Cisco ASA 5525-X Adaptive Security Appliance
Cisco ASA NetFlow Implementation Guide
About NSEL
NSEL Collectors
Each ASA establishes its own connection to the collector(s). The fields in the header of the export packet
include the system up time and UNIX time (synchronized across the cluster). These fields are all local
to an individual ASA. The NSEL collector uses the combination of the source IP address and source port
of the packet to separate different exporters.
Each ASA manages and advertises its template independently. Because the ASA supports in-cluster
upgrades, different units may run different image versions at a certain point in time. As a result, the
template that each ASA supports may be different.
Bidirectional Flows
Most bidirectional flows are already assembled internally and are considered a single flow. The flow
records reported by NSEL on the ASAs describe both directions of the flow. The data records explicitly
define the source (initiator) and destination (responder) of the connection, and you can use this
information to determine the direction of flow, if required by collector applications. In addition, some
NSEL records include two byte counter fields, NF_F_FWD_FLOW_DELTA_BYTES and
NF_F_REV_FLOW_DELTA_BYTES, which provide direction-specific traffic data.
Template Updates
RFC 3954, Cisco Systems NetFlow Services Export Version 9, states that templates may be sent to the
user either at regular time intervals or after a set number of data records have been exported. These
update intervals must be configurable. This implementation supports template updates by time interval
only. Template updates based on the number of data records are not supported.
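The three behaviours described above (exporters told apart by source IP and port, templates advertised independently per ASA, and templates refreshed only on a timer) all fall on the collector. The following added example, which is not code from this guide or from Cisco, shows a minimal NetFlow v9 receiver that keys its template cache per exporter and holds data records that arrive before their template until the next timed template refresh, rather than decoding them against another unit's layout. The element IDs for the two direction-specific counters (231 and 232) are taken from the NSEL field table; the packets, addresses and byte counts are constructed here for the demonstration.

```python
import socket
import struct
from collections import defaultdict

# NetFlow v9 / NSEL element IDs. 231/232 are the NSEL counters named in the text
# (NF_F_FWD_FLOW_DELTA_BYTES / NF_F_REV_FLOW_DELTA_BYTES); the others are standard v9 IDs.
IPV4_SRC_ADDR, IPV4_DST_ADDR = 8, 12
L4_SRC_PORT, L4_DST_PORT = 7, 11
NF_F_FWD_FLOW_DELTA_BYTES, NF_F_REV_FLOW_DELTA_BYTES = 231, 232


class NselCollector:
    """Keeps one template cache per exporter and buffers data seen before its template."""

    def __init__(self):
        # (exporter_ip, exporter_port, source_id, template_id) -> [(field_id, length), ...]
        # The guide keys exporters on source IP/port; source_id is added per RFC 3954.
        self.templates = {}
        self.pending = defaultdict(list)   # exporter -> [(template_id, raw flowset body)]
        self.flows = []
        self.dropped = 0

    def receive(self, src_ip, src_port, packet):
        version, _count, _uptime, _unix, _seq, source_id = struct.unpack("!HHIIII", packet[:20])
        if version != 9:
            raise ValueError("not a NetFlow v9 packet")
        exporter = (src_ip, src_port, source_id)
        off = 20
        while off + 4 <= len(packet):
            set_id, length = struct.unpack("!HH", packet[off:off + 4])
            if length < 4:
                break
            body = packet[off + 4:off + length]
            if set_id == 0:                       # template flowset
                self._parse_templates(exporter, body)
                self._replay_pending(exporter)    # a refresh may unblock buffered records
            elif set_id >= 256:                   # data flowset, template_id == set_id
                self._parse_data(exporter, set_id, body, buffer_if_unknown=True)
            off += length

    def _parse_templates(self, exporter, body):
        pos = 0
        while pos + 4 <= len(body):
            tid, nfields = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            if nfields == 0:                      # trailing padding
                break
            fields = []
            for _ in range(nfields):
                fields.append(struct.unpack("!HH", body[pos:pos + 4]))
                pos += 4
            self.templates[exporter + (tid,)] = fields

    def _parse_data(self, exporter, tid, body, buffer_if_unknown):
        fields = self.templates.get(exporter + (tid,))
        if fields is None:
            if buffer_if_unknown:
                self.pending[exporter].append((tid, body))   # wait for the timed template update
            else:
                self.dropped += 1
            return
        reclen = sum(flen for _, flen in fields)
        pos = 0
        while reclen and pos + reclen <= len(body):
            rec = {}
            for fid, flen in fields:
                rec[fid] = body[pos:pos + flen]
                pos += flen
            self.flows.append(self._to_flow(exporter, rec))

    def _replay_pending(self, exporter):
        for tid, body in self.pending.pop(exporter, []):
            self._parse_data(exporter, tid, body, buffer_if_unknown=False)

    @staticmethod
    def _to_flow(exporter, rec):
        u = lambda fid: int.from_bytes(rec[fid], "big") if fid in rec else None
        ip = lambda fid: socket.inet_ntoa(rec[fid]) if fid in rec else None
        fwd, rev = u(NF_F_FWD_FLOW_DELTA_BYTES), u(NF_F_REV_FLOW_DELTA_BYTES)
        # Source = initiator, destination = responder, as the NSEL record defines them.
        return {"exporter": exporter,
                "initiator": (ip(IPV4_SRC_ADDR), u(L4_SRC_PORT)),
                "responder": (ip(IPV4_DST_ADDR), u(L4_DST_PORT)),
                "fwd_bytes": fwd, "rev_bytes": rev, "total_bytes": (fwd or 0) + (rev or 0)}


# --- constructed packets for the demonstration (not captured from a real ASA) ---
def build_packet(source_id, flowsets, seq=1):
    return struct.pack("!HHIIII", 9, len(flowsets), 1000, 1700000000, seq, source_id) + b"".join(flowsets)

def template_flowset(tid, fields):
    body = struct.pack("!HH", tid, len(fields)) + b"".join(struct.pack("!HH", f, l) for f, l in fields)
    return struct.pack("!HH", 0, 4 + len(body)) + body

def data_flowset(tid, records):
    body = b"".join(records)
    return struct.pack("!HH", tid, 4 + len(body)) + body

TEMPLATE_A = [(IPV4_SRC_ADDR, 4), (L4_SRC_PORT, 2), (IPV4_DST_ADDR, 4), (L4_DST_PORT, 2),
              (NF_F_FWD_FLOW_DELTA_BYTES, 4), (NF_F_REV_FLOW_DELTA_BYTES, 4)]

def demo():
    c = NselCollector()
    rec_a = (socket.inet_aton("10.1.1.5") + struct.pack("!H", 51000) +
             socket.inet_aton("192.0.2.10") + struct.pack("!H", 443) + struct.pack("!II", 1200, 48000))
    # Unit A: data record arrives before its template, so it must wait for the timed refresh.
    c.receive("10.0.0.1", 2055, build_packet(0, [data_flowset(256, [rec_a])]))
    early = len(c.flows)
    c.receive("10.0.0.1", 2055, build_packet(0, [template_flowset(256, TEMPLATE_A)]))
    # Unit B reuses template ID 256 with a different layout (different image); it is cached separately.
    template_b = [(IPV4_SRC_ADDR, 4), (IPV4_DST_ADDR, 4), (NF_F_FWD_FLOW_DELTA_BYTES, 4)]
    rec_b = socket.inet_aton("10.1.1.9") + socket.inet_aton("192.0.2.20") + struct.pack("!I", 700)
    c.receive("10.0.0.2", 2055, build_packet(0, [template_flowset(256, template_b), data_flowset(256, [rec_b])]))
    return early, c.flows
```

Running `demo()` decodes no flow until unit A's template arrives, then yields the buffered record with 49200 bytes in total and unit B's record decoded against B's own layout despite the shared template ID. A production collector would also expire buffered data after a bounded time, since the guide makes the template refresh interval a matter of configuration on each ASA.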
Options Template and Data Records
No options template or data records will be exported. Some fields are supported by show commands in
the CLI. Collector applications must issue show commands to obtain additional information about
certain fields. In addition, collectors must have unique hostnames and IP addresses; otherwise, the
inspection behavior will be unpredictable.
Observation Point and Observation Domain
The ASA is an Observation Domain, with each interface also an Observation Point. Flows that are
created through all interfaces are exported, and no option exists to limit or filter the exported data to a
specific set of interfaces. Flows that are created by external devices that connect to the ASA are also
exported.
Flow Filtering
Only records for certain flows may need to be exported. For example, the ASA can generate NSEL
events for flows that match an ACE. You can use this method to restrict the number of NSEL events that
are generated for NetFlow. This implementation supports the filtering of NSEL events based on traffic
and event type through Modular Policy Framework, with records sent to different collectors.