it’s all a bit awkward for my liking atm….

  21. Mike Patterson Says:

    Call our team if you need any help. Did you see the video on the ASA?
    http://www.systrax.com/webcasts.php

  22. Bidirectional NetFlow or NetFlow Stitching: Implementing RFC 5103 - NetFlow & sFlow Network Monitoring - Systrax Says:

    [...] is the only vendor we have seen implement this according to RFC 5103. Bidirectional flows from the Cisco ASA NetFlow export are not RFC 5103 compliant and have generally led to [...]

  23. ccna exam answers Says:

    ccna exam answers…

    [...]Setting up Cisco NetFlow security event logging for Cisco ASA – NetFlow & sFlow Network Monitoring – Systrax[...]…

  24. Cisco ASA NetFlow: Configuration - NetFlow & sFlow Network Monitoring - Systrax Says:

    [...] Our Product Manager, Michael Patterson, has written a great guide on how to configure NetFlow on the ASA from command line. [...]

  25. Webinar! Cisco ASA NetFlow support in Scrutinizer and other new features - NetFlow & sFlow Network Monitoring - Systrax Says:

    [...] that offers full support for the NetFlow being exported from ASA hardware. If you have a need to configure the Cisco ASA firewall to export NetFlow and aren’t sure where to begin, then you have come to the right [...]

  26. wahid Says:

    Hi,

    I have set up my ASA to export NetFlow, but when I want to start flow-capture it says “Netflow is not detected on the selected interface”

    What can be the issue????

  27. tomp@plixer.com Says:

    Can you show me the NetFlow portion of the config? Did you apply the flow class to the global policy?

    - Tom

  28. Best of the Best – NetFlow Blogs - NetFlow & sFlow Network Monitoring - Systrax Says:

    [...] configurations for: Catalyst 6509 2810 Procurve ASA 5500 (CLI, ASDM) Cisco 7600 [...]

  29. Cisco ASA NetFlow flow-export active-refresh interval Problems - NetFlow & sFlow Network Monitoring - NetFlowKnights.com Says:

    [...] is the only vendor we have seen implement this according to RFC 5103. Bidirectional flows from the Cisco ASA NetFlow export are not RFC 5103 compliant and have generally led to confusion. Without Cisco ASA 8.4(5) [...]
