MARS and the new ASA version 8.2

delawarecity · ‎05-18-2009

Can MARS parse the NSEL (netflow) output from a version 8.2 ASA appliance?

Should I send the output to MARS or wait for a MARS update?

Farrukh Haroon · ‎05-20-2009

Yes it does, please check Table 2 on the following link:

http://www.cisco.com/en/US/docs/security/security_management/cs-mars/6.0/compatibility/local_controller/dtlc60x.html

Please rate if helpful.

Regards

Farrukh

delawarecity · ‎05-20-2009

Thanks for reply.

I forgot that the higher end ASA models were able to generate netflows at the 8.1 level. I guess the capability to parse v9 netflow was probably added to MARS at that time. The lower end models only received that capability in version 8.2. Since there was no 8.2 version to select in MARS, I wasn't sure if it would work correctly.

Farrukh Haroon · ‎05-20-2009

Are you sure that 8.2 supports netflow for the lower ASA models? I don't see this mentioned in the release notes:

http://www.cisco.com/en/US/docs/security/asa/asa82/release/notes/asarn82.html#wp229690

Regards

Farrukh

delawarecity · ‎05-20-2009

Check this link:

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/product_bulletin_c25-526545.html

Cut and paste from article:

Cisco NetFlow Secure Event Logging: This feature was originally introduced on the Cisco ASA 5580, and is now extended to other Cisco ASA models to provide administrators with more comprehensive event logging information.

Farrukh Haroon · ‎05-20-2009

Ahh ok, I hope its true :)

Thanks for the link.

Regards

Farrukh

delawarecity · ‎05-21-2009

Update:

I just received my first reports based on the netflow data from our ASA 5510. The ASA is generating netflow and MARS is parsing it correctly.

Farrukh Haroon · ‎05-21-2009

Thanks for the update :)

Regards

Farrukh