
Cisco ASA v8.4(5) Supports Bidirectional NetFlow

This is a follow-up to Michael Patterson’s blog post last month about Cisco ASA v8.4(5) supporting bidirectional NetFlow exports.

Our IPFIX and NetFlow Analyzer is the only NetFlow solution that supports the new bidirectional flows exported by the Cisco ASA.

This Cisco ASA update makes network traffic monitoring more accurate because the prior NetFlow export added the bytes between two hosts into one Octet Total Counter.

Previously, this meant we couldn’t distinguish between the traffic sent from A to B and the traffic sent from B back to A. By having two counters, we can now report on the difference.

[Figure: Cisco ASA bidirectional flows]

Some other good stuff:

Exporting ACL information in the Denied Flows templates.  Why is this important?

Because now you can track not only how many flows are denied, but also whether they violated an ACL, and which ACL! Then with our Advanced NetFlow reporting solution, you can be alerted for excessive denied flows from your Cisco ASA.
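One way to implement the denied-flow alerting described above, as an added example (not the vendor's code or the ASA's own export format). It assumes NSEL records already decoded by a collector into dictionaries with hypothetical keys `ts`, `src`, `firewallEvent` and `ingress_acl`, and it runs on constructed sample data.

```python
from collections import defaultdict, deque

FLOW_DENIED = 3  # IANA IPFIX firewallEvent value for "Flow Denied"

# Constructed sample rows: (ts seconds, source, firewallEvent, ingress ACL).
# Key names and ACL labels are assumptions about how a collector decodes NSEL.
_ROWS = [
    (0, "10.1.1.50", 3, "outside_in"),
    (5, "10.1.1.60", 3, "dmz_in"),
    (7, "10.1.1.70", 1, None),           # flow created, not a deny
    (10, "10.1.1.50", 3, "outside_in"),
    (20, "10.1.1.50", 3, "outside_in"),
    (25, "10.1.1.50", 3, "outside_in"),  # same burst, must not re-alert
    (30, "10.1.1.80", 3, None),          # denied, but no ACL reported
    (40, "10.1.1.80", 3, None),
    (200, "10.1.1.60", 3, "dmz_in"),     # outside the window of the ts=5 deny
]
SAMPLE_RECORDS = [dict(zip(("ts", "src", "firewallEvent", "ingress_acl"), r))
                  for r in _ROWS]


def denied_flow_alerts(records, threshold=3, window=60):
    """Alert once per burst when a (source, ACL) pair reaches `threshold`
    denied flows within `window` seconds."""
    recent = defaultdict(deque)  # (src, acl) -> timestamps of recent denies
    alerting = set()             # pairs currently at or above threshold
    alerts = []
    for rec in sorted(records, key=lambda r: r["ts"]):
        if rec.get("firewallEvent") != FLOW_DENIED:
            continue
        # Denies that carry no ACL are still counted, in their own bucket.
        key = (rec["src"], rec.get("ingress_acl") or "no-acl")
        stamps = recent[key]
        stamps.append(rec["ts"])
        while rec["ts"] - stamps[0] > window:
            stamps.popleft()
        if len(stamps) < threshold:
            alerting.discard(key)
        elif key not in alerting:
            alerting.add(key)
            alerts.append({"src": key[0], "acl": key[1],
                           "count": len(stamps), "ts": rec["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in denied_flow_alerts(SAMPLE_RECORDS):
        print(alert)
```

Grouping by ACL as well as by source separates one host tripping a single rule repeatedly from scattered denies across unrelated rules.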

Is your Network Address Translation (NAT) performed by your Cisco ASA?

If so, then with the ASA NSEL exports and our IPFIX and NetFlow reporting solution, you can display the address translations, showing the source and destination, post source and post destination IP addresses.  So once you have isolated an issue to a specific host address, you can then flip over to the Network Address Translation report and find out exactly who that address resolves to.

Now let’s talk about URLs. Are you interested in reporting on and analyzing which URLs are accessed, and by whom?

With a combination of exporting proxy data using IPFIXify, which gives us the URLs, and filtering on a host address, we can do just that for you.

See the example below.  I added the proxy to my report, then switched to see the URLs report.  Notice that the source filter for mikek-pc.plxr.local was carried over to the URLs report.

[Figure: Cisco ASA NetFlow can report on URLs]

This is a great example of adding contextual information around threats investigated on the Cisco ASA. Who else in the company visited the same URL and may now also be infected?

If you are interested in getting this level of Advanced NetFlow reporting from your Cisco ASA, give us a call and we’ll show you how.