There is a wide variety of Cisco ASA NetFlow exports, and the firmware version running on your Cisco ASA determines which one you get, so keep it in mind!

First, the Cisco Adaptive Security Device Manager (ASDM) can be used to configure NetFlow exports on the Cisco ASA. Watch our Cisco ASA NetFlow configuration video for more details.

If your Cisco ASA is running firmware version 8.2.x or later but prior to 8.4(5), it will export NetFlow Security Event Logs (NSEL) using 4 unique Cisco ASA NetFlow templates. Even if you are familiar with NetFlow v5 or v9 from a Cisco router, keep the following Cisco ASA NetFlow problems in mind:

  • Bidirectional flows require a different understanding, since inbound flows include some outbound traffic and vice versa
  • The template architecture is exciting but different: Creation Flows, Teardown Flows, etc., contain duplicate entries and often result in inaccurate reports when combined in a NetFlow analyzer
  • There is no active timeout for long-lived connections, which causes spikes in the trend
  • No ACL Names
  • No Extended Event Descriptions

In 2012, Cisco released Cisco ASA 8.4(5) which behaved more like people wanted it to:

  • The bidirectional flows were fixed. Both directions of the flow are now exported in separate elements, which results in accurate in / out utilization trends.
  • Active Timeout was implemented. Long-lived flows (i.e. longer than 1 minute) are now exported every minute, which prevents spikes in the trends and results in more accurate reports.
  • The firewall event type is exported in a new element. This resulted in a whole bunch of new reports on why flows are created, deleted or denied. We also built a way to tie these events to the ACLs being violated, so you can find out what hosts or protocols are being denied and why.
  • Network Address Translation (NAT) reports. These new reports allow users to find out what an IP address was before and after it was NAT'd.

Notice below that the Cisco ASA NetFlow template contains both octetDeltaCount and octetDeltaCount_rev, making a truly bidirectional flow much like those defined in RFC 5103.

You may be disappointed, however, after upgrading the ASA to version 8.5(1), 8.6(1), 8.7(1), 9.0(1), or 9.1(1). What happened? The bidirectional NetFlow fixes reverted to the old way of doing things, and the flow-export active refresh-interval for 1-minute intervals was broken again.

NSEL

Flow-update events have been introduced to provide periodic byte counters for flow traffic. You can change the time interval during which flow-update events are sent to the NetFlow collector. You can also filter to which collectors flow-update records will be sent. We introduced the command "flow-export active refresh-interval" and modified the command "flow-export event-type." This feature is not available in 8.5(1), 8.6(1), 8.7(1), 9.0(1), or 9.1(1).

Cisco has reported that the ASA NetFlow flow-export active refresh-interval command will be added back in v9.1(2).
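To make the difference between these export styles concrete, the following is an added example (not code from the original post or from any vendor product) that buckets NSEL records into per-minute byte trends. It shows why the lack of an active timeout produces a spike at teardown, how the 8.4(5) flow-update events smooth the trend, and why flow-create records must not be added to the byte totals. The firewallEvent code values, the record layout, and the sample records are assumptions constructed for this example.

```python
"""Per-minute byte trends from Cisco ASA NSEL records (added example).

Constructed records model the export styles the post describes:
  - no active timeout: a long-lived flow is reported only at teardown
  - 8.4(5): flow-update events every minute plus octetDeltaCount_rev
The firewallEvent code values and the rule "create records carry no byte
counters" are assumptions made for this example.
"""
from collections import defaultdict

# NSEL firewallEvent codes (assumed values for this example)
FLOW_CREATED, FLOW_DELETED, FLOW_DENIED, FLOW_ALERT, FLOW_UPDATE = 1, 2, 3, 4, 5


def aggregate(records):
    """Bucket NSEL records into minutes: {minute: {"fwd": b, "rev": b, "denied": n}}.

    Only teardown (flow-delete) and flow-update records carry byte deltas, so
    flow-create records are skipped; counting them too would double report a
    flow when create and teardown records land in the same report.
    octetDeltaCount is initiator->responder, octetDeltaCount_rev is the
    reverse direction (the _rev element exists only on 8.4(5) exports).
    """
    trend = defaultdict(lambda: {"fwd": 0, "rev": 0, "denied": 0})
    for rec in records:
        bucket = trend[rec["ts"] // 60]
        if rec["event"] == FLOW_DENIED:
            bucket["denied"] += 1
        elif rec["event"] in (FLOW_DELETED, FLOW_UPDATE):
            bucket["fwd"] += rec.get("octetDeltaCount", 0)
            bucket["rev"] += rec.get("octetDeltaCount_rev", 0)
        # FLOW_CREATED and FLOW_ALERT carry no byte counters
    return dict(trend)


def series(trend, minutes, key="fwd"):
    """Dense per-minute list for plotting; minutes with no records are zero."""
    return [trend.get(m, {}).get(key, 0) for m in range(minutes)]


def peak_to_average(values):
    """Spike indicator: 1.0 means a perfectly flat trend, higher means a burst."""
    avg = sum(values) / len(values)
    return max(values) / avg if avg else 0.0


def long_lived_flow(with_updates):
    """Constructed records for one 5-minute HTTPS session: 500 kB forward, 50 kB back."""
    base = {"src": "10.1.1.5", "dst": "203.0.113.9", "dport": 443}
    recs = [dict(base, ts=0, event=FLOW_CREATED)]
    if with_updates:  # 8.4(5) style: active refresh-interval of 1 minute
        for minute in range(1, 5):
            recs.append(dict(base, ts=minute * 60, event=FLOW_UPDATE,
                             octetDeltaCount=100_000, octetDeltaCount_rev=10_000))
        recs.append(dict(base, ts=300, event=FLOW_DELETED,
                         octetDeltaCount=100_000, octetDeltaCount_rev=10_000))
    else:  # no active timeout: every byte lands in the teardown record
        recs.append(dict(base, ts=300, event=FLOW_DELETED,
                         octetDeltaCount=500_000, octetDeltaCount_rev=50_000))
    return recs


if __name__ == "__main__":
    for label, flag in (("teardown only", False), ("with flow-update", True)):
        fwd = series(aggregate(long_lived_flow(flag)), 6)
        print(f"{label:17s} fwd bytes/min={fwd} peak/avg={peak_to_average(fwd):.1f}")
```

Running the block prints the two trends side by side: the teardown-only export puts all 500 kB into minute 5 (peak/avg of 6.0), while the export with flow-update events spreads 100 kB across each of minutes 1 to 5 (peak/avg of 1.2). A collector that also summed the flow-create records would report nothing extra here only because they carry no counters; treating them as zero-byte records is what keeps the create/teardown duplication from inflating totals.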

If you are looking to gain access to things like URLs and usernames using the Cisco ASA NetFlow export, you are in luck: NSEL exports can be correlated with Cisco Application Visibility and Control exports, or even proxy logs, to obtain URLs for Cisco ASA NetFlow traffic. NSEL reporting can also be combined with Cisco ASA syslog reporting.

ACLs are exported in Cisco ASA NetFlow (NSEL), but they usually arrive in hex format rather than as names. Some enterprise NetFlow solutions use scripts that extract the ACLs from the ASA on a regular basis, allowing the hex IDs to be correlated with syslogs and NSEL.
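The correlation just described, as an added example that is not code from the original post or from any NetFlow product: a small script that parses an ACL table pulled from the ASA and resolves the hex ACL IDs found in NSEL flow-denied records back to the ACL name and ACE line. It assumes that the NSEL ACL ID is 12 bytes made of three big-endian 4-byte hashes (ACL, ACE, extended ACE), that an all-zero ID means no ACL was involved, and that `show access-list` prints each ACE followed by its hash as a trailing `0x` value matching the middle (ACE) hash; those assumptions, the function names, and the sample `show access-list` output and NSEL record are constructed for this example.

```python
"""Resolve the hex ACL IDs in Cisco ASA NSEL records (added example).

Assumptions made for this example (not stated in the post):
  - the NSEL ingress/egress ACL ID is 12 bytes: three big-endian 4-byte
    hashes for the ACL, the ACE and the extended ACE, all zero when no ACL
    was involved
  - `show access-list` prints every ACE with its hash as a trailing 0x........
    value, and that value is the middle (ACE) hash in the NSEL field
The `show access-list` output and the NSEL record below are constructed.
"""
import re

# Constructed `show access-list` output, as a periodic extraction script would pull it
SHOW_ACCESS_LIST = """\
access-list outside_in; 2 elements; name hash: 0x11111111
access-list outside_in line 1 extended permit tcp any host 10.1.1.5 eq https (hitcnt=1204) 0x1a2b3c4d
access-list outside_in line 2 extended deny ip any any log (hitcnt=88) 0x9e8d7c6b
access-list inside_out; 1 elements; name hash: 0x22222222
access-list inside_out line 1 extended permit ip 10.1.1.0 255.255.255.0 any (hitcnt=5531) 0x0f1e2d3c
"""

ACE_RE = re.compile(
    r"^access-list (?P<acl>\S+) line (?P<line>\d+) (?P<ace>.+?) "
    r"\(hitcnt=\d+\) 0x(?P<hash>[0-9a-fA-F]{8})\s*$")


def parse_show_access_list(text):
    """Map ACE hash (int) -> {acl, line, ace}; ACL header lines are ignored."""
    table = {}
    for line in text.splitlines():
        m = ACE_RE.match(line)
        if m:
            table[int(m["hash"], 16)] = {
                "acl": m["acl"], "line": int(m["line"]), "ace": m["ace"]}
    return table


def split_acl_id(acl_id_hex):
    """Split the 24-hex-char NSEL ACL ID into (acl_hash, ace_hash, ext_ace_hash)."""
    raw = bytes.fromhex(acl_id_hex)
    if len(raw) != 12:
        raise ValueError(f"ACL ID must be 12 bytes, got {len(raw)}")
    return tuple(int.from_bytes(raw[i:i + 4], "big") for i in (0, 4, 8))


def resolve_acl_id(acl_id_hex, table):
    """Return the ACE an NSEL ACL ID points at, None when no ACL was involved.

    An ID whose ACE hash is not in the table still returns a dict (with acl
    None) so the report can show a stale-table condition instead of dropping it.
    """
    acl_hash, ace_hash, _ext = split_acl_id(acl_id_hex)
    if acl_hash == 0 and ace_hash == 0:
        return None  # all zeroes: no ACL involved (assumed encoding)
    hit = table.get(ace_hash)
    if hit is None:
        return {"acl": None, "line": None, "ace": f"unknown ACE hash 0x{ace_hash:08x}"}
    return dict(hit)


def describe_denied(record, table):
    """One-line explanation of a flow-denied NSEL record for a report."""
    hit = resolve_acl_id(record["ingressAclId"], table)
    if hit is None:
        where = "no ACL involved"
    elif hit["acl"] is None:
        where = hit["ace"]
    else:
        where = f"{hit['acl']} line {hit['line']} ({hit['ace']})"
    return f"{record['src']} -> {record['dst']}:{record['dport']} denied by {where}"


if __name__ == "__main__":
    table = parse_show_access_list(SHOW_ACCESS_LIST)
    # Constructed flow-denied record: ACL hash + ACE hash + extended ACE hash
    denied = {"src": "198.51.100.7", "dst": "10.1.1.5", "dport": 22,
              "ingressAclId": "11111111" + "9e8d7c6b" + "00000000"}
    print(describe_denied(denied, table))
```

Because the ASA re-hashes ACEs when an ACL is edited, the table has to be refreshed on the same schedule the post mentions; the unknown-hash branch is there so a denied flow that points at a hash not yet in the table is still reported rather than silently dropped.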

If you have further questions on Cisco ASA NetFlow and its capabilities, reach out to the leader in NetFlow.