When events such as allowed and denied connections occur on a Cisco ASA firewall, NetFlow Secure Event Logging (NSEL) records them. If NSEL export is configured, these events can be sent to the NetFlow Auditor collector.

Prerequisites
Please ensure you are running a recent version of the ASA software that supports NetFlow version 9 Secure Event Logging (NSEL). It is important to use a version of the ASA operating system that correctly supports active refresh-interval (Cisco ASA v8.4(5) and v9.1(2)); otherwise you will see false peaks in your reports.

flow-export active refresh-interval:
The flow-export active refresh-interval command is the ASA equivalent of the IOS command "ip flow-cache timeout active". It controls how often active flows are exported to the NetFlow Auditor collector.
* Only exists in Cisco ASA v8.4(5) and v9.1(2)
* Not available in 8.5(1), 8.6(1), 8.7(1), 9.0(1), or 9.1(1).
On other Cisco ASA versions a flow is not exported until the conversation on the network has ended.
Persistent tunnels are therefore problematic for reporting on versions other than 8.4(5) or 9.1(2), because the Cisco ASA does not export the NetFlow record until the tunnel is torn down.
On versions without this command the flows produce false peaks: all of a conversation's traffic is exported in a single record after it has ended, instead of being exported in one-minute increments while the conversation is active.
ASA NetFlow export depends on the version of the ASA software installed. The following settings must be present in the ASA configuration to export flow data to the NetFlow Auditor.

CLI Configuration
The following typical commands must be included in your global service policy for NetFlow export to function. (There may be variation between versions.)
(config)# flow-export destination inside [NetFlow Auditor IP] 2055
(config)# flow-export active refresh-interval 1
(config)# flow-export template timeout-rate 1
(config)# logging flow-export-syslogs disable
(config)# access-list flow_export_acl extended permit ip any any
(config)# class-map netflow-export-class
(config-cmap)# match access-list flow_export_acl
(config)# policy-map global_policy
(config-pmap)# class netflow-export-class
(config-pmap-c)# flow-export event-type all destination [NetFlow Auditor IP]
(config)# service-policy global_policy global

The service-policy line must reference the policy-map defined above (global_policy). On most ASAs the default global_policy is already applied globally, in which case the existing service-policy line can stay as it is.

https://www.cisco.com/c/en/us/td/docs/se ... _nsel.html

NetFlow Auditor
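As an added example (not part of this page, and not NetFlow Auditor or Cisco code), the following Python script parses an ASA configuration snippet like the one above and checks it for the points this page raises: a flow-export destination, an active refresh-interval, flow-export syslogs disabled, and class-map, policy-map and service-policy names that line up. The two sample configurations, the 192.0.2.10 collector address and the function names are constructed for the example; the version list is the one stated on this page.

```python
import re

# ASA releases this page lists as carrying "flow-export active refresh-interval"
# (taken from the page; treat as a starting point, not an exhaustive list).
REFRESH_INTERVAL_VERSIONS = {"8.4(5)", "9.1(2)"}

# Constructed sample: the page's commands with the prompts stripped and a
# placeholder collector address.
SAMPLE_OK = """
flow-export destination inside 192.0.2.10 2055
flow-export active refresh-interval 1
flow-export template timeout-rate 1
logging flow-export-syslogs disable
access-list flow_export_acl extended permit ip any any
class-map netflow-export-class
 match access-list flow_export_acl
policy-map global_policy
 class netflow-export-class
  flow-export event-type all destination 192.0.2.10
service-policy global_policy global
"""

# Constructed sample with two common mistakes: no refresh-interval, and a
# service-policy that names a policy-map which was never defined.
SAMPLE_BROKEN = """
(config)# flow-export destination inside 192.0.2.10 2055
(config)# logging flow-export-syslogs disable
(config)# access-list flow_export_acl extended permit ip any any
(config)# class-map netflow-export-class
(config-cmap)# match access-list flow_export_acl
(config)# policy-map global_policy
(config-pmap)# class netflow-export-class
(config-pmap-c)# flow-export event-type all destination 192.0.2.10
(config)# service-policy flow_export_policy global
"""

PROMPT = re.compile(r"^[\w-]*\(config[^)]*\)#\s*")  # strips "(config-pmap-c)# " style prompts


def supports_refresh_interval(version):
    """True if the version is one the page lists as supporting active refresh-interval."""
    return version.strip() in REFRESH_INTERVAL_VERSIONS


def parse_nsel(config_text):
    """Collect the NSEL-related settings from an ASA config snippet (with or without CLI prompts)."""
    s = {"destinations": [], "refresh_interval": None, "template_timeout": None,
         "syslogs_disabled": False, "acls": set(), "class_maps": {},
         "policy_maps": {}, "service_policies": []}
    cmap = pmap = cls = None  # current class-map / policy-map / class context
    for raw in config_text.splitlines():
        line = PROMPT.sub("", raw.strip())
        if not line or line.startswith("!"):
            continue
        if m := re.match(r"flow-export destination (\S+) (\S+) (\d+)$", line):
            s["destinations"].append((m.group(1), m.group(2), int(m.group(3))))
        elif m := re.match(r"flow-export active refresh-interval (\d+)", line):
            s["refresh_interval"] = int(m.group(1))
        elif m := re.match(r"flow-export template timeout-rate (\d+)", line):
            s["template_timeout"] = int(m.group(1))
        elif line == "logging flow-export-syslogs disable":
            s["syslogs_disabled"] = True
        elif m := re.match(r"access-list (\S+) ", line):
            s["acls"].add(m.group(1))
        elif m := re.match(r"class-map (\S+)", line):
            cmap, pmap, cls = m.group(1), None, None
            s["class_maps"][cmap] = None
        elif cmap and (m := re.match(r"match access-list (\S+)", line)):
            s["class_maps"][cmap] = m.group(1)
        elif m := re.match(r"policy-map (\S+)", line):
            pmap, cmap, cls = m.group(1), None, None
            s["policy_maps"].setdefault(pmap, {})
        elif pmap and (m := re.match(r"class (\S+)", line)):
            cls = m.group(1)
            s["policy_maps"][pmap].setdefault(cls, [])
        elif cls and (m := re.match(r"flow-export event-type (\S+) destination (\S+)", line)):
            s["policy_maps"][pmap][cls].append(m.group(1))
        elif m := re.match(r"service-policy (\S+) (global|interface \S+)", line):
            s["service_policies"].append((m.group(1), m.group(2)))
    return s


def check_nsel(config_text, asa_version=None):
    """Return a list of findings; an empty list means the snippet passes the page's checks."""
    s = parse_nsel(config_text)
    findings = []
    if not s["destinations"]:
        findings.append("no flow-export destination configured")
    if s["refresh_interval"] is None:
        findings.append("no active refresh-interval: flows export only at teardown (false peaks)")
    if not s["syslogs_disabled"]:
        findings.append("flow-export syslogs still enabled alongside NetFlow export")
    for name, acl in s["class_maps"].items():
        if acl and acl not in s["acls"]:
            findings.append(f"class-map {name} matches undefined access-list {acl}")
    if not any(ev for classes in s["policy_maps"].values() for ev in classes.values()):
        findings.append("no policy-map class carries flow-export event-type")
    for name, classes in s["policy_maps"].items():
        for c in classes:
            if c != "class-default" and c not in s["class_maps"]:
                findings.append(f"policy-map {name} references undefined class-map {c}")
    applied = {name for name, _ in s["service_policies"]}
    for name in applied - set(s["policy_maps"]):
        findings.append(f"service-policy applies undefined policy-map {name}")
    for name in set(s["policy_maps"]) - applied:
        findings.append(f"policy-map {name} is defined but never applied by service-policy")
    if asa_version and s["refresh_interval"] is not None and not supports_refresh_interval(asa_version):
        findings.append(f"ASA {asa_version} is not listed as supporting active refresh-interval")
    return findings


if __name__ == "__main__":
    for label, cfg in (("ok", SAMPLE_OK), ("broken", SAMPLE_BROKEN)):
        print(label, check_nsel(cfg) or "no findings")
```

Paste the output of `show running-config` (or the configured lines with their prompts) into `check_nsel`; the refresh-interval and name-consistency findings correspond directly to the false-peak and service-policy problems described on this page.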
As long as there are no template mismatches, NetFlow Auditor will automatically recognize the Cisco ASA flows and the device will appear under Devices. After about a minute the Cisco ASA option in the drop-down menu becomes available, and the data can be viewed using the ASA options under the Forensics menu.
Sending the flows via NetFlow and syslog concurrently is not recommended, as this can put undue load on the Cisco ASA.