We have beefed up our Cisco ASA NSEL reporting, using NetFlow of course (NSEL = NetFlow Secure Event Logging; ASA = Adaptive Security Appliance). What is interesting about Cisco ASA NSEL is that, according to the documentation we have, the exporter sends several different templates, one per kind of firewall event. The most common ones appear to be these:
- Extended: if the flow is torn down before the configured flow-create delay expires, the flow-create event is never sent; an extended flow teardown event is sent instead, so a collector that only counts create events will miss these short flows entirely.
- Denied: the flow was explicitly denied before it was ever created. A "Denied no XLATE" event means the flow was denied and no translation of the source and destination IP addresses and ports was performed, so the record carries only the untranslated addresses. This is typical when NAT is in use.
- Flow Created: the event is exported as soon as the flow is created (or once the configured flow-create delay has passed).
- Teardown: the event indicates that an existing flow in the appliance's flow database has ended. It could be due to "natural" causes (TCP: FIN/FIN-ACK/ACK; UDP: the firewall times it out), or it could be a flow in which a problem was detected midstream and the firewall shut it down. The Teardown event gives you the total byte count for the entire flow (inbound and outbound combined) in the octetTotalCount field.
In the above templates, you will find several fields (NSEL NetFlow elements) that you will not see in IOS NetFlow, such as the firewall event type, the translated (NAT) addresses and ports, and the username.
We created over a dozen new reports including some on NATed IP addresses. For example, ASA NSEL Username Report:
ASA NSEL Event Report:
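To show how the event templates above turn into report rows like the Username and Event reports, here is an added example, not code from the original post or from the reporting product. It reduces a constructed batch of decoded NSEL records into per-flow rows, a per-username byte total, and per-event counts. The NF_F_FW_EVENT values (1 created, 2 teardown, 3 denied, 5 updated) are the documented ASA codes; the dictionary keys NF_F_USERNAME and NF_F_XLATE_*_ADDR_IPV4 mirror the NSEL element names, but how a collector maps the exporter's template fields onto these keys is assumed, and the fwdBytes/revBytes fallback for newer per-direction counters is an assumption as well. The two points a practitioner should take from it: a teardown with no matching create is a short flow that only produced the extended teardown, and a "Denied no XLATE" record has no translated addresses to report.

```python
"""Reduce Cisco ASA NSEL event records into report rows (added example)."""
from collections import Counter, defaultdict

# NF_F_FW_EVENT values as documented for ASA NSEL.
FW_EVENT = {0: "ignore", 1: "flow-created", 2: "flow-teardown",
            3: "flow-denied", 5: "flow-updated"}


def flow_key(rec):
    """5-tuple that ties a create record to its later teardown record."""
    return (rec["src"], rec["sport"], rec["dst"], rec["dport"], rec["proto"])


def flow_bytes(rec):
    """Teardown carries the whole flow's byte count. The post's exporter
    reports it as octetTotalCount (both directions); newer templates split
    it into forward/reverse counters (assumed key names), so accept either."""
    if "octetTotalCount" in rec:
        return rec["octetTotalCount"]
    return rec.get("fwdBytes", 0) + rec.get("revBytes", 0)


def reduce_nsel(records):
    open_flows = {}          # key -> create record, waiting for its teardown
    flows, denied = [], []
    event_counts = Counter()
    for rec in records:
        kind = FW_EVENT.get(rec["fw_event"], "unknown")
        event_counts[kind] += 1
        key = flow_key(rec)
        if kind == "flow-created":
            open_flows[key] = rec
        elif kind == "flow-teardown":
            # No create seen: the flow ended inside the flow-create delay,
            # so this (extended) teardown is the only record for it and
            # must supply the username and NAT fields on its own.
            created = open_flows.pop(key, None)
            src_rec = created or rec
            flows.append({
                "key": key,
                "username": src_rec.get("NF_F_USERNAME", ""),
                "xlate_src": src_rec.get("NF_F_XLATE_SRC_ADDR_IPV4"),
                "xlate_dst": src_rec.get("NF_F_XLATE_DST_ADDR_IPV4"),
                "bytes": flow_bytes(rec),
                "seen_create": created is not None,
            })
        elif kind == "flow-denied":
            # "Denied no XLATE": no translated addresses in the record,
            # so the report can only show the original addresses.
            denied.append({
                "key": key,
                "username": rec.get("NF_F_USERNAME", ""),
                "no_xlate": "NF_F_XLATE_SRC_ADDR_IPV4" not in rec,
            })
    return {"flows": flows, "denied": denied, "events": event_counts,
            "still_open": list(open_flows)}


def username_report(result):
    """Bytes per username over completed flows (the Username Report)."""
    totals = defaultdict(int)
    for f in result["flows"]:
        totals[f["username"] or "(none)"] += f["bytes"]
    return dict(totals)


# Constructed sample: a normal flow (create + teardown), a short DNS flow
# that only produced an extended teardown, and a denied telnet attempt
# with no translation performed.
SAMPLE = [
    {"fw_event": 1, "src": "10.1.1.10", "sport": 51000, "dst": "203.0.113.5",
     "dport": 443, "proto": 6, "NF_F_USERNAME": "alice",
     "NF_F_XLATE_SRC_ADDR_IPV4": "198.51.100.2",
     "NF_F_XLATE_DST_ADDR_IPV4": "203.0.113.5"},
    {"fw_event": 2, "src": "10.1.1.10", "sport": 51000, "dst": "203.0.113.5",
     "dport": 443, "proto": 6, "octetTotalCount": 48210},
    {"fw_event": 2, "src": "10.1.1.11", "sport": 52000, "dst": "203.0.113.9",
     "dport": 53, "proto": 17, "NF_F_USERNAME": "bob",
     "NF_F_XLATE_SRC_ADDR_IPV4": "198.51.100.2",
     "NF_F_XLATE_DST_ADDR_IPV4": "203.0.113.9", "octetTotalCount": 180},
    {"fw_event": 3, "src": "10.1.1.12", "sport": 40000, "dst": "203.0.113.7",
     "dport": 23, "proto": 6, "NF_F_USERNAME": "carol"},
]

if __name__ == "__main__":
    result = reduce_nsel(SAMPLE)
    print(dict(result["events"]))
    print(username_report(result))
    print(result["denied"])
```

Anything left in `still_open` after a batch is a flow whose teardown has not arrived yet (or was lost), which is worth reporting separately rather than silently dropping.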
Anyway, these reports are part of our Cisco Advanced Reporting module and should help with your network traffic analysis efforts. Call support if you need help configuring Cisco ASA NetFlow.