Have you upgraded your Cisco ASA to version 8.4(5) for the latest and greatest security features and NetFlow (NSEL) enhancements from Cisco Systems? Well, if you have, you may have noticed that the NetFlow reporting broke.  Have no fear, we fixed this issue in Scrutinizer version 10.1 which is being released in a couple of days.  But, WAIT! There’s more!

sysDescr:    Cisco Adaptive Security Appliance Version 8.4(5)

The Cisco ASA NetFlow team made several improvements to the flow export:

  • The bidirectional flows were fixed.  They now export both directions of the flow in separate elements which results in accurate in / out utilization trends.
  • Active Timeout was implemented.  Now the long lived flows (i.e. longer than 1 minute) are exported every minute which prevents spikes in the trends and results in more accurate reports.
  • The firewall event type is exported with a new element.  This resulted in a whole bunch of new reports on why flows are created, deleted or even denied. We also built a way to tie these events to the ACLs being violated. You can find out what hosts or protocols are being denied and why.  Very cool.
  • Network Address Translation – NAT reports.  These new reports allow users to find out what IP addresses were before and then after they were NAT’d.

Below you can see some of the new elements exported in the ASA 8.4(5) release.

Cisco ASA NetFlow Reporting

For those interested in taking their Cisco ASA syslog reporting to another level, the Flow Replicator acts as a gateway for Cisco ASA syslogs by converting them to IPFIX.  Once the Cisco ASA logs are in IPFIX format, Scrutinizer provides an interface to report on ASA logs and can even correlate the data with the NetFlow or NSEL from the Cisco ASA or other flow export for that matter.

The Flow Replicator acts as a syslog to IPFIX gateway for any log export.  What is even more important is that once we have the log into the database, we have engineered a way to aggregate and roll up the data for historical archiving and retrieval. Filtering on the data is intuitive and once you have narrowed in on exactly the events your company needs to monitor for, you can set thresholds that will trigger notifications.

Any log can now be exported with IPFIX, generally we can get it done in under a day or you can take one of our Advanced NetFlow Training classes and learn to do it yourself. In summary, if your company needs to monitor a syslog, event log or even a proprietary machine log format, we can do it.

 

Mike Patterson author pic

Michael

Michael is one of the Co-founders and the former product manager for Scrutinizer. He enjoys many outdoor winter sports and often takes videos when he is snowmobiling, ice fishing or sledding with his kids. Cold weather and lots of snow make the best winters as far as he is concerned. Prior to starting Somix and Plixer, Mike worked in technical support at Cabletron Systems, acquired his Novell CNE and then moved to the training department for a few years. While in training he finished his Masters in Computer Information Systems from Southern New Hampshire University and then left technical training to pursue a new skill set in Professional Services. In 1998 he left the 'Tron' to start Somix which later became Plixer.

Related

Leave a Reply