We have beefed up our Cisco ASA NSEL Reporting using of course NetFlow. NSEL = NetFlow Secure Event logging and ASA = Adaptive Security Appliances. What is interesting about Cisco ASA NSEL NetFlow is that according to the documentation we have, the NetFlow exports kick out several different templates. The most popular of which seem to be these:
- Extended: if the flow is torn down before the configured delay, the flow-create event is not sent; an extended flow teardown event is sent instead.
- Denied: flow was explicitly denied from being created in the first place. A Denied no XLATE event shows that the event was denied and no translation of the source and destination IP addresses and ports is done. This is typical when using NAT addresses.
- Flow Created: event is exported as soon as the flow is created
- Teardown: events indicate that an existing flow in the flow database of the appliance has ended. It could be due to “natural” causes (TCP: fin/fin-ack/ack, UDP: firewall times it out), or it could be a flow that has a problem detected midstream and the firewall shuts it off. The Teardown event will give you the total byte count (both inbound and outbound) for the entire flow in the octetTotalCounts field.
For a free 30 day trial of Scrutinizer, Download Now!
Sign up for Advanced NetFlow Training™ coming to a city near you!