This is a follow-up to Michael Patterson’s blog post last month about Cisco ASA v8.4(5) supporting bidirectional NetFlow exports.

Our IPFIX and NetFlow Analyzer is the only NetFlow solution that supports the new bidirectional flows exported by the Cisco ASA.

This Cisco ASA update makes network traffic monitoring more accurate. The prior NetFlow export added the bytes sent in both directions between two hosts into one Octet Total Counter, so we couldn’t distinguish the traffic sent from A to B from the traffic sent from B back to A. With two counters, we can now report on the difference.

Cisco ASA bidirectional flows

Some other good stuff:

Exporting ACL information in the Denied Flows templates.  Why is this important?

Because now you can track not only how many flows are denied, but also whether they violated an ACL, and which ACL! Then with our Advanced NetFlow reporting solution, you can be alerted to excessive denied flows from your Cisco ASA.
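The denied-flow logic described above can be sketched as follows. This is an added example, not Plixer's or Cisco's code: it assumes a collector has already decoded NSEL records into dicts, and the key names, addresses, ACL IDs and threshold are constructed for illustration.

```python
from collections import Counter

# NSEL codes from Cisco's ASA documentation: NF_F_FW_EVENT 3 means the flow
# was denied, and NF_F_FW_EXT_EVENT gives the reason.
FLOW_DENIED = 3
EXT_REASON = {
    1001: "ingress ACL",
    1002: "egress ACL",
    1003: "connection to ASA interface denied",
    1004: "first TCP packet not SYN",
}
# Only ACL denials carry an ACL ID; which field depends on the direction.
ACL_ID_KEY = {1001: "ingress_acl_id", 1002: "egress_acl_id"}

# Constructed sample data. The dict keys are assumed names for fields a
# collector has already decoded, and the ACL IDs are made-up strings.
ACL_A, ACL_B = "c5e1a7b2-0f3d9e44-00000000", "71d09a3e-5b2c8f10-00000000"
SAMPLE = (
    [{"fw_event": 3, "fw_ext_event": 1001, "src": "10.1.1.50", "ingress_acl_id": ACL_A}] * 5
    + [{"fw_event": 3, "fw_ext_event": 1002, "src": "10.1.1.50", "egress_acl_id": ACL_B}] * 2
    + [{"fw_event": 3, "fw_ext_event": 1004, "src": "10.1.1.77"}]
    + [{"fw_event": 1, "fw_ext_event": 0, "src": "10.1.1.50"}] * 3  # created, not denied
)

def denied_by_acl(records):
    """Count denied flows per (source, reason, ACL ID); ACL ID is None for non-ACL denials."""
    counts = Counter()
    for rec in records:
        if rec.get("fw_event") != FLOW_DENIED:
            continue
        ext = rec.get("fw_ext_event")
        reason = EXT_REASON.get(ext, f"unknown ext event {ext}")
        acl_id = rec.get(ACL_ID_KEY[ext]) if ext in ACL_ID_KEY else None
        counts[(rec.get("src"), reason, acl_id)] += 1
    return counts

def excessive(counts, threshold):
    """Return ((source, reason, acl_id), count) pairs at or above threshold, highest first."""
    hits = [(key, n) for key, n in counts.items() if n >= threshold]
    return sorted(hits, key=lambda kv: -kv[1])

if __name__ == "__main__":
    for (src, reason, acl_id), n in excessive(denied_by_acl(SAMPLE), threshold=2):
        print(f"{src}: {n} flows denied ({reason}, ACL ID {acl_id})")
```

Grouping on the extended event code is what separates ACL violations from other denials, such as a TCP flow whose first packet was not a SYN.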

Is your Network Address Translation (NAT) performed by your Cisco ASA?

If so, then with the ASA NSEL exports and our IPFIX and NetFlow reporting solution, you can display the address translations, showing the source and destination, post source and post destination IP addresses.  So once you have isolated an issue to a specific host address, you can then flip over to the Network Address Translation report and find out exactly who that address resolves to.

Now let’s talk about URLs. Are you interested in reporting on and analyzing which URLs are accessed, and by whom?

With a combination of exporting proxy data using IPFIXify, which gives us the URLs, and filtering on a host address, we can do just that for you.

See the example below.  I added the proxy to my report, then switched to see the URLs report.  Notice that the source filter for mikek-pc.plxr.local was carried over to the URLs report.

Cisco ASA NetFlow can report on URLs

This is a great example of adding contextual information around threats investigated on the Cisco ASA. Who else in the company visited the same URL and may now also be infected?

If you are interested in getting this level of Advanced NetFlow reporting from your Cisco ASA, give us a call and we’ll show you how.



Joanne Ghidoni

Joanne is a Software Quality Assurance Engineer at Plixer. She has also held positions as Technical Support Engineer and Sales Engineer since joining Plixer in 2005. Prior to joining Plixer, Joanne held numerous positions in the IT field, including data entry, computer operator, PC coordinator and support, mainframe programmer, and Technical Support and web programmer at Cabletron Systems. In her spare time, Joanne enjoys traveling, always seeking out new and interesting places to visit.

