Cisco ASA NetFlow Support – NetFlow Security Event Logging – NSEL

NetFlow is a protocol initially developed by Cisco, but it is also supported on many other network devices. Its purpose is to collect IP traffic information and send the collected records to a NetFlow collector server or NetFlow analyzer. NetFlow gives administrators an inside view of the traffic passing through the network and lets them gather information about bandwidth usage, type of traffic, traffic volume etc.

In the past, only Cisco IOS routers supported NetFlow. On the Cisco ASA, NetFlow was initially supported only on the Cisco ASA 5580 with software version 8.1. With the introduction of Cisco ASA software version 8.2, NetFlow is supported on ALL ASA models. This feature on the ASA is called NetFlow Security Event Logging (NSEL), which is an adaptation of NetFlow version 9.

Configuring NetFlow on Cisco ASA:

There are three event types that trigger the creation of a NetFlow record: flow-create, flow-denied and flow-teardown. You can also use the keyword all to trigger a NetFlow record for every event type. You need to define a NetFlow collector IP address to which the ASA appliance sends its flow records, and you can use the Modular Policy Framework (MPF) to select which traffic and which event types are exported.

Example: Log Flow Creation events between hosts 10.1.1.1 and 10.2.2.2

The Internal NetFlow Collector server is 192.168.100.1

ASA(config)# flow-export destination inside 192.168.100.1 2055

ASA(config)# access-list flow_export_acl permit ip host 10.1.1.1 host 10.2.2.2

ASA(config)# class-map flow_export_class
ASA(config-cmap)# match access-list flow_export_acl

ASA(config)# policy-map flow_export_policy
ASA(config-pmap)# class flow_export_class
ASA(config-pmap-c)# flow-export event-type flow-create destination 192.168.100.1

! You can also use "event-type all" to trigger records for all flow events

ASA(config)# service-policy flow_export_policy global

! Disable the redundant syslog messages for exported flow events to improve performance
ASA(config)# logging flow-export-syslogs disable
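To show what the collector at 192.168.100.1:2055 actually receives from the configuration above, here is an added example (not from the original post, and not Cisco's code) of a minimal NetFlow v9 / NSEL decoder in Python. It constructs its own test datagram: a template FlowSet followed by data records for the 10.1.1.1 to 10.2.2.2 flow, using the standard NetFlow v9 element ids plus the NSEL field ids NF_F_CONN_ID (148) and NF_F_FW_EVENT (40005) and the event codes (1 created, 2 deleted/teardown, 3 denied, 5 updated), all of which are assumed from Cisco's NSEL documentation rather than taken from this page. The decoder caches templates per exporter and skips data it cannot decode yet, which is the behaviour a real collector needs because the ASA only resends templates periodically.

```python
"""Minimal NetFlow v9 / NSEL record decoder with a constructed test datagram."""
import ipaddress
import struct

# Field type ids: 4/7/8/11/12 are standard NetFlow v9 element ids; 148 (NF_F_CONN_ID)
# and 40005 (NF_F_FW_EVENT) are the Cisco ASA NSEL ids (assumed from Cisco's NSEL
# implementation guide; verify against the release notes of your ASA software).
FIELD_NAMES = {
    4: "protocol",
    7: "src_port",
    8: "src_addr",
    11: "dst_port",
    12: "dst_addr",
    148: "conn_id",
    40005: "fw_event",
}
# NF_F_FW_EVENT values (assumed): 0 ignore, 1 created, 2 deleted, 3 denied, 5 updated.
FW_EVENT_NAMES = {0: "ignore", 1: "flow-create", 2: "flow-teardown",
                  3: "flow-denied", 5: "flow-update"}
TEMPLATE_FLOWSET_ID = 0


def decode_field(ftype, raw):
    """Turn the raw bytes of one field into an address, an event name or an int."""
    if ftype in (8, 12):
        return str(ipaddress.IPv4Address(raw))
    value = int.from_bytes(raw, "big")
    if ftype == 40005:
        return FW_EVENT_NAMES.get(value, f"unknown({value})")
    return value


def parse_v9(packet, templates):
    """Decode one NetFlow v9 datagram into a list of record dicts.

    `templates` is the collector's per-exporter cache keyed by (source_id, template_id).
    Data FlowSets whose template has not been seen yet are skipped, exactly as on a
    real collector until the exporter's next template refresh."""
    version, _count, _uptime, _secs, _seq, source_id = struct.unpack("!HHIIII", packet[:20])
    if version != 9:
        raise ValueError(f"not NetFlow v9: version {version}")
    records = []
    offset = 20
    while offset + 4 <= len(packet):
        fs_id, fs_len = struct.unpack("!HH", packet[offset:offset + 4])
        if fs_len < 4 or offset + fs_len > len(packet):
            raise ValueError("malformed FlowSet length")  # never trust the wire
        body = packet[offset + 4:offset + fs_len]
        offset += fs_len
        if fs_id == TEMPLATE_FLOWSET_ID:
            pos = 0
            while pos + 4 <= len(body):
                tid, nfields = struct.unpack("!HH", body[pos:pos + 4])
                pos += 4
                fields = [struct.unpack("!HH", body[pos + 4 * i:pos + 4 * i + 4])
                          for i in range(nfields)]
                pos += 4 * nfields
                templates[(source_id, tid)] = fields
        elif fs_id >= 256:  # data FlowSet: id is the template id
            fields = templates.get((source_id, fs_id))
            if not fields:
                continue
            rec_len = sum(flen for _, flen in fields)
            pos = 0
            while rec_len and pos + rec_len <= len(body):  # trailing bytes are padding
                rec = {}
                for ftype, flen in fields:
                    rec[FIELD_NAMES.get(ftype, f"field_{ftype}")] = decode_field(ftype, body[pos:pos + flen])
                    pos += flen
                records.append(rec)
    return records


def event_counts(records):
    """Per-event tally, the first thing a collector dashboard shows."""
    counts = {}
    for rec in records:
        counts[rec["fw_event"]] = counts.get(rec["fw_event"], 0) + 1
    return counts


def build_nsel_packet(flows):
    """Constructed test datagram: template 256 plus one data FlowSet carrying `flows`,
    each given as (src, dst, proto, sport, dport, conn_id, event_code)."""
    layout = [(8, 4), (12, 4), (4, 1), (7, 2), (11, 2), (148, 4), (40005, 1)]
    tmpl = struct.pack("!HH", 256, len(layout)) + b"".join(struct.pack("!HH", t, l) for t, l in layout)
    tmpl_fs = struct.pack("!HH", TEMPLATE_FLOWSET_ID, 4 + len(tmpl)) + tmpl
    data = b""
    for src, dst, proto, sport, dport, conn_id, event in flows:
        data += ipaddress.IPv4Address(src).packed + ipaddress.IPv4Address(dst).packed
        data += struct.pack("!BHHIB", proto, sport, dport, conn_id, event)
    data += b"\x00" * (-len(data) % 4)  # exporters pad FlowSets to 4 bytes
    data_fs = struct.pack("!HH", 256, 4 + len(data)) + data
    header = struct.pack("!HHIIII", 9, 1 + len(flows), 12345, 1244000000, 1, 0)
    return header + tmpl_fs + data_fs


# Constructed sample: the page's 10.1.1.1 -> 10.2.2.2 flow being created and torn
# down, plus a denied connection from another host.
SAMPLE = build_nsel_packet([
    ("10.1.1.1", "10.2.2.2", 6, 40512, 443, 1001, 1),
    ("10.1.1.1", "10.2.2.2", 6, 40512, 443, 1001, 2),
    ("192.168.50.7", "10.2.2.2", 6, 51000, 22, 1002, 3),
])

if __name__ == "__main__":
    cache = {}
    for record in parse_v9(SAMPLE, cache):
        print(record)
    print(event_counts(parse_v9(SAMPLE, cache)))
```

Wrapping parse_v9 in a UDP socket bound to port 2055 turns this into a working collector; keep the template cache keyed by source id, since two ASAs can both use template id 256 with different layouts.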

5 Responses to 'Cisco ASA NetFlow Support – NetFlow Security Event Logging – NSEL'

  1. NetFlow Security Event Logging with the Cisco ASA - NetFlow & sFlow Network Monitoring - Systrax Blog - June 2nd, 2009 at 8:42 am

    [...] This page was very helpful to determine the above configuration commands for NetFlow on the ASA 5580. [...]

  2. John G - June 11th, 2009 at 12:03 am

    I can’t seem to find any product that analyses NSEL packets. I know the guys at Plixer are busy working on it. NetFlow Analyzer doesn’t do it either. It seems that only the Cisco MARS is capable.

  3. Daniel Craig - August 4th, 2009 at 3:59 am

    Hey, I was looking around for a while searching for security event and I happened upon this site and your post regarding ASA NetFlow Support – NetFlow Security Event Logging – NSEL | CiscoTips, I will definitely add this to my security event bookmarks!

  4. Birima - November 15th, 2009 at 10:49 pm

    Try Solarwinds Netflow Analyzer

  5. PigBear - January 14th, 2010 at 5:30 pm

    OpManager’s NetFlow Analyzer is free for up to two interfaces and will process Netflow with nice graphs, DNS resolution of the hosts sending/receiving.

