
Cisco ASA 8.4(5) NetFlow Support

Have you upgraded your Cisco ASA to version 8.4(5) for the latest security features and NetFlow (NSEL) enhancements from Cisco Systems? If you have, you may have noticed that NetFlow reporting broke. Have no fear: we fixed this in Scrutinizer version 10.1, which will be released in a couple of days. But wait, there's more!

sysDescr:    Cisco Adaptive Security Appliance Version 8.4(5)

The Cisco ASA NetFlow team made several improvements to the flow export:

  • Bidirectional flows were fixed. Both directions of a flow are now exported in separate elements, which gives accurate in/out utilization trends.
  • An active timeout was implemented. Long-lived flows (longer than one minute) are now exported every minute instead of only at teardown, so a long flow's bytes are spread across the intervals in which they were actually seen. This removes the spikes that used to appear in the trends and gives more accurate reports.
  • The firewall event type is exported in a new element. This enables a whole set of new reports on why flows are created, deleted or denied. We also built a way to tie deny events to the ACL being violated, so you can find out which hosts or protocols are being denied and why. Very cool.
  • Network Address Translation (NAT) reports. These new reports show what an IP address was before and after it was NAT'd.
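To make the four improvements concrete, here is an added example (not code from the original post or from Scrutinizer) that works over constructed, already-decoded NSEL records: it buckets byte counts per minute to show why the active timeout removes spikes, counts deny events per ACL, and pulls the pre-NAT to post-NAT mapping out of flow-create records. The record shape, the NSEL event codes, and the assumption that update and teardown records carry byte counts since the previous report (as the NSEL field names fwdFlowDeltaBytes and revFlowDeltaBytes suggest) are assumptions of the example; verify them against your own collector.

```python
"""Working with ASA 8.4(5)-style NSEL event records.

The records below are constructed to look like what a NetFlow collector
hands over after decoding the ASA's NetFlow v9 templates; field names are
descriptive rather than numeric NSEL element IDs.
"""
from collections import defaultdict

# NSEL firewall event codes (NF_F_FW_EVENT): 1 flow created, 2 flow
# deleted, 3 flow denied, 5 flow update (the periodic record that the
# active timeout in 8.4(5) produces for long-lived flows).
FLOW_CREATED, FLOW_DELETED, FLOW_DENIED, FLOW_UPDATED = 1, 2, 3, 5


def rec(event, ts, **fields):
    """Build one decoded NSEL record (ts = export time, epoch seconds)."""
    return {"event": event, "ts": ts, **fields}


# One 3-minute HTTPS session from an inside host, reported the 8.4(5) way:
# an update every 60 s plus a final teardown, each carrying the bytes seen
# since the previous report (assumption: delta counters; check your
# collector). Addresses are RFC 5737 documentation ranges.
WITH_UPDATES = [
    rec(FLOW_CREATED, 5, src="10.0.0.5", sport=40000, dst="198.51.100.7",
        dport=443, proto="tcp", xlate_src="203.0.113.2", xlate_sport=40000),
    rec(FLOW_UPDATED, 60, fwd_bytes=1_000_000, rev_bytes=200_000),
    rec(FLOW_UPDATED, 120, fwd_bytes=1_000_000, rev_bytes=200_000),
    rec(FLOW_DELETED, 180, fwd_bytes=1_000_000, rev_bytes=200_000),
    # Denied connections, each tagged with the ACL that dropped them.
    rec(FLOW_DENIED, 70, src="192.0.2.10", dst="10.0.0.5", dport=22,
        proto="tcp", acl="OUTSIDE_IN"),
    rec(FLOW_DENIED, 71, src="192.0.2.10", dst="10.0.0.5", dport=23,
        proto="tcp", acl="OUTSIDE_IN"),
    rec(FLOW_DENIED, 72, src="192.0.2.11", dst="10.0.0.5", dport=22,
        proto="tcp", acl="OUTSIDE_IN"),
]

# The same session as an export without the active timeout reports it:
# nothing until the teardown, which then carries all three minutes at once.
WITHOUT_UPDATES = [
    rec(FLOW_CREATED, 5, src="10.0.0.5", sport=40000, dst="198.51.100.7",
        dport=443, proto="tcp", xlate_src="203.0.113.2", xlate_sport=40000),
    rec(FLOW_DELETED, 180, fwd_bytes=3_000_000, rev_bytes=600_000),
]


def bucket_bytes(records, bucket_seconds=60):
    """Sum forward and reverse byte counts per time bucket.

    Only update and teardown records carry counters; create and deny
    records are skipped. Which direction is "in" or "out" depends on the
    interface you are trending, so both directions are kept separate."""
    buckets = defaultdict(lambda: {"fwd": 0, "rev": 0})
    for r in records:
        if r["event"] not in (FLOW_UPDATED, FLOW_DELETED):
            continue
        key = r["ts"] - r["ts"] % bucket_seconds
        buckets[key]["fwd"] += r["fwd_bytes"]
        buckets[key]["rev"] += r["rev_bytes"]
    return dict(sorted(buckets.items()))


def denies_by_acl(records):
    """Count denied flows per (ACL, protocol, destination port)."""
    counts = defaultdict(int)
    for r in records:
        if r["event"] == FLOW_DENIED:
            counts[(r["acl"], r["proto"], r["dport"])] += 1
    return dict(counts)


def nat_translations(records):
    """Map the pre-NAT (src, sport) to the post-NAT (xlate_src, xlate_sport)
    that the outside world saw, taken from flow-create records."""
    return {
        (r["src"], r["sport"]): (r["xlate_src"], r["xlate_sport"])
        for r in records
        if r["event"] == FLOW_CREATED and "xlate_src" in r
    }


if __name__ == "__main__":
    print("with updates:   ", bucket_bytes(WITH_UPDATES))
    print("without updates:", bucket_bytes(WITHOUT_UPDATES))
    print("denies by ACL:  ", denies_by_acl(WITH_UPDATES))
    print("NAT mapping:    ", nat_translations(WITH_UPDATES))
```

Run stand-alone, the first two lines of output show the point of the active timeout: the same 3.6 MB session lands evenly in the 60 s, 120 s and 180 s buckets when updates are exported, but as a single spike in the 180 s bucket when only the teardown is.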

Below you can see some of the new elements exported in the ASA 8.4(5) release.

Cisco ASA NetFlow Reporting

For those interested in taking their Cisco ASA syslog reporting to another level, the Flow Replicator acts as a gateway for Cisco ASA syslogs by converting them to IPFIX. Once the Cisco ASA logs are in IPFIX format, Scrutinizer provides an interface to report on them and can even correlate that data with the NetFlow/NSEL from the Cisco ASA, or with any other flow export for that matter.

The Flow Replicator acts as a syslog-to-IPFIX gateway for any log export. More importantly, once the log is in the database, we have engineered a way to aggregate and roll up the data for historical archiving and retrieval. Filtering the data is intuitive, and once you have narrowed in on exactly the events your company needs to monitor, you can set thresholds that trigger notifications.
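The first step of any syslog-to-IPFIX gateway is turning free-text messages into fixed fields that can be aggregated and thresholded. The following added example (not code from the original post or from the Flow Replicator) does that for the ASA's %ASA-4-106023 deny message, whose format Cisco documents, and then applies a simple per-source threshold of the kind described above. The log lines are constructed for the example, the parsed field names are this example's own, and the parser only handles the basic 106023 form (no identity-firewall user or FQDN annotations).

```python
"""Parse Cisco ASA %ASA-4-106023 deny syslog messages into structured
records and apply a simple notification threshold, the normalisation a
syslog-to-IPFIX gateway performs before the events can be reported on."""
import re
from collections import Counter

# Constructed sample log in the 106023 format Cisco documents. Addresses
# are RFC 5737 documentation ranges. The last line is a different message
# ID (a connection build) and must be ignored by the parser.
SAMPLE_LOGS = """\
Jan 10 2013 10:00:01 asa1 %ASA-4-106023: Deny tcp src outside:192.0.2.10/44321 dst inside:10.0.0.5/22 by access-group "OUTSIDE_IN" [0x0, 0x0]
Jan 10 2013 10:00:02 asa1 %ASA-4-106023: Deny tcp src outside:192.0.2.10/44322 dst inside:10.0.0.5/23 by access-group "OUTSIDE_IN" [0x0, 0x0]
Jan 10 2013 10:00:03 asa1 %ASA-4-106023: Deny tcp src outside:192.0.2.10/44323 dst inside:10.0.0.5/3389 by access-group "OUTSIDE_IN" [0x0, 0x0]
Jan 10 2013 10:00:04 asa1 %ASA-4-106023: Deny udp src outside:192.0.2.11/5060 dst inside:10.0.0.9/5060 by access-group "OUTSIDE_IN" [0x0, 0x0]
Jan 10 2013 10:00:05 asa1 %ASA-4-106023: Deny icmp src outside:192.0.2.12 dst inside:10.0.0.5 (type 8, code 0) by access-group "OUTSIDE_IN" [0x0, 0x0]
Jan 10 2013 10:00:06 asa1 %ASA-6-302013: Built outbound TCP connection 12345 for outside:198.51.100.7/443 (198.51.100.7/443) to inside:10.0.0.5/40000 (203.0.113.2/40000)
"""

# Ports are optional (ICMP has none); ICMP carries type/code instead.
DENY_RE = re.compile(
    r'%ASA-\d-106023: Deny (?P<proto>\w+)'
    r' src (?P<src_if>[^:\s]+):(?P<src>[\d.]+)(?:/(?P<sport>\d+))?'
    r' dst (?P<dst_if>[^:\s]+):(?P<dst>[\d.]+)(?:/(?P<dport>\d+))?'
    r'(?: \(type (?P<icmp_type>\d+), code (?P<icmp_code>\d+)\))?'
    r' by access-group "(?P<acl>[^"]+)"'
)


def parse_deny(line):
    """Return a dict of fields for a 106023 line, or None for any other message."""
    m = DENY_RE.search(line)
    if not m:
        return None
    fields = m.groupdict()
    for k in ("sport", "dport", "icmp_type", "icmp_code"):
        if fields[k] is not None:
            fields[k] = int(fields[k])
    return fields


def parse_log(text):
    """Parse every line of a log, keeping only the deny events."""
    return [r for r in map(parse_deny, text.splitlines()) if r is not None]


def denies_per_source(records):
    """Count deny events per source address."""
    return Counter(r["src"] for r in records)


def sources_over_threshold(records, threshold):
    """Sources with at least `threshold` denies: the notification rule."""
    return {src: n for src, n in denies_per_source(records).items()
            if n >= threshold}


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOGS)
    for e in events:
        print(e["proto"], e["src"], "->", e["dst"], e["dport"],
              "denied by", e["acl"])
    print("sources over threshold:", sources_over_threshold(events, 3))
```

With the threshold set to 3, only 192.0.2.10 (three denies against different ports on the same host) is flagged; the single denies from the other two sources and the non-106023 line are left alone.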

Any log can now be exported with IPFIX; generally we can get it done in under a day, or you can take one of our Advanced NetFlow Training classes and learn to do it yourself. In summary, if your company needs to monitor a syslog, an event log or even a proprietary machine log format, we can do it.