A few months ago Nathan invited us to take a deeper look at NSEL. NSEL (NetFlow Secure Event Logging) is the NetFlow exported from an ASA Firewall. He showed us how to enable and configure the ASA for NetFlow export.

Traditional NetFlow records upstream and downstream traffic between two end points as two different flows. In the case of an ASA device, most bidirectional flows are already assembled internally and are considered a single flow. So the flow records reported by NetFlow on an ASA Firewall will describe both directions of the flow.

Today I am going to give a brief overview of what each of the templates is telling us.

When you configure an ASA for NetFlow export, you are choosing which events you want to monitor via your NetFlow collector. Currently, there are three types of events that we monitor:

  • Flow Create
  • Flow Denied
  • Flow Teardown

Flow Create events indicate that a flow has been created by the ASA device. This event is a log of flows that ASA has allowed. The data records will explicitly call out the Source and Destination of the connection and this information can be used to determine the direction of the flow. The octetTotalCounts field in the flow record shows just how many bytes have been passed through in the first packet(s) that create the flow. There should not be very many bytes in any of the flow creation records.

Flow Denied simply means that the flow was explicitly denied from being created in the first place. You may see two types of denied events. A Denied no XLATE event shows that the flow was denied and that no translation of the source and destination IP addresses and ports was done. This is typical when using NAT addresses.

Flow Teardown events indicate that an existing flow in the flow database of the appliance has ended. It could be due to “natural” causes (TCP: fin/fin-ack/ack, UDP: firewall times it out), or it could be a flow that has a problem detected midstream and the firewall shuts it off. The Teardown event will give you the total byte count (both inbound and outbound) for the entire flow in the octetTotalCounts field.
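The three event types above are most useful when correlated per connection: the Flow Create record fixes the direction (who initiated), the Flow Teardown record carries the total byte count, and Flow Denied records never get a teardown at all. The following Python is an added example, not code from the original post or from Scrutinizer, showing that correlation over a few constructed records. The records are simplified dicts standing in for decoded NSEL fields (the "octets" key stands in for the post's octetTotalCounts field, and the event labels are this example's own, not the NetFlow v9 wire values); the internal address ranges passed to `direction()` are likewise an assumption.

```python
import ipaddress

# Event labels for this example (constructed, not the exporter's numeric codes).
FLOW_CREATE, FLOW_DENIED, FLOW_TEARDOWN = "create", "denied", "teardown"

# Constructed sample records: a simplified stand-in for decoded NSEL data records.
# "octets" plays the role of the post's octetTotalCounts field; "ts" is seconds.
SAMPLE_RECORDS = [
    {"event": FLOW_CREATE,   "src": "10.1.1.5",  "sport": 51234, "dst": "203.0.113.10",  "dport": 443, "proto": 6,  "octets": 120,   "ts": 100},
    {"event": FLOW_CREATE,   "src": "10.1.1.7",  "sport": 40001, "dst": "198.51.100.20", "dport": 53,  "proto": 17, "octets": 60,    "ts": 101},
    {"event": FLOW_DENIED,   "src": "192.0.2.9", "sport": 3333,  "dst": "10.1.1.5",      "dport": 22,  "proto": 6,  "octets": 0,     "ts": 102},
    {"event": FLOW_TEARDOWN, "src": "10.1.1.7",  "sport": 40001, "dst": "198.51.100.20", "dport": 53,  "proto": 17, "octets": 310,   "ts": 103},
    {"event": FLOW_TEARDOWN, "src": "10.1.1.5",  "sport": 51234, "dst": "203.0.113.10",  "dport": 443, "proto": 6,  "octets": 48210, "ts": 160},
    {"event": FLOW_CREATE,   "src": "10.1.1.9",  "sport": 55555, "dst": "203.0.113.44",  "dport": 80,  "proto": 6,  "octets": 80,    "ts": 170},
]


def five_tuple(rec):
    """Connection key used to pair a Create with its later Teardown."""
    return (rec["src"], rec["sport"], rec["dst"], rec["dport"], rec["proto"])


def direction(rec, internal_nets):
    """Derive flow direction from the Source/Destination the ASA reports.

    internal_nets is a list of CIDR strings (an assumption of this example).
    Because the ASA records the initiator as Source, the Create record alone
    tells us whether the connection was started inside or outside.
    """
    nets = [ipaddress.ip_network(n) for n in internal_nets]
    src_in = any(ipaddress.ip_address(rec["src"]) in n for n in nets)
    dst_in = any(ipaddress.ip_address(rec["dst"]) in n for n in nets)
    if src_in and dst_in:
        return "internal"
    if src_in:
        return "outbound"
    if dst_in:
        return "inbound"
    return "transit"


def summarize(records, create_byte_threshold=1500):
    """Correlate Create/Teardown events per 5-tuple and collect Denied events.

    Returns a dict with:
      completed:        {5-tuple: {"bytes": teardown octets, "duration": seconds}}
      open:             set of 5-tuples with a Create but no Teardown yet
      denied:           list of 5-tuples the firewall refused to create
      orphan_teardowns: 5-tuples torn down with no Create seen (collector
                        started late or records were lost)
      large_creates:    Create records carrying more bytes than expected; the
                        post notes Create records should hold very few bytes
    """
    creates, completed, denied, orphans, large = {}, {}, [], [], []
    for rec in sorted(records, key=lambda r: r["ts"]):
        key = five_tuple(rec)
        if rec["event"] == FLOW_CREATE:
            creates[key] = rec
            if rec["octets"] > create_byte_threshold:
                large.append(key)
        elif rec["event"] == FLOW_DENIED:
            denied.append(key)
        elif rec["event"] == FLOW_TEARDOWN:
            create = creates.pop(key, None)
            if create is None:
                orphans.append(key)
                continue
            # Teardown carries the total for both directions of the flow.
            completed[key] = {"bytes": rec["octets"], "duration": rec["ts"] - create["ts"]}
    return {"completed": completed, "open": set(creates), "denied": denied,
            "orphan_teardowns": orphans, "large_creates": large}


if __name__ == "__main__":
    summary = summarize(SAMPLE_RECORDS)
    for key, info in summary["completed"].items():
        print("completed", key, info)
    print("still open:", summary["open"])
    print("denied:", summary["denied"])
    print("direction of first create:", direction(SAMPLE_RECORDS[0], ["10.0.0.0/8"]))
```

Two things worth noting in the output: the byte total for a connection comes only from the Teardown record (the Create record for the HTTPS flow reports 120 bytes, the Teardown 48210), and the Denied SSH attempt from 192.0.2.9 appears only in the denied list, since a flow that was never created is never torn down. Orphan teardowns are a useful health check on the collector itself.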

Using our NetFlow and sFlow Analysis tool you can display the NetFlow by clicking on the word ‘Graph’ when viewing the NetFlow Templates. Here is how Scrutinizer v7 displays the templates:

Show Flow Templates from Device Explorer

Access to the raw flow data is also possible on ALL of the templates by clicking on “Flow View”. Flow View displays all the fields included in the template:

Flow View of a Flow Create Template

From within the Flow View window you have the ability to search on selected fields. In the above flow template, you could search on a particular user name to analyze traffic for that user.

The interest in collecting NetFlow from ASA Firewalls has become a very hot topic in recent months. And at Plixer we have developed our NetFlow and sFlow Analysis tool to handle it all.


Scott

Scott provides Pre Sales Technical Support to the Sales team at Plixer. Scott comes from a technical support background, having years of experience doing everything from customer account management to system programming. Some of his interests include coaching youth sports programs here in Sanford, playing drums and guitar in local jam bands, and playing in neighborhood lawn dart tournaments.
