Yes, you can use NetFlow to monitor traffic and bandwidth usage on an ASA.
One of the primary uses for NetFlow on a Cisco ASA is as a transport protocol for security events. But if you are using the right NetFlow Analysis tool, you can also analyze traffic using NetFlow sent from the Cisco ASA.
This is really important, as I have seen many companies with remote sites connected by a Cisco ASA but no devices behind the ASAs that supported NetFlow. This meant that they couldn’t leverage NetFlow to analyze traffic at those sites.
There is a caveat to NetFlow support on the ASA. NetFlow from a Cisco ASA is quite different from what other Cisco devices provide. It is called “Netflow Security Event Logging” or NSEL. In fact, ASA NetFlow was never intended to be used for real-time/live traffic analysis.
That being said, you need to keep the following facts in mind:
- You will not see the data 100% live. On most routers and switches you get flow statistics periodically while the flow is in progress. NSEL sends a NetFlow data packet only after a connection has been torn down. If a connection is active for minutes or hours, the ASA sends one NetFlow packet with the total for the whole connection, attributed to the time of teardown. This causes peaks when viewing traffic patterns in Scrutinizer’s reports.
- Flows on the ASA are bidirectional (all counters for a flow increase for traffic flowing both in and out).
- You will need a NetFlow collector/analysis tool, such as Scrutinizer, that can analyze ASA NetFlow data. Remember, NSEL uses Flexible NetFlow, and the data format is different from “normal” NetFlow v9 data.
Here is an example of Scrutinizer’s ability to show you the top conversations that took place during a specific period of time. Notice that the traffic pattern does indeed show peaks that you would not have seen if this was traffic from a standard NetFlow exporting device.
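To make the peak effect concrete, here is an added example (not Scrutinizer’s or Cisco’s code) that simulates what a collector sees from NSEL. The records are constructed to approximate the subset of an ASA flow-teardown event that matters here: creation time, teardown time, and a single byte counter covering both directions. The first function buckets every record’s bytes into the minute it was exported, which is how a long transfer turns into a single spike; the second pro-rates the bytes across the minutes the connection was actually alive, which is one way a collector can flatten those peaks. The hostnames, addresses and field names are assumptions for the example.

```python
"""Why NSEL teardown-only export produces peaks, and how a collector can smooth them.

Added example, not Scrutinizer or Cisco code. Records below are constructed inline and
approximate the fields of an ASA flow-teardown event; timestamps are milliseconds.
"""
from collections import defaultdict
from dataclasses import dataclass

BUCKET_MS = 60_000  # one-minute report buckets, as a collector would graph them


@dataclass(frozen=True)
class TeardownRecord:
    """Subset of an NSEL flow-teardown event (constructed for this example).

    octets covers both directions: ASA flows are bidirectional, so a single record
    carries the in+out total for the whole life of the connection.
    """
    src: str
    dst: str
    dst_port: int
    start_ms: int   # connection creation time
    end_ms: int     # teardown time; this is when the ASA actually exports the record
    octets: int


def _bucket(ts_ms: int) -> int:
    """Start of the one-minute bucket containing ts_ms."""
    return ts_ms // BUCKET_MS * BUCKET_MS


def bucket_at_teardown(records):
    """What a collector sees if it treats NSEL like periodic NetFlow: every byte of a
    connection lands in the minute it was torn down, so a ten-minute transfer shows
    up as one spike at the end."""
    series = defaultdict(int)
    for r in records:
        series[_bucket(r.end_ms)] += r.octets
    return dict(series)


def bucket_spread_over_lifetime(records):
    """Spread each record's bytes evenly across [start_ms, end_ms), pro-rated by how
    much of each minute the connection was alive. Zero-duration connections (e.g. a
    single request/response) go wholly into the bucket of their teardown time."""
    series = defaultdict(float)
    for r in records:
        duration = r.end_ms - r.start_ms
        if duration <= 0:
            series[_bucket(r.end_ms)] += r.octets
            continue
        t = r.start_ms
        while t < r.end_ms:
            bucket_start = _bucket(t)
            bucket_end = bucket_start + BUCKET_MS
            alive_ms = min(r.end_ms, bucket_end) - t
            series[bucket_start] += r.octets * alive_ms / duration
            t = bucket_end
    return {k: round(v) for k, v in series.items()}


def peak_bytes(series) -> int:
    """Largest single-bucket value, i.e. the height of the tallest spike on a graph."""
    return max(series.values()) if series else 0


# Constructed sample: one ten-minute 6 MB transfer plus three short connections.
SAMPLE = [
    TeardownRecord("10.1.1.20", "203.0.113.10", 443, 0, 600_000, 6_000_000),
    TeardownRecord("10.1.1.21", "203.0.113.11", 80, 30_000, 45_000, 10_000),
    TeardownRecord("10.1.1.22", "203.0.113.12", 443, 90_000, 130_000, 40_000),
    TeardownRecord("10.1.1.23", "203.0.113.13", 53, 610_000, 610_000, 500),
]

if __name__ == "__main__":
    naive = bucket_at_teardown(SAMPLE)
    smooth = bucket_spread_over_lifetime(SAMPLE)
    for minute in sorted(set(naive) | set(smooth)):
        print(f"{minute // BUCKET_MS:3d} min  at-teardown={naive.get(minute, 0):>9,}"
              f"  spread={smooth.get(minute, 0):>9,}")
    print("peak bytes per minute:", peak_bytes(naive), "vs", peak_bytes(smooth))
```

Both functions conserve the total byte count; only the placement in time differs. The spread version needs the creation timestamp, which is why a collector that understands the NSEL template fields can produce a smoother graph than one that simply treats each export as a point sample.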
We’ve also documented the required configuration parameters for the ASA to enable NetFlow export.
For more information on ASA NetFlow, take a deeper look at NSEL.
Update (May 29th, 2012): new Cisco NSEL reports are available in Scrutinizer v9. Check them out.