Saturday, March 13, 2021

Configuring NetFlow (NSEL) in a Cisco ASA Firewall

Here's a nice Cisco link for configuring NetFlow Secure Event Logging (NSEL) in a Cisco ASA Firewall. The Cisco ASA supports NetFlow version 9.

ciscoasa# configure terminal

ciscoasa(config)# flow-export ?

configure mode commands/options:
  active       Configure Netflow parameters for active connections
  delay        Configure delay for exporting NetFlow events
  destination  Configure a destination to which NetFlow records will be sent
  enable       Enable the export of flow information through NetFlow
               (deprecated)
  template     Specify the template specific configurations
ciscoasa(config)# flow-export destination ?

configure mode commands/options:
Current available interface(s):
  inside       Name of interface GigabitEthernet0/1
  outside      Name of interface GigabitEthernet0/0
ciscoasa(config)# flow-export destination inside ?

configure mode commands/options:
  Hostname or A.B.C.D  Destination IP address or name
ciscoasa(config)# flow-export destination inside 192.168.1.6 ?

configure mode commands/options:
  <1-65535>  UDP port number
ciscoasa(config)# flow-export destination inside 192.168.1.6 2055

ciscoasa(config)# flow-export template ?

configure mode commands/options:
  timeout-rate  Specify the time before templates are resent
ciscoasa(config)# flow-export template timeout-rate ?

configure mode commands/options:
  <1-3600>  Timeout in minutes (default 30 minutes)
ciscoasa(config)# flow-export template timeout-rate 5   // DEFAULT IS 30 MINS

ciscoasa(config)# flow-export delay ?

configure mode commands/options:
  flow-create  Specify delay after which flow creation event will be exported
ciscoasa(config)# flow-export delay flow-create ?

configure mode commands/options:
  <1-180>  Delay in seconds
ciscoasa(config)# flow-export delay flow-create 60

WARNING: The current delay flow-create value configuration may cause flow-update events to appear before flow-creation event.    // JUST A WARNING FOR 5 SECOND DIFFERENCE WITH flow-export active refresh-interval VALUE

ciscoasa(config)# policy-map global_policy
ciscoasa(config-pmap)#  class class-default   // MATCH ALL TRAFFIC
ciscoasa(config-pmap-c)#  flow-export event-type all destination 192.168.1.6
ciscoasa(config-pmap-c)# end

ciscoasa# show run flow
flow-export destination inside 192.168.1.6 2055
flow-export template timeout-rate 5
flow-export delay flow-create 60

ciscoasa# show run policy-map
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
  no tcp-inspection
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect xdmcp
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect pptp
  inspect sip  
 class tcp-traffic
  set connection advanced-options allow-probes
 class class-default
  flow-export event-type all destination 192.168.1.6

policy-map dynamic-filter_snoop_policy
 class dynamic-filter_snoop_class
  inspect dns dynamic-filter-snoop
!
ciscoasa# write memory
Building configuration...
Cryptochecksum: 9efb8040 ea39e168 2f4ab26e 3f75b246

105044 bytes copied in 1.210 secs (105044 bytes/sec)
[OK]

ciscoasa# show flow-export ?

  counters  Display flow-export run-time counters
ciscoasa# show flow-export counters

destination: inside 192.168.1.6 2055
  Statistics:
    packets sent                                             5514
  Errors:
    block allocation failure                                    0
    invalid interface                                           0
    template send failure                                       0
    no route to collector                                       0
    failed to get lock on block                                 0
    source port allocation failure                              0
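The 5514 packets counted above are NetFlow v9 datagrams sent to UDP 2055 on 192.168.1.6, and a collector can only decode the data records inside them once it has received the template that describes their layout. That is what `flow-export template timeout-rate` controls: a collector that starts (or restarts) between template refreshes is blind until the next template arrives, so a low rate such as the 5 minutes set above shortens that window. The decoder below is an added example written for this post, not code from the original article or from Cisco; it replays the out-of-order case (data before template) with a constructed two-record packet. The hosts, ports, source id and template id 256 are made-up sample values; field types 8/12/7/11/4 are the standard NetFlow v9 IPv4 address, port and protocol elements, and 233 is the IPFIX/NSEL `firewallEvent` element whose value meanings follow Cisco's NSEL documentation.

```python
import socket
import struct

# Standard NetFlow v9 field types used by the sample template; 233 is the
# IPFIX/NSEL "firewallEvent" element (values per Cisco NSEL documentation).
FIELD_NAMES = {4: "proto", 7: "src_port", 8: "src_ip", 11: "dst_port",
               12: "dst_ip", 233: "fw_event"}
FW_EVENT = {0: "ignore", 1: "flow-created", 2: "flow-deleted",
            3: "flow-denied", 4: "flow-alert", 5: "flow-update"}
SAMPLE_FIELDS = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (233, 1)]


class NetFlowV9Decoder:
    """Data records are decodable only after the matching template
    (keyed by exporter source id + template id) has been received."""

    def __init__(self):
        self.templates = {}
        self.undecodable = 0  # data flowsets dropped for lack of a template

    def decode(self, packet):
        version, _cnt, _uptime, _secs, _seq, source_id = struct.unpack(
            "!HHIIII", packet[:20])
        if version != 9:
            raise ValueError("not a NetFlow v9 packet")
        records, off = [], 20
        while off + 4 <= len(packet):
            fs_id, fs_len = struct.unpack("!HH", packet[off:off + 4])
            if fs_len < 4:
                break  # malformed length: stop instead of looping forever
            body = packet[off + 4:off + fs_len]
            if fs_id == 0:
                self._parse_templates(source_id, body)
            elif fs_id >= 256:
                records.extend(self._parse_data(source_id, fs_id, body))
            off += fs_len
        return records

    def _parse_templates(self, source_id, body):
        p = 0
        while p + 4 <= len(body):
            tid, n = struct.unpack("!HH", body[p:p + 4])
            p += 4
            if n == 0 or p + 4 * n > len(body):
                break
            self.templates[(source_id, tid)] = [
                struct.unpack("!HH", body[p + 4 * i:p + 4 * i + 4]) for i in range(n)]
            p += 4 * n

    def _parse_data(self, source_id, tid, body):
        fields = self.templates.get((source_id, tid))
        if fields is None:
            self.undecodable += 1
            return []
        rec_len = sum(length for _, length in fields)
        out, p = [], 0
        while p + rec_len <= len(body):  # leftover bytes < rec_len are padding
            rec = {}
            for ftype, flen in fields:
                raw = body[p:p + flen]
                p += flen
                name = FIELD_NAMES.get(ftype, "field%d" % ftype)
                if ftype in (8, 12):
                    rec[name] = socket.inet_ntoa(raw)
                elif ftype == 233:
                    rec[name] = FW_EVENT.get(raw[0], "unknown")
                else:
                    rec[name] = int.from_bytes(raw, "big")
            out.append(rec)
        return out


def _header(count, seq, source_id):
    # version, record count, sysUptime (ms), unix secs, sequence, source id
    return struct.pack("!HHIIII", 9, count, 120000, 1615593600, seq, source_id)


def build_template_packet(source_id, template_id, fields, seq):
    body = struct.pack("!HH", template_id, len(fields))
    body += b"".join(struct.pack("!HH", t, l) for t, l in fields)
    return _header(1, seq, source_id) + struct.pack("!HH", 0, 4 + len(body)) + body


def build_data_packet(source_id, template_id, records, seq):
    body = b"".join(records)
    pad = (-len(body)) % 4  # flowsets are padded to a 4-byte boundary
    flowset = struct.pack("!HH", template_id, 4 + len(body) + pad) + body + b"\0" * pad
    return _header(len(records), seq, source_id) + flowset


def nsel_record(src_ip, dst_ip, src_port, dst_port, proto, event):
    """One record laid out per SAMPLE_FIELDS (constructed sample data)."""
    return (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
            + struct.pack("!HHBB", src_port, dst_port, proto, event))


def demo():
    """Data packet arrives first (undecodable), then template, then data again."""
    dec = NetFlowV9Decoder()
    data = build_data_packet(1, 256, [
        nsel_record("192.168.1.50", "10.0.0.5", 51234, 443, 6, 1),
        nsel_record("192.168.1.50", "10.0.0.5", 51234, 443, 6, 2)], seq=2)
    tmpl = build_template_packet(1, 256, SAMPLE_FIELDS, seq=1)
    before = dec.decode(data)   # [] because template 256 is still unknown
    dec.decode(tmpl)
    after = dec.decode(data)    # two decoded NSEL records
    return before, dec.undecodable, after


if __name__ == "__main__":
    for rec in demo()[2]:
        print(rec)
```

To run it against the ASA itself, bind a UDP socket on port 2055 on the collector host and feed each `recvfrom()` datagram to `decode()`; watch `undecodable` climb right after a collector restart and drop to a steady value once the first template refresh lands, which is the delay the `timeout-rate` setting bounds.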
 

Below is a snippet of the output in Solarwinds' NetFlow Traffic Analyzer (NTA).


There's no increase in ASA CPU utilization observed after NetFlow was enabled.

ciscoasa# show cpu usage
CPU utilization for 5 seconds = 4%; 1 minute: 4%; 5 minutes: 4%


ciscoasa# show processes cpu-usage 
Hardware:   ASA5515
Cisco Adaptive Security Appliance Software Version 9.8(4)10
ASLR enabled, text region 7f6204493000-7f6208801234
PC         Thread       5Sec     1Min     5Min   Process
0x0000560200394ce3   0x00007f4ac6ad7880     0.0%     0.0%     0.0%   zone_background_idb
0x00005602010644ed   0x00007f4ac6acce20     0.0%     0.0%     0.0%   webvpn_task
0x00005601ffbb58c8   0x00007f4ac6af27e0     0.0%     0.0%     0.0%   WebVPN KCD Process
0x0000560200ec7b92   0x00007f4ac6ad9920     0.0%     0.0%     0.0%   vpnlb_timer_thread
0x0000560200ec7dca   0x00007f4ac6adf020     0.0%     0.0%     0.0%   vpnlb_thread
0x0000560200eab718   0x00007f4ac6abf840     0.0%     0.0%     0.0%   vpnfol_thread_unsent
0x0000560200eab5c5   0x00007f4ac6abff80     0.0%     0.0%     0.0%   vpnfol_thread_timer
0x0000560200eab058   0x00007f4ac6abfbe0     0.0%     0.0%     0.0%   vpnfol_thread_sync
0x0000560200eaac2f   0x00007f4ac6ac0320     0.0%     0.0%     0.0%   vpnfol_thread_msg
0x00005601ff7f61e8   0x00007f4ac6ad3000     0.0%     0.0%     0.0%   VPN director state sync

 <OUTPUT TRUNCATED>

ciscoasa# show processes cpu-usage | exclude 0.0
Hardware:   ASA5515
Cisco Adaptive Security Appliance Software Version 9.8(4)10
PC         Thread       5Sec     1Min     5Min   Process
   -          -         4.6%     3.9%     4.1%   DATAPATH-0-1386

 <OUTPUT TRUNCATED>