When Cisco released ASA software v8.2, there was a LOT of excitement. Finally, Cisco had added NetFlow support to another key device in everyone’s network. Naturally, everyone ran around looking for the latest configs to enable NetFlow on the ASA.
However, once NetFlow collectors got their hands on those ASA NetFlow records, we all saw some really strange results.
A couple of months ago, we asked our customers to help us find some answers. With the assistance of Wireshark, we collected a plethora of data to make sense of this puzzle.
After diligent study, we finally had some answers…
This form of NetFlow export from the ASA firewall is called NSEL: NetFlow Security Event Logging.
The purpose of NSEL is to track firewall events via NetFlow and to provide a summary of all conversations associated with each event type.
So when you configure an ASA for NetFlow export, you are choosing which events you want to monitor via your NetFlow collector. Currently, there are three event types to monitor:
- Flow Create
- Flow Denied
- Flow Teardown
Unlike a router exporting NetFlow v9, an ASA can export several unique templates for a single event type. For example, the Flow Create event has four possible templates:
two are associated with IPv4 addresses, and two with IPv6.
With all three Event types combined, there are up to seventeen unique templates for your collector to manage!
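As an added illustration (not code from this post or from Cisco), here is a small Python NetFlow v9 collector that does the two things an ASA's template-heavy export forces on any collector: it caches templates per exporter (keyed by source ID plus template ID, since different exporters may reuse the same template number) and it holds data FlowSets that arrive before their template has been seen. The six-field template layout, the two sample packets and the mapping of `firewallEvent` (field 233) values to Create/Teardown/Denied are constructed assumptions for the example; real ASA templates carry many more fields.

```python
import struct
from typing import Dict, List, Tuple

# Standard NetFlow v9 field type IDs (RFC 3954 field table). 233 is the IANA
# IPFIX 'firewallEvent' element that NSEL records use for the event type.
FIELD_NAMES = {4: "PROTOCOL", 7: "L4_SRC_PORT", 8: "IPV4_SRC_ADDR",
               11: "L4_DST_PORT", 12: "IPV4_DST_ADDR", 233: "FW_EVENT"}

# ASSUMPTION for this example: event code -> NSEL event name. Verify against
# your ASA release's NSEL documentation before relying on these values.
FW_EVENT_NAMES = {1: "flow-create", 2: "flow-teardown", 3: "flow-denied"}

Template = List[Tuple[int, int]]  # (field_type, field_length) pairs


class V9Collector:
    """Minimal NetFlow v9 collector that caches templates per exporter."""

    def __init__(self) -> None:
        self.templates: Dict[Tuple[int, int], Template] = {}   # (source_id, template_id)
        self.pending: Dict[Tuple[int, int], List[bytes]] = {}  # data seen before its template

    def feed(self, packet: bytes) -> List[dict]:
        version, _count, _uptime, _secs, _seq, source_id = struct.unpack("!HHIIII", packet[:20])
        if version != 9:
            raise ValueError(f"not NetFlow v9 (version={version})")
        records: List[dict] = []
        offset = 20
        while offset + 4 <= len(packet):
            fs_id, fs_len = struct.unpack("!HH", packet[offset:offset + 4])
            if fs_len < 4 or offset + fs_len > len(packet):
                raise ValueError("malformed FlowSet length")
            body = packet[offset + 4:offset + fs_len]
            if fs_id == 0:  # template FlowSet: learn templates, then replay held data
                for key in self._parse_templates(source_id, body):
                    for held in self.pending.pop(key, []):
                        records.extend(self._decode(self.templates[key], held))
            elif fs_id >= 256:  # data FlowSet: decode now or hold until the template arrives
                key = (source_id, fs_id)
                if key in self.templates:
                    records.extend(self._decode(self.templates[key], body))
                else:
                    self.pending.setdefault(key, []).append(body)
            # fs_id 1 (options template) and 2..255 (reserved) are skipped here
            offset += fs_len
        return records

    def _parse_templates(self, source_id: int, body: bytes) -> List[Tuple[int, int]]:
        keys, pos = [], 0
        while pos + 4 <= len(body):
            template_id, field_count = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            if pos + 4 * field_count > len(body):
                raise ValueError("truncated template record")
            fields = [struct.unpack("!HH", body[pos + 4 * i:pos + 4 * i + 4]) for i in range(field_count)]
            pos += 4 * field_count
            self.templates[(source_id, template_id)] = fields
            keys.append((source_id, template_id))
        return keys

    @staticmethod
    def _decode(template: Template, body: bytes) -> List[dict]:
        rec_len = sum(length for _, length in template)
        if rec_len == 0:
            return []
        out, pos = [], 0
        while pos + rec_len <= len(body):  # leftover bytes are FlowSet padding
            rec: dict = {}
            for ftype, flen in template:
                raw = body[pos:pos + flen]
                pos += flen
                name = FIELD_NAMES.get(ftype, f"field_{ftype}")
                rec[name] = ".".join(str(b) for b in raw) if ftype in (8, 12) and flen == 4 \
                    else int.from_bytes(raw, "big")
            if "FW_EVENT" in rec:
                rec["FW_EVENT_NAME"] = FW_EVENT_NAMES.get(rec["FW_EVENT"], "unknown")
            out.append(rec)
        return out


# --- constructed sample traffic (not a real ASA capture) ---------------------
def _header(source_id: int, seq: int, count: int) -> bytes:
    return struct.pack("!HHIIII", 9, count, 1000, 1262304000, seq, source_id)

def _template_flowset(template_id: int, fields: Template) -> bytes:
    body = struct.pack("!HH", template_id, len(fields)) + b"".join(struct.pack("!HH", t, l) for t, l in fields)
    return struct.pack("!HH", 0, 4 + len(body)) + body

def _data_flowset(template_id: int, records: List[bytes]) -> bytes:
    body = b"".join(records)
    pad = (-len(body)) % 4  # data FlowSets are padded to a 4-byte boundary
    return struct.pack("!HH", template_id, 4 + len(body) + pad) + body + b"\x00" * pad

def _record(src: str, dst: str, sport: int, dport: int, proto: int, event: int) -> bytes:
    ip = lambda a: bytes(int(o) for o in a.split("."))
    return ip(src) + ip(dst) + struct.pack("!HHBB", sport, dport, proto, event)

ASSUMED_ASA_TEMPLATE_256: Template = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (233, 1)]
SAMPLE_PACKETS = [
    # Packet 1: data for template 256 before the template itself; must be held, not dropped.
    _header(1, 1, 1) + _data_flowset(256, [_record("10.0.0.5", "192.0.2.10", 51515, 443, 6, 1)]),
    # Packet 2: the template arrives, followed by a second record for the same flow.
    _header(1, 2, 2) + _template_flowset(256, ASSUMED_ASA_TEMPLATE_256)
    + _data_flowset(256, [_record("10.0.0.5", "192.0.2.10", 51515, 443, 6, 3)]),
]

def demo() -> List[List[dict]]:
    collector = V9Collector()
    return [collector.feed(p) for p in SAMPLE_PACKETS]

if __name__ == "__main__":
    for i, recs in enumerate(demo(), 1):
        print(f"packet {i}: {recs}")
```

Feeding the first packet yields nothing, because the collector has no template 256 for source ID 1 yet; the second packet supplies the template, and both the held record and the new one decode, in arrival order. A collector that instead discards template-less data (or caches templates only by template ID, ignoring the exporter) is the usual cause of "missing" or scrambled ASA flows.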
But as hinted earlier, though these templates follow the general NetFlow v9 format, some march to the beat of their own drum…
But we’ll save that for part 2.