
Cisco Firepower FTD NetFlow configuration

scottr

I am often exposed to new network devices and the ways that they support and configure flow-monitoring technologies. So I was excited to learn this new Cisco Firepower Threat Defense NetFlow configuration.

This configuration uses the same NSEL configuration commands that you would use on a Cisco ASA, in just about the same order as I described in this Cisco ASA configuration blog. The difference is that you apply the commands through the FMC GUI (FlexConfig) rather than the CLI.

Before we get started, there is some background information that you’ll need to be aware of.

As you navigate through the GUI, you will be asked to set parameters. Those parameters live in FlexConfig text objects, which supply the values for the variables used in the pre-defined FlexConfig objects.

There are four pre-defined FlexConfig objects within the Firepower Management Center and three pre-defined text objects. Pre-defined FlexConfig objects are read-only and cannot be modified.

To change the NetFlow parameters in a pre-defined FlexConfig object, copy the object and edit the copy.

The four pre-defined objects and three text objects are listed in the table below:

FlexConfig objects

If you wanted to change which event types get exported, you would make a copy of the FlexConfig object Netflow_Set_Parameters, change the parameter count from the default of 1 (all events) to the number of event types you are going to export, and then add one line per event type.

Step 1: Create an access rule defining the traffic that you want to monitor

Navigate to Objects > FlexConfig > Text Objects. Edit the netflow_Destination object.

Here you’ll define the NetFlow collector IP address, the UDP port and the source interface used to export the flows. This is where we find the major change from the ASA NSEL configuration: where a text object holds multiple values, you must set a count for the number of values that are going to be used.

In this case, we set the parameter count to 3. Then we set the interface name, destination IP address, and port parameters to match the collector.

In this configuration example, the interface is “DMZ,” the NetFlow Collector’s IP address is 10.20.20.1, and the UDP port is 2055.

Configuration example

Step 2: Configure an access rule that defines the traffic that you want monitored with NSEL

Navigate to Objects > Object Management and in the left menu under Access List, select Extended. Click Add Extended Access List.

In the Name field, input flow_export_acl. Click the Add button.

You can configure the Access Control entries to match all or specific traffic.

I usually just specify to monitor all traffic, but there are options to set for specific devices or applications.

In this example, traffic from host 10.10.10.1 to any destination and traffic between host 172.16.0.20 and host 192.168.1.20 are excluded. All other traffic is included.

Excluding and including traffic

Step 3: Assign the newly created access rule to a class-map

This is where we start seeing a combination of GUI and CLI directives.

To configure the FlexConfig Objects, navigate to Objects > FlexConfig > FlexConfig Objects and click the Add FlexConfig Object button.

Define the class map that identifies the traffic that NetFlow events need to be exported for. In this example, the name of the object is flow_export_class.

Select the Access List created in Step 2. Click on Insert > Insert Policy Object > Extended ACL Object and assign a name. Then click the Add button.

In this example, the name of the variable is flow_export_acl. Click Save.

Adding an extended ACL object

Add the next configuration lines in the blank right-hand field and include the variable previously defined ($flow_export_acl) in the match access-list configuration line.

Note that a $ symbol is prepended to the variable name.

class-map flow_export_class
 match access-list $flow_export_acl

Edit FlexConfig object

Click on Save when finished.

Step 4: Assign your new class-map to your global policy and configure the export destination parameters to set what event types are exported

This is the first place where you need to make a copy of a FlexConfig object in order to edit its variables.

To configure the NetFlow Destination, navigate to Objects > FlexConfig > FlexConfig Objects and filter by NetFlow. Copy the object Netflow_Add_Destination. The Netflow_Add_Destination_Copy is created.

Assign the class created in Step 3 to the global policy map. 

In this example, the class is inserted in the existing policy (global policy).

Assigning the class to the global policy map

Step 5: Verify and assign the FlexConfig Policy to the FTD

Navigate to Devices > FlexConfig and create a new policy (unless there is already one created for another purpose and assigned to the same FTD).

In this example, the default NetFlow export parameters are used, so the pre-defined Netflow_Set_Parameters object is selected. The set parameters are where you define the timeouts.

By default, the timeout variables are set to 30 minutes for the template timeout, 1 minute for the active refresh interval, and a 0-second delay for create events.

FlexConfig policy

I recommend making a copy of the Netflow_Set_Parameters object and setting these values to 1 minute for the template timeout, 1 minute for the active refresh interval, and 15 seconds for the delay on create events.

Save the changes and deploy.
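For reference, this is the CLI that the five steps above should produce on the FTD, assembled here as an added illustration (it is not from the original post or from Cisco's pre-defined FlexConfig objects) using the values in this post and the timer values recommended above. The two deny entries for the 172.16.0.20 / 192.168.1.20 pair are my assumption of how "traffic between" the hosts is excluded in both directions.

```cisco
! NetFlow (NSEL) export as deployed by the FlexConfig policy described above.
! Added illustration using the post's values; not Cisco's pre-defined objects.

! Step 1: netflow_Destination text object (count 3: interface, collector IP, UDP port)
flow-export destination DMZ 10.20.20.1 2055

! Step 2: flow_export_acl -- deny entries exclude traffic from export,
! the final permit includes everything else (both directions assumed for the host pair)
access-list flow_export_acl extended deny ip host 10.10.10.1 any
access-list flow_export_acl extended deny ip host 172.16.0.20 host 192.168.1.20
access-list flow_export_acl extended deny ip host 192.168.1.20 host 172.16.0.20
access-list flow_export_acl extended permit ip any any

! Step 3: flow_export_class FlexConfig object ($flow_export_acl resolves to the ACL name)
class-map flow_export_class
 match access-list flow_export_acl

! Step 4: Netflow_Add_Destination copy, class inserted into the existing global policy,
! exporting all event types (the default parameter count of 1)
policy-map global_policy
 class flow_export_class
  flow-export event-type all destination 10.20.20.1

! Step 5: Netflow_Set_Parameters copy with the recommended timers
! (the pre-defined defaults are 30 minutes / 1 minute / 0 seconds)
flow-export template timeout-rate 1
flow-export active refresh-interval 1
flow-export delay flow-create 15
```

After deploying, `show running-config flow-export` from the FTD diagnostic CLI confirms the commands landed, and `show flow-export counters` should show the packets-sent counter increasing as flows are exported to 10.20.20.1.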

You should now be exporting flows to the collector. Do you know what conversations are coming in and going out of your network? Gain valuable insight into your network traffic by deploying our NDR solution and using NetFlow exported from your Cisco FTD firewall to provide invaluable insight for application and user security monitoring.