I’m working with a customer’s Cisco ASA device and we are exporting NetFlow v9 to Scrutinizer to do some Cisco NetFlow traffic analysis. Fun stuff, but NetFlow Security Event Logging or NetFlow Event Logs isn’t just about traffic in and out of an interface. Some of the exports are more like syslogs. Up to 18 messages can be placed into a single NetFlow v9 packet.

Interested in trying it?

For those of you interested in ASA netflow I believe it is offered standard  on any code revision with the ASA 5580 series, on any lower numbered ASA models you will need ASA 8.2.x code to enable the feature.  Someone please tell me if this is incorrect.

Wireshark didn’t decode it
Hopefully someone at Cisco is working on the decodes for Wireshark.

ciscoasawiresharkMaybe I’ll bring it up at Wireshark Sharkfest in Palo Alto, Calif. next month! Yeeee HAAAAAA. I hope to see some of you there.

This isn’t your typical NetFlow
Three event types can trigger a NetFlow record.
* flow-create
* flow-denied
* flow-teardown

Of course a NetFlow collector IP address has to be entered into the ASA appliance, along with a a few other commands, for it to send flow records. Use the Modular Policy Framework to customize the details of NetFlow functionality.

Enabling NetFlow on the ASA

You will also need to define a Service policy pointing the flow data to the analyzer server. The below assumes your ASA is still using the default global policy.

policy-map global_policy
class class-default
flow-export event-type all destination x.x.x.x

The above is CLI, but NetFlow can be configured in the Cisco ASDM GUI by clicking:

  • Configuration-Firewall->Service Policy Rules.
  • Click Add->select “Use class-default as the traffic class”->Next->Netflow (tab)->Add (check the collector(s) you want to use)->Finish->Apply.


Cisco ASA NetFlow commands for specific Events
Example: Log Flow Creation events between hosts and
The Internal NetFlow Collector server is

ASA (config)#  flow-export destination inside 2055
ASA (config)# flow template timeout-rate 1
ASA (config)# access-list flow_export_acl permit ip host host
ASA (config)# class-map flow_export_class
ASA (config-cmap)# match access-list flow_export_acl
ASA (config)# policy-map flow_export_policy
ASA (config-pmap)# class flow_export_class
ASA (config-pmap-c)# flow-export event-type flow-creation destination

Displaying the NetFlow

Navigate to the graphical trends as shown below in the Status tab of Scrutinizer v7.



Limitation in v7

  • Displays data in 1 minute intervals only as roll ups were not completed in time for the release.  Up to 5 hours in 1 minute intervals can be displayed by using the ‘Auto’ interval option.
  • Interfaces do not show up in the Status tab. You must navigate to the templates as outlined above.
  • This is fixed in the next release.

May 9th, 2012 UPDATE:  New Cisco NSEL Reports in Scrutinizer v9.  Check them out.


Michael is one of the Co-founders and the former product manager for Scrutinizer. He enjoys many outdoor winter sports and often takes videos when he is snowmobiling, ice fishing or sledding with his kids. Cold weather and lots of snow make the best winters as far as he is concerned. Prior to starting Somix and Plixer, Mike worked in technical support at Cabletron Systems, acquired his Novell CNE and then moved to the training department for a few years. While in training he finished his Masters in Computer Information Systems from Southern New Hampshire University and then left technical training to pursue a new skill set in Professional Services. In 1998 he left the 'Tron' to start Somix which later became Plixer.


Leave a Reply

Your email address will not be published.