topic Re: FTD / FMC And Netflow in Network Security

FTD / FMC And Netflow

pejedkcco — Fri, 21 Feb 2020 17:27:49 GMT

Does anyone have any experience with a (v)FTD (6.4.0.4) using only a mangement interface for mangement and a passive interface for IDS, where stealthwatch shoud be apart of that solution also.

Netflow has been configured through FMC with flexConfig. I can see the config is on the device with a show running-config in cli.

My stealthwatch collector is not getting any data.

I have been running a tcpdump port 2055 on both the FTD and the stealthwatch collector, but i have only seen one packet going between them, nothing else.

I have testes the collector with another netflow source, and that works and i can see the data in the stealthwatch management center.

Does it work with a passive interface or should it be routed or inline before it will work?

Thanks in advance.

Re: FTD / FMC And Netflow

Marvin Rhoads — Thu, 05 Sep 2019 15:46:14 GMT

I've not done it with FTD passive interface but have done it with routed interface (on 6.4.0.4) feeding Stealthwatch.

Have you configured the diagnostic interface (not br1 management) with an IP address? That's your Netflow (NSEL) source.

Re: FTD / FMC And Netflow

pejedkcco — Fri, 06 Sep 2019 05:20:37 GMT

Yes, there are an ip address on the diagnostic interface.

I can see through a tcpdump on the stealthwatch collector that there is 2 packets comming from the FTD and then all stops.

Other sources work fine with the stealthwatch collector.

Re: FTD / FMC And Netflow

Marvin Rhoads — Fri, 06 Sep 2019 13:08:36 GMT

Have you confirmed (check your show running-config) that your desired Netflow configuration was successfully pushed via Flexconfig?

I followed the guide posted here:

https://community.cisco.com/t5/security-documents/configuring-nsel-netflow-on-cisco-firepower-threat-defense-ftd/ta-p/3646300

...and had good results. My Stealthwatch has been getting Netflow events from FTD ever since.

Re: FTD / FMC And Netflow

mlorincz — Sat, 27 Jun 2020 00:35:49 GMT

Anyone ever get netflow exporting from inside interface? packet-tracers show it being dropped by implicit deny at the end, but when sourced from mgmt-ip or another IP in the subnet it is allowed. Almost as if the netflow exporting isn't being sourced from a zone/interface. I'd rather not have to configure diagnostic interface, this is on a ASA5525 running ftd code.

I figured if anyone would know the answer it's you smart people.

Re: FTD / FMC And Netflow

Marvin Rhoads — Sat, 27 Jun 2020 12:41:14 GMT

Currently it's only supported from the diagnostic interface. We expect this to change in Firepower 6.7 later this year.

Re: FTD / FMC And Netflow

mlorincz — Sat, 27 Jun 2020 17:43:00 GMT

Thanks Marvin, I was hoping you'd be the one to reply. Thank you very much for confirming my theory.

Have a great weekend!

Michael

Re: FTD / FMC And Netflow

David Mitchell — Thu, 17 Dec 2020 23:49:41 GMT

This is likely due to packets not going through the full LINA flow when in inline / passive mode. See this reference:

https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/214487-netflow-and-other-features-are-not-suppo.html#anc6

Re: FTD / FMC And Netflow

billystevenson24098 — Tue, 12 Jan 2021 15:49:38 GMT

hi came across this topic i have been asked to get netflow working to our 3rd party network tools from managengine and all the info was for versions 6.2 firmware but we are on 6.7 in our FTD to take advantage of the VTIs. do i still have to configure the diagnostic interface for netflow or can it use the management interface that was configured still new to this device

Re: FTD / FMC And Netflow

mlorincz — Wed, 30 Mar 2022 19:35:10 GMT

** ignore ** 🙂