topic ASA Netflow concerns in Network Security

ASA Netflow concerns

Christian Jorge — Tue, 12 Mar 2019 01:48:01 GMT

Good Morning

I was asked to enable netflow in an ASA Firewall for Orion/Solarwinds server monitoration. Firewall is a 5550, with 4G RAM, and no extra modules but SSM-4GE. This firewall has 5 DMZ segments and ans specific segment for internet traffic.

There are segments as unique subinterfaces in physical interfaces. Other segments as individual subinterfaces in the same physical interface (but individual VLANs)

Usually firewall CPU flows between 30% to 40%. Rarely to 50%.

My questions:

1 - How dangerous or risky could be implement netflow in this firewall?...This firewall is very critical for the customer. My concern is regrading CPU, traffic generated, memory, etc

2 - In a month, firewall will be migrated from 8.2 software version to 8.4 software version. Is there any incompatibility in some commands?...Would be recommended to perform netflow configuration after software upgrade?

3 - How could it be implemented for Orion monitoring, regarding each individual sub-interface (and so, each VLAN assigned)?

I there any recommendation regarding configuration, best practices?

Regards

Christian

ASA Netflow concerns

jakewilson — Fri, 24 May 2013 00:52:15 GMT

Hi Christian,

1) I Haven't see any issues with CPU

2) There were some major changes in the flow export in 8.4(5) which were reversed in a few following versions and then I believe put back to the format introduced in 8.4(5). Only a few NetFlow collectors can deal with this change.

3) I agree with Julio. make sure the template record is exported each minute

ASA Netflow concerns

Christian Jorge — Wed, 19 Jun 2013 20:25:23 GMT

My new question is:

Customer wants I configure netflow for a single interface for now. We check the firewall status, behaviour, etc.

Next time we configure netflow for a second interface and so on until all interfaces be included to netflow.

How do you guys recommend I perform this?

All articles I found treated netflow configuration using global policy-map.

I think of creating a new policy-map and input this as service-policy by interface, but I'm afraid regarding have same service-policy repeated in eadh interface.

ASA Netflow concerns

smetieh001 — Thu, 20 Jun 2013 12:08:31 GMT

Instead of creating a new serivce policy, I recommend adding it to an existing service policy.

Sylvester

ASA Netflow concerns

Christian Jorge — Thu, 20 Jun 2013 13:14:28 GMT

Now I have only the global policy-map. No other kind of policy-map created

ASA Netflow concerns

smetieh001 — Thu, 20 Jun 2013 13:42:31 GMT

it means you can create a service policy for an interface

Create a new class-map
class-map netflow_int_class
match any (or a pre-defined acl if you like. i.e access-list netflow_acl permit IP any any)

Create a policy-map

Policy-map netflow_Int_policy
class netflow_int_class

Apply Service-policy to an interface

Service-policy netflow_Int_policy interface outside

Hope this helps?

Re: ASA Netflow concerns

Christian Jorge — Thu, 20 Jun 2013 13:59:03 GMT

I've had that idea to configure a new policy-map (besides that global policy-map), use that new policy-map to perform netwflow action and apply individually in each interesting interface as service-policy.

I was thinking the firewall overhead in the final step, applying that service policy in all interfaces compared to apllying as global policy-map.

In summary: what's the overhead using the same policy-map explicitly in all interfaces

Update: I read something that netflow can't be applied using a separated/unique policy-map. Only permitted to use the global one. Anyone could confirm this?

Re: ASA Netflow concerns

Christian Jorge — Thu, 27 Jun 2013 14:21:14 GMT

Gentlemen

Any new idea, recommendation?

Regards