In this blog I will go over Cisco ASA NetFlow reporting and how it has changed in V8.4.7+/9.1.4.1+. If you have a Cisco ASA on your network, and you’ve used it to monitor NetFlow, you may have noticed some strange results on some of your reports. I’m hoping this blog will shed some light on these issues we’ve faced, in earlier versions of the ASA, as well as the changes that have been introduced to make reporting more accurate. If you are interested in learning more about the Cisco ASA NetFlow implementation read more below.

Cisco ASA NetFlow Events:Cisco ASA NSEL

As you probably know, the Cisco ASA firewall sends different NSEL events in the NetFlow data. This allows us to find out exactly why the flow was exported to our NetFlow monitoring tool. In older versions of the ASA, flows were only ever exported when the flow ended. This may seem fine, but let me give you an example. You are downloading a Linux ISO that is 700MBs and this download took 5 minutes to complete. What you are
going to see in your NetFlow tool will look as if the entire download took place in a 1 minute time-frame since the flow was sent when the conversation ended. This will cause bandwidth utilization to go well beyond 100% which, even though we know this isn’t possible, can still cause quite the alarm.

NetFlow Support

Cisco ASA NSEL:

Thankfully Cisco has added the ability to send a flow update event. This is similar to how Cisco IOS devices send the NetFlow data. It allows the device to send the flow data for active connections at a regular interval (I recommend 1 minute), which in turn allows your NetFlow monitoring tool to be able to interpret and report on this data very accurately.You can see in the image to the right that my NetFlow monitoring tool even allows me to filter on certain Cisco ASA firewall events.  To enable this on your Cisco ASA you simply apply the following to your ASA configuration:

Cisco ASA (config)# flow-export active refresh-interval 1

This allows the ASA to send all of your NetFlow data to a collector every minute (not only when a flow ends). In turn this allows you to accurately report on usage statistics, which would have otherwise been inaccurate. If you are familiar with our blogs, then you probably have seen most of the issues we’ve seen through the years regarding Cisco ASA NetFlow; what do you expect from the first firewall to export NetFlow! I was pretty excited when I heard that they had fixed this issue (and I’m sure a lot of customers are too). If you have any issues with your Cisco ASA or need any help getting it to export NetFlow feel free to reach out to us in support!

Jake Bergeron author pic

Jake

Jake Bergeron is currently one of Plixer's Sr. Solutions Engineers - He is currently responsible for providing customers with onsite training and configurations to make sure that Scrutinizer is setup to their need. Previously he was responsible for teaching Plixer's Advanced NetFlow Training / Malware Response Training. When he's not learning more about NetFlow and Malware detection he also enjoys Fishing and Hiking.

Related

Leave a Reply