
Cisco ASA NetFlow Problems

Although the Cisco ASA NetFlow exports have had some problems in the past, Cisco was the first vendor to export flows from a firewall, so a few issues out of the gate are almost expected. Despite a few enigmas, it was still great to have and certainly better than nothing. In order to optimize the network for speed and reliability, IT professionals are always looking for more visibility into traffic, so more information exported via NetFlow is always better.

Here are some of the most common NetFlow problems with the Cisco ASA NSEL export:

  • Bidirectional flows require a different understanding, as inbound flows include some outbound traffic and vice versa.
  • The template architecture is exciting, but different: Creation Flows, Teardown Flows, etc. contain duplicate entries and often result in inaccurate reports when combined in a NetFlow analyzer.
  • No active timeout for long lived connections, which causes spikes in the trend.
  • No ACL names.
  • No extended event descriptions.

After listening to its customers’ requests, Cisco released an updated firmware last year that allows the ASA exports to behave more like other firewalls that have since followed Cisco’s lead.  Today, the bidirectional flows from the Cisco ASA behave as expected and there is an active timeout for long lived flows.

With the introduction of Cisco ASA 8.4(5) the following problems have been addressed:

  • The bidirectional flows were fixed.  They now export both directions of the flow in separate elements, which results in accurate in/out utilization trends.
  • Active Timeout was implemented.  Now the long lived flows (i.e. longer than 1 minute) are exported every minute which prevents spikes in the trends and results in more accurate reports.
  • The firewall event type is exported with a new element.  This resulted in a whole bunch of new reports on why flows are created, deleted or even denied. We also built a way to tie these events to the ACLs being violated. You can find out what hosts or protocols are being denied and why.
  • Network Address Translation – NAT reports.  These new reports allow users to find out what IP addresses were before and then after they were NAT’d.
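To show what the collector side has to do with these records, here is an added example (my own code, not Cisco's and not the blog's) that buckets ASA NSEL-style records per minute without double counting the created/teardown pair and without dumping a long-lived flow into its teardown minute as one spike. The record layout, the event codes (1 created, 2 deleted, 5 update) and the treatment of the octet counters as cumulative per flow are assumptions for the example, and the sample records are constructed.

```python
from collections import defaultdict

# Event codes assumed for the example (based on Cisco's NSEL firewall event field).
FW_CREATED, FW_DELETED, FW_UPDATE = 1, 2, 5

# Constructed sample export: flow A is short lived, flow B is long lived and is
# reported through periodic update records (active timeout) before its teardown.
# Octet counters are treated as cumulative per flow (assumption, not from the post).
SAMPLE_RECORDS = [
    {"ts": 0,   "flow_id": "A", "event": FW_CREATED, "init_octets": 0,    "resp_octets": 0},
    {"ts": 0,   "flow_id": "B", "event": FW_CREATED, "init_octets": 0,    "resp_octets": 0},
    {"ts": 20,  "flow_id": "A", "event": FW_DELETED, "init_octets": 1500, "resp_octets": 9000},
    {"ts": 60,  "flow_id": "B", "event": FW_UPDATE,  "init_octets": 4000, "resp_octets": 40000},
    {"ts": 120, "flow_id": "B", "event": FW_UPDATE,  "init_octets": 8000, "resp_octets": 80000},
    {"ts": 150, "flow_id": "B", "event": FW_DELETED, "init_octets": 9000, "resp_octets": 90000},
]

def bucket_flows(records, interval=60):
    """Return {bucket_start: {"flows": n, "init_octets": b, "resp_octets": b}}.

    Each flow is counted once (on its created record), and byte counters are
    attributed as deltas to the interval in which each update or teardown
    arrived, so a long-lived flow is spread over the intervals it spanned.
    Initiator/responder octets give the two directions separately.
    """
    last_seen = defaultdict(lambda: (0, 0))   # flow_id -> last cumulative counters
    buckets = defaultdict(lambda: {"flows": 0, "init_octets": 0, "resp_octets": 0})
    for r in sorted(records, key=lambda rec: rec["ts"]):
        bucket = buckets[(r["ts"] // interval) * interval]
        if r["event"] == FW_CREATED:
            bucket["flows"] += 1      # created records carry no counters; count once here
            continue
        if r["event"] not in (FW_UPDATE, FW_DELETED):
            continue                  # denied/alert/other events are not volume records
        prev_init, prev_resp = last_seen[r["flow_id"]]
        # Only the growth since the previous record belongs to this interval.
        bucket["init_octets"] += max(r["init_octets"] - prev_init, 0)
        bucket["resp_octets"] += max(r["resp_octets"] - prev_resp, 0)
        last_seen[r["flow_id"]] = (r["init_octets"], r["resp_octets"])
        if r["event"] == FW_DELETED:
            last_seen.pop(r["flow_id"], None)   # flow is gone; forget its counters
    return dict(buckets)

if __name__ == "__main__":
    for start, totals in sorted(bucket_flows(SAMPLE_RECORDS).items()):
        print(start, totals)
```

A flow whose created record was never seen (for instance, one that started before the collector did) still gets its bytes attributed from its first update, it just is not counted as a new flow.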

As you can see, Cisco has done a great job at improving the ASA NSEL reports. This information is very useful and it is impressive to see a large company like Cisco addressing issues its customers had.

How do you take advantage of the new ASA NSEL features? There are plenty of guides that go over the Cisco ASA NetFlow configuration; it is very easy to do and can help you manage a network more efficiently. A good NetFlow solution will give you end-to-end visibility, unlike some other network traffic monitoring solutions. If you have any questions, feel free to leave a comment below.