09-21-2016 04:24 PM - edited 02-21-2020 05:55 AM
Hi,
Is it a good idea enabling netflow on asa 5585 ?
What are the pros and cons
how can I enable it ?
Thanks
09-21-2016 05:48 PM
It depends on your collector and what your expectations are.
ASAs export Netflow only in NSEL format. If your collector doesn't support that, the records will be useless to you. Ironically Cisco Prime Infrastructure does not support NSEL.
ASAs also only generate records when the session or flow ends. This can lead to misleading conclusions when there are long-lived or interrupted sessions.
They are also limited in their ability to support all the optional record types you can do on a router or high-end switch using true Netflow v9 (without NSEL). If you have one of those, it's a better choice than an ASA.
All that said, it can be useful. We use it in our office with PRTG as the collector and it works pretty well for a free product.
How to configure it is explained at great length here: http://www.cisco.com/c/en/us/td/docs/security/asa/special/netflow/guide/asa_netflow.html
10-04-2016 11:13 AM
Hello muhsi!
If your network design and capacity planning allow for it, enabling NetFlow (actually NSEL) on the ASA is generally very useful.
Cisco NSEL (Network Secure Event Logging) was developed for the ASA to take advantage of the NetFlow specification to supply NetFlow Collectors and NetFlow based analytics solutions with valuable data that the ASA often contains. It does this by using information usually found in the Syslog output.
For example, if you are using your ASA as a traditional Firewall, NSEL will report on Firewall connection table contents; essentially reporting on what is going in and coming out of the Firewall.
If your ASA is configured as a NAT gateway to your network, NSEL reports on the address translations. NSEL allows NetFlow based solutions to 'see through' a NAT.
The caution I'd offer is to plan for enabling NSEL. By enabling the feature, the NSEL process will start using some processor and memory. Make sure that your ASA, when running, has processor and memory available. Also consider that NSEL exports data from the ASA. Make sure that the interface you select to export NSEL data is not near capacity, or use a dedicated management or logging interface.
I hope this helps!
Brian
Brian Ford | Technical Marketing Engineer | Cisco Security Business Group | @ccie2106
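The two answers above describe what to enable and what to watch for (a dedicated export interface, CPU/memory headroom, a collector that understands NSEL). The following ASA configuration is an added example, not from either poster or from the linked Cisco guide; it assumes an interface named "management", a collector at 192.0.2.50 (a documentation address) on UDP 2055, and the default global_policy. The ACL, class-map, and collector values are placeholders to replace with your own.

```cisco
! Added example (not from the thread): minimal NSEL export on an ASA.
! Assumptions: a dedicated interface named "management" and a collector at
! 192.0.2.50 listening on UDP 2055 (documentation address, replace with yours).
!
! 1. Send flow records out the dedicated interface, not a busy data interface,
!    so export traffic does not compete with production throughput.
flow-export destination management 192.0.2.50 2055
!
! 2. Re-send templates every minute so the collector can decode records after
!    it restarts (NSEL is NetFlow v9; data records are useless without templates).
flow-export template timeout-rate 1
!
! 3. Select the traffic to report on. "any any" exports every connection;
!    narrow the ACL if CPU/memory headroom on the ASA is limited.
access-list NSEL_EXPORT_ACL extended permit ip any any
class-map NSEL_EXPORT_CLASS
 match access-list NSEL_EXPORT_ACL
!
! 4. Attach the class to the global policy so NSEL covers every interface.
!    (global_policy is already applied with "service-policy global_policy global"
!    on a default ASA configuration.)
policy-map global_policy
 class NSEL_EXPORT_CLASS
  flow-export event-type all destination 192.0.2.50
!
! 5. Stop emitting the connection syslogs that NSEL already carries
!    (302013-302016 and related IDs) to save CPU. Leave this out if a SIEM
!    still depends on those syslog IDs.
logging flow-export-syslogs disable
```

After applying it, `show flow-export counters` should show the packets-sent counter increasing as connections are created and torn down; a collector that stays silent while the counter climbs usually means it is not decoding the NSEL templates, which is the compatibility problem the first answer warns about.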