Cisco ASA 5505 Adaptive Security Appliance

Cisco ASA NetFlow Implementation Guide
 
  About NSEL
Delays for Flow Creation Events
For short-lived flows, NSEL collection devices benefit from processing a single event instead of two events: flow-create and flow-teardown. A configurable CLI parameter is therefore provided to delay the sending of the flow-create event. If the timer fires, the flow-create event is sent. However, if the flow is torn down before the timer expires, only the flow-teardown event is sent; no flow-create event is sent.
The flow-teardown event is extended and includes all information regarding the flow; no information is lost. New templates are introduced to accommodate the extended flow-teardown events.
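
The collector-side consequence of the delay described above, as an added example that is not part of the Cisco guide: flows are correlated by NF_F_CONN_ID, and a flow whose only record is a teardown is still reconstructed. The records are constructed, already-decoded dictionaries; the `event` label, the function names, and the presence of NF_F_FLOW_CREATE_TIME_MSEC in the extended flow-teardown record are assumptions.

```python
# Added example (not from the Cisco guide): correlate decoded NSEL records by
# NF_F_CONN_ID so short-lived flows that only produce a teardown are not lost.
# Assumptions: records are already decoded into dicts; "event" is a label set by
# a hypothetical decoder; the extended teardown carries NF_F_FLOW_CREATE_TIME_MSEC.

# Constructed sample, in export order: flow 102 ended before the delay timer
# fired (teardown only), the create for 101 was exported 10 s after the flow
# started, and 103 is still open.
SAMPLE = [
    {"event": "flow-teardown", "NF_F_CONN_ID": 102,
     "NF_F_EVENT_TIME_MSEC": 2350, "NF_F_FLOW_CREATE_TIME_MSEC": 2000},
    {"event": "flow-create", "NF_F_CONN_ID": 101,
     "NF_F_EVENT_TIME_MSEC": 11000, "NF_F_FLOW_CREATE_TIME_MSEC": 1000},
    {"event": "flow-create", "NF_F_CONN_ID": 103,
     "NF_F_EVENT_TIME_MSEC": 15000, "NF_F_FLOW_CREATE_TIME_MSEC": 5000},
    {"event": "flow-teardown", "NF_F_CONN_ID": 101,
     "NF_F_EVENT_TIME_MSEC": 61000, "NF_F_FLOW_CREATE_TIME_MSEC": 1000},
]


def correlate(events):
    """Return (closed, still_open): finished flow records and conn_id -> create record."""
    still_open, closed = {}, []
    for ev in events:
        cid = ev["NF_F_CONN_ID"]
        if ev["event"] == "flow-create":
            still_open[cid] = ev
        elif ev["event"] == "flow-teardown":
            create = still_open.pop(cid, None)
            # Start time comes from the flow's own creation timestamp, not from
            # the export time of a delayed or never-sent flow-create event.
            start = ev["NF_F_FLOW_CREATE_TIME_MSEC"]
            closed.append({"conn_id": cid, "start_ms": start,
                           "duration_ms": ev["NF_F_EVENT_TIME_MSEC"] - start,
                           "create_seen": create is not None})
    return closed, still_open


def flows_seen_by_create_only(events):
    """Conn IDs a collector would know about if it keyed on flow-create alone."""
    return {ev["NF_F_CONN_ID"] for ev in events if ev["event"] == "flow-create"}


if __name__ == "__main__":
    closed, still_open = correlate(SAMPLE)
    for rec in closed:
        print(rec)
    missed = {r["conn_id"] for r in closed} - flows_seen_by_create_only(SAMPLE)
    print("flows with teardown only:", sorted(missed))
```

A detection rule or session count keyed only on flow-create records would never see connection 102 in this sample, so reports built on NSEL data should treat the teardown record as authoritative for short-lived flows.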

Table 5    Templates for Flow Creation Events (continued)

Description: IPv46 flow creation event with maximum username size (65 chars)
Fields: NF_F_CONN_ID, NF_F_SRC_ADDR_IPV4, NF_F_SRC_PORT, NF_F_SRC_INTF_ID, NF_F_DST_ADDR_IPV4, NF_F_DST_PORT, NF_F_DST_INTF_ID, NF_F_PROTOCOL, NF_F_ICMP_TYPE, NF_F_ICMP_CODE, NF_F_XLATE_SRC_ADDR_IPV6, NF_F_XLATE_DST_ADDR_IPV6, NF_F_XLATE_SRC_PORT, NF_F_XLATE_DST_PORT, NF_F_FW_EVENT, NF_F_FW_EXT_EVENT, NF_F_EVENT_TIME_MSEC, NF_F_FLOW_CREATE_TIME_MSEC, NF_F_INGRESS_ACL_ID, NF_F_EGRESS_ACL_ID, NF_F_USERNAME_MAX

Description: IPv64 flow creation with common username size (20 chars)
Fields: NF_F_CONN_ID, NF_F_SRC_ADDR_IPV6, NF_F_SRC_PORT, NF_F_SRC_INTF_ID, NF_F_DST_ADDR_IPV6, NF_F_DST_PORT, NF_F_DST_INTF_ID, NF_F_PROTOCOL, NF_F_ICMP_TYPE_IPV6, NF_F_ICMP_CODE_IPV6, NF_F_XLATE_SRC_ADDR_IPV4, NF_F_XLATE_DST_ADDR_IPV4, NF_F_XLATE_SRC_PORT, NF_F_XLATE_DEST_PORT, NF_F_FW_EVENT, NF_F_FW_EXT_EVENT, NF_F_EVENT_TIME_MSEC, NF_FLOW_CREATE_TIME_MSEC, NF_F_INGRESS_ACL_ID, NF_F_EGRESS_ACL_ID, NF_F_USERNAME

Description: IPv64 flow creation with maximum username size (65 chars)
Fields: NF_F_CONN_ID, NF_F_SRC_ADDR_IPV6, NF_F_SRC_PORT, NF_F_SRC_INTF_ID, NF_F_DST_ADDR_IPV6, NF_F_DST_PORT, NF_F_DST_INTF_ID, NF_F_PROTOCOL, NF_F_ICMP_TYPE_IPV6, NF_F_ICMP_CODE_IPV6, NF_F_XLATE_SRC_ADDR_IPV4, NF_F_XLATE_DST_ADDR_IPV4, NF_F_XLATE_SRC_PORT, NF_F_XLATE_DEST_PORT, NF_F_FW_EVENT, NF_F_FW_EXT_EVENT, NF_F_EVENT_TIME_MSEC, NF_FLOW_CREATE_TIME_MSEC, NF_F_INGRESS_ACL_ID, NF_F_EGRESS_ACL_ID, NF_F_USERNAME_MAX