NetFlow is a Cisco proprietary protocol the primary purpose of which is to collect all IP traffic on and send the traffic as UDP packets to NetFlow collector server(or NetFlow Analyzer). It helps Administrators to analyze network traffic and generate reports on bandwidth usage, traffic volume, conversations etc. It also helps in capacity planning to accommodate future growth.

Initially, NetFlow was introduced in major Cisco routers and core switches to analyze traffic. With growing business needs, more vulnerabilities arose due to security threats on the network led to the birth Cisco Adaptive Security Appliances also known as ASA.

With the facing off of Cisco PIX, it is now an era of Cisco ASA with more enhancements. NSEL (NetFlow Secure Event Logging) support in Cisco ASA helps analyze the traffic pattern and allied security threats which was not available in the earlier Firewall Device (PIX) that supported only Syslog analysis

NSEL reporting is different from regular NetFlow, the NetFlow packets from the Cisco ASA are triggered only when an event is created on the device. The event types that trigger the NetFlow records are:

  • Flow Creation

  • Flow Denial

  • Flow Teardown

Enhanced Report:-

The Cisco ASA NetFlow reporting in NetFlow Analyzer will show the traffic heading to WAN with their LAN IP address as well their corresponding mapped NAT-ed IP address on the Firewall. 

The troubleshooting report for ASA interfaces will show the regular LAN traffic conversation with their corresponding mapped NAT-ed IP address conversation for each interfaces. The report will also show the Event types for each flow.

Points to ponder:

When it comes to Cisco ASA, NetFlow packets are exported based on events triggered on the device and is called NSEL (NetFlow Secure Event logging) which come with some inherent challenges. The information from these NetFlow packets cannot be used for complete bandwidth or capacity planning due to certain differences with traditional NetFlow (ie. IOS NetFlow) export. And these differences pose some limiting factors that one may want to consider, like:

1. The concept of ‘active time out’ and ‘inactive timeout’, which allows flow data export in a timely manner from IOS devices, does not exist for NetFlow packets exported from the Cisco ASA. This removes the possibility of comparing NetFlow statistics with other bandwidth monitoring tools which are based on timely polling for data.

2. NetFlow packets exported from the device is based on events triggered on the device (Flow creation, Denial of traffic etc).

3. The NetFlow packets exported from the Cisco ASA includes bidirectional traffic information which means that the return traffic of an initiated conversation is not accounted as a separate conversation.

Hope there will be some more enhancements to overcome the above said points in the near future. Click here to know how to configure ASA for NetFlow export.

For 30 Day Trial, click Download now.

Thanks and Regards

Praveen Kumar

  1. Pingback: Cisco ASA 8.4(5) and above NetFlow updates

  2. Raj

    Praveen,

    Great blog, You covered the peculiarity of ASA reports in NFA. If possible please add what is the change in ASA CPU footprint when you disable syslog and enable NSEL.

    Thanks
    Raj

  3. Business owners should start using netflow and gaining alot from using it. Great work!

  4. This is great, Netflow is an amazing protocol and not widely known enough about or used enough, I cannot believe the amount of clients who I see who do not harness the power of netflow. This enhancement for the ASA is great. And the Manageengine products still provide great Netflow collectors.

    Roger
    Cisco Support Engineer UK

  5. This is great, Netflow is an amazing protocol and not widely known enough about or used enough, I cannot believe the amount of clients who I see who do not harness the power of netflow. This enhancement for the ASA is great. And the Manageengine products still provide great Netflow collectors.

    Roger
    Cisco Support Engineer UK