Cisco ASA NetFlow Support – NetFlow Security Event Logging – NSEL

Written By Harris Andrea

NetFlow is a protocol initially developed by Cisco, but it is also supported on many other network devices.

NetFlow’s purpose is to collect IP traffic information and send the collected records to a NetFlow Collector server or NetFlow Analyzer.

NetFlow gives administrators an inside view of the traffic passing through the network and collects information such as bandwidth usage, type of traffic, traffic volume, etc.

In the past, only Cisco IOS routers supported NetFlow. On the Cisco ASA, NetFlow was supported only on the ASA 5580 with software version 8.1.

With the introduction of Cisco ASA software version 8.2, NetFlow is now supported on ALL ASA models. On the ASA this feature is called NetFlow Security Event Logging (NSEL), which is an adaptation of NetFlow version 9.

Configuring NetFlow on Cisco ASA:

There are three event types that trigger the creation of a NetFlow record: flow-create, flow-denied and flow-teardown.

You can also use the keyword all to trigger a NetFlow record for all events. You need to define a NetFlow collector IP address to which the ASA appliance will send the flow records, and you can use the Modular Policy Framework (MPF) to customize which traffic and which events are exported.


Example: Log Flow Creation events between hosts 10.1.1.1 and 10.2.2.2

The Internal NetFlow Collector server is 192.168.100.1

ASA(config)# flow-export destination inside 192.168.100.1 2055

ASA(config)# access-list flow_export_acl permit ip host 10.1.1.1 host 10.2.2.2

ASA(config)# class-map flow_export_class
ASA(config-cmap)# match access-list flow_export_acl

ASA(config)# policy-map flow_export_policy
ASA(config-pmap)# class flow_export_class
ASA(config-pmap-c)# flow-export event-type flow-create destination 192.168.100.1

! You can also use "event-type all" to trigger records for all flow events

ASA(config)# service-policy flow_export_policy global

! Disable the syslog messages that duplicate the flow-export events, to reduce the load on the ASA
ASA(config)# logging flow-export-syslogs disable
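Since NSEL is an adaptation of NetFlow version 9, it helps to see what the records the ASA sends to the collector actually look like on the wire. The following Python parser is an added example and not part of the original post: it decodes a constructed v9 export containing one template and one flow-create record for 10.1.1.1 -> 10.2.2.2, using the standard v9 field IDs for addresses, ports and protocol plus the NSEL firewall-event field (ID 233), which is the field a collector uses to tell created, denied and torn-down flows apart.

```python
import struct

# Field type IDs 8, 12, 7, 11 and 4 are standard NetFlow v9 elements; 233 is
# the NSEL firewall-event field (NF_F_FW_EVENT) that the ASA adds to its records.
FIELD_NAMES = {8: "src_ip", 12: "dst_ip", 7: "src_port", 11: "dst_port", 4: "proto", 233: "fw_event"}
FW_EVENTS = {0: "ignore", 1: "flow-create", 2: "flow-teardown", 3: "flow-denied", 4: "flow-alert", 5: "flow-update"}

def _decode(ftype, raw):
    if ftype in (8, 12):                     # IPv4 addresses
        return ".".join(str(b) for b in raw)
    value = int.from_bytes(raw, "big")
    return FW_EVENTS.get(value, value) if ftype == 233 else value

def parse_v9(packet, templates):
    """Decode one NetFlow v9 export; learn templates into `templates`, return data records."""
    version = struct.unpack("!H", packet[:2])[0]
    if version != 9:
        raise ValueError("not a NetFlow v9 export")
    records, pos = [], 20                    # 20-byte v9 header precedes the flowsets
    while pos + 4 <= len(packet):
        flowset_id, length = struct.unpack("!HH", packet[pos:pos + 4])
        if length < 4:                       # malformed length would loop forever
            break
        body = packet[pos + 4:pos + length]
        if flowset_id == 0:                  # template flowset: template id, count, (type, len)...
            tpos = 0
            while tpos + 4 <= len(body):
                tid, nfields = struct.unpack("!HH", body[tpos:tpos + 4])
                templates[tid] = [struct.unpack("!HH", body[tpos + 4 + 4 * i:tpos + 8 + 4 * i]) for i in range(nfields)]
                tpos += 4 + 4 * nfields
        elif flowset_id >= 256 and flowset_id in templates:  # data flowset for a known template
            fields = templates[flowset_id]
            rec_len, dpos = sum(flen for _, flen in fields), 0
            while dpos + rec_len <= len(body):   # trailing bytes shorter than a record are padding
                rec, fpos = {}, dpos
                for ftype, flen in fields:
                    rec[FIELD_NAMES.get(ftype, ftype)] = _decode(ftype, body[fpos:fpos + flen])
                    fpos += flen
                records.append(rec)
                dpos += rec_len
        pos += length
    return records

def build_sample():
    """Constructed export (not a real capture): one template and one flow-create record 10.1.1.1 -> 10.2.2.2:443."""
    fields = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (233, 1)]
    template = struct.pack("!HH", 256, len(fields)) + b"".join(struct.pack("!HH", *f) for f in fields)
    record = bytes([10, 1, 1, 1, 10, 2, 2, 2]) + struct.pack("!HHBB", 40000, 443, 6, 1)
    header = struct.pack("!HHIIII", 9, 1, 1000, 1700000000, 1, 0)
    return header + struct.pack("!HH", 0, 4 + len(template)) + template + struct.pack("!HH", 256, 4 + len(record)) + record
```

A real collector keeps the templates dictionary across packets, because the ASA sends templates periodically and data flowsets that arrive before their template cannot be decoded.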


About Harris Andrea

Harris Andrea is an Engineer with more than two decades of professional experience in the fields of TCP/IP Networks, Information Security and I.T. Over the years he has acquired several professional certifications such as CCNA, CCNP, CEH, ECSA etc.

He is a self-published author of two books ("Cisco ASA Firewall Fundamentals" and "Cisco VPN Configuration Guide") which are available at Amazon and on this website as well.

Comments

  1. John G says

    June 11, 2009 at 12:03 am

    I can’t seem to find any product that analyses NSEL packets. I know the guys at Plixer are busy working on it. Netflow Analyzer doesn’t do it either. It seems that only the Cisco MARS is capable.

  2. Daniel Craig says

    August 4, 2009 at 3:59 am

    Hey, I was looking around for a while searching for security event and I happened upon this site and your post regarding SA NetFlow Support – NetFlow Security Event Logging – NSEL | CiscoTips, I will definitely add this to my security event bookmarks!

  3. Birima says

    November 15, 2009 at 10:49 pm

    Try Solarwinds Netflow Analyzer

  4. PigBear says

    January 14, 2010 at 5:30 pm

    OpManager’s NetFlow Analyzer is free for up to two interfaces and will process Netflow with nice graphs, DNS resolution of the hosts sending/receiving.
