
enabling netflow on asa 5585 ssp10

muhsi_2015
Level 1

Hi,

Is it a good idea enabling NetFlow on an ASA 5585?

What are the pros and cons?

How can I enable it?

Thanks

2 Replies

Marvin Rhoads
Hall of Fame

It depends on your collector and what your expectations are.

ASAs export NetFlow only in NSEL format. If your collector doesn't support that, the records will be useless to you. Ironically, Cisco Prime Infrastructure does not support NSEL.

ASAs also only generate records when the session or flow ends. This can lead to misleading conclusions when there are long-lived or interrupted sessions.

They are also limited in their ability to support all the optional record types you can do on a router or high-end switch using true NetFlow v9 (without NSEL). If you have one of those, it's a better choice than an ASA.

All that said, it can be useful. We use it in our office with PRTG as the collector and it works pretty well for a free product.

How to configure it is explained at great length here: http://www.cisco.com/c/en/us/td/docs/security/asa/special/netflow/guide/asa_netflow.html

brford
Cisco Employee

Hello muhsi!

If your network design and capacity planning allow for it, enabling NetFlow (actually NSEL) on the ASA is generally very useful.

Cisco NSEL (Network Secure Event Logging) was developed for the ASA to take advantage of the NetFlow specification to supply NetFlow collectors and NetFlow-based analytics solutions with valuable data that the ASA often contains. It does this by using information usually found in the syslog output.

For example, if you are using your ASA as a traditional firewall, NSEL will report on firewall connection table contents; essentially reporting on what is going in and coming out of the firewall.

If your ASA is configured as a NAT gateway to your network, NSEL reports on the address translations. NSEL allows NetFlow-based solutions to 'see through' a NAT.

The caution I'd offer is to plan for enabling NSEL. By enabling the feature, the NSEL process will start using some processor and memory. Make sure that your ASA, when running, has processor and memory available. Also consider that NSEL exports data from the ASA. Make sure that the interface you select to export NSEL data is not near capacity, or use a dedicated management or logging interface.

I hope this helps!

Brian

Brian Ford  |  Technical Marketing Engineer  | Cisco Security Business Group  |  @ccie2106

Brian Ford | brford@cisco.com | brford@yahoo.com | 51 75 61 6c 69 74 79 20 6d 65 61 6e 73 20 64 6f 69 6e 67 20 69 74 20 72 69 67 68 74 20 77 68 65 6e 20 6e 6f 20 6f 6e 65 20 69 73 20 6c 6f 6f 6b 69 6e 67 2e | Email me when you figure this out.
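The following ASA configuration is an added example answering the "how can I enable it?" part of the question; it is not taken from either reply or from the Cisco guide Marvin links, and it follows Brian's advice to export over a dedicated management interface and to limit what NSEL has to process. The collector address 192.0.2.10, UDP port 2055, the interface name "management", the 10.0.0.0/8 inside range and the object names are assumptions for illustration. The `flow-export delay flow-create` and `flow-export active refresh-interval` commands assume a release that supports flow-create delay and flow-update events; omit them on older code.

```cisco
! Added example, not from the thread above. Assumes a NetFlow collector at
! 192.0.2.10 (hypothetical) listening on UDP 2055 and reachable through the
! ASA interface named "management".

! 1. Export destination. Using the management interface keeps NSEL export
!    traffic off production data-plane interfaces.
flow-export destination management 192.0.2.10 2055

! 2. Re-send the NSEL templates every minute so a collector that restarts
!    mid-stream can decode records without waiting for the 30-minute default.
flow-export template timeout-rate 1

! 3. Delay flow-create events by 15 seconds. Connections shorter than that
!    produce only a teardown record, which cuts export volume noticeably.
flow-export delay flow-create 15

! 4. Emit a flow-update record every minute for long-lived connections so the
!    collector is not blind until the session finally ends.
flow-export active refresh-interval 1

! 5. NSEL carries the same data as the connection and NAT syslogs (for
!    example 302013-302016, 106023, 313001). Once the collector is confirmed
!    to be receiving records, stop generating those syslogs to save CPU.
logging flow-export-syslogs disable

! 6. Scope the export. Matching only the traffic of interest keeps the NSEL
!    process small; using class-default would export every connection.
access-list nsel_export_acl extended permit ip 10.0.0.0 255.0.0.0 any
access-list nsel_export_acl extended permit ip any 10.0.0.0 255.0.0.0
class-map nsel_export_class
 match access-list nsel_export_acl

! 7. Attach the export action to the global policy. "all" covers flow-create,
!    flow-teardown, flow-denied and flow-update events; pick individual types
!    if the collector only needs, say, denied flows.
policy-map global_policy
 class nsel_export_class
  flow-export event-type all destination 192.0.2.10
service-policy global_policy global
```

After applying it, `show running-config flow-export` confirms the settings and `show flow-export counters` shows packets sent to the collector together with any drops or errors; compare `show cpu usage` and `show memory` before and after enabling the feature to see the cost Brian mentions. Keep `logging flow-export-syslogs` enabled until the collector is verified, since once those syslogs are off the NSEL stream is your only record of those connections.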