https://community.cisco.com/t5/network-security/csm-4-4sp1-netflow-configuration-for-asa/m-p/2230858#M920728 <P>Hi,</P><P></P><P>We are running Cisco Security Manager 4.4 service pack 1 and our ASA's are all running 9.0.2/9.1.1</P><P></P><P>I've hit a problem with export to netflow from my ASA firewalls configured through CSM.</P><P>We configure the netflow export under platform/logging and enable flow export. Looking at the "show flow-export counters" on the ASA very few flows are exported however and no netflow shows up in our netflow analyzer.</P><P></P><P>Looking at the deployment this is what is deployed (for netflow):</P><P style="padding-left: 30px;"><EM>! COMMENT: Bulk request written; reading response...</EM></P><P style="padding-left: 30px;"><EM>Line# 2. (SUCCESS) Sent (Fri Jun 07 08:50:05 CEST 2013): flow-export template timeout-rate 1</EM></P><P style="padding-left: 30px;"><EM> Received (Fri Jun 07 08:50:05 CEST 2013): </EM></P><P style="padding-left: 30px;"><EM>Line# 3. (SUCCESS) Sent (Fri Jun 07 08:50:05 CEST 2013): flow-export destination outside 146.2.217.125 19996</EM></P><P style="padding-left: 30px;"><EM> Received (Fri Jun 07 08:50:05 CEST 2013): </EM></P><P style="padding-left: 30px;"><EM>Line# 4. (SUCCESS) Sent (Fri Jun 07 08:50:05 CEST 2013): flow-export delay flow-create 60</EM></P><P></P><P></P><P>As I understand it I need to match what traffic to export to netflow which is setup as a service policy rule. I cannot find any option to export to netflow under the service policy rules however (only IPS,CXSC, Connection Settings, QoS, CSC, User statistics and Scansafe). </P><P></P><P>I configured a flexconfig to append to the configuration and this seems to export the data until the next time a policy is pushed. The configuration changes done by the flexconfig are then removed from the ASA and netflow stops working.</P><P></P><P>My flexconfig (append) looks like this:</P><P style="padding-left: 30px;"><EM>access-list netflow-hosts extended permit ip any any</EM></P><P style="padding-left: 30px;"><EM>class-map NetFlow-traffic</EM></P><P style="padding-left: 30px;"><EM>&nbsp; match access-list netflow-hosts</EM></P><P style="padding-left: 30px;"><EM>policy-map global_policy</EM></P><P style="padding-left: 30px;"><EM> class NetFlow-traffic</EM></P><P style="padding-left: 30px;"><EM>&nbsp; flow-export event-type all destination X.X.X.X</EM></P><P></P><P>Have anybody found a way to get netflow export work correctly when configured using CSM?</P><P></P><P>-Michel</P> Fri, 21 Feb 2020 12:54:23 GMT Michel Pedersen 2020-02-21T12:54:23Z https://community.cisco.com/t5/network-security/csm-4-4sp1-netflow-configuration-for-asa/m-p/2230858#M920728 <P>Hi,</P><P></P><P>We are running Cisco Security Manager 4.4 service pack 1 and our ASA's are all running 9.0.2/9.1.1</P><P></P><P>I've hit a problem with export to netflow from my ASA firewalls configured through CSM.</P><P>We configure the netflow export under platform/logging and enable flow export. Looking at the "show flow-export counters" on the ASA very few flows are exported however and no netflow shows up in our netflow analyzer.</P><P></P><P>Looking at the deployment this is what is deployed (for netflow):</P><P style="padding-left: 30px;"><EM>! COMMENT: Bulk request written; reading response...</EM></P><P style="padding-left: 30px;"><EM>Line# 2. (SUCCESS) Sent (Fri Jun 07 08:50:05 CEST 2013): flow-export template timeout-rate 1</EM></P><P style="padding-left: 30px;"><EM> Received (Fri Jun 07 08:50:05 CEST 2013): </EM></P><P style="padding-left: 30px;"><EM>Line# 3. (SUCCESS) Sent (Fri Jun 07 08:50:05 CEST 2013): flow-export destination outside 146.2.217.125 19996</EM></P><P style="padding-left: 30px;"><EM> Received (Fri Jun 07 08:50:05 CEST 2013): </EM></P><P style="padding-left: 30px;"><EM>Line# 4. (SUCCESS) Sent (Fri Jun 07 08:50:05 CEST 2013): flow-export delay flow-create 60</EM></P><P></P><P></P><P>As I understand it I need to match what traffic to export to netflow which is setup as a service policy rule. I cannot find any option to export to netflow under the service policy rules however (only IPS,CXSC, Connection Settings, QoS, CSC, User statistics and Scansafe). </P><P></P><P>I configured a flexconfig to append to the configuration and this seems to export the data until the next time a policy is pushed. The configuration changes done by the flexconfig are then removed from the ASA and netflow stops working.</P><P></P><P>My flexconfig (append) looks like this:</P><P style="padding-left: 30px;"><EM>access-list netflow-hosts extended permit ip any any</EM></P><P style="padding-left: 30px;"><EM>class-map NetFlow-traffic</EM></P><P style="padding-left: 30px;"><EM>&nbsp; match access-list netflow-hosts</EM></P><P style="padding-left: 30px;"><EM>policy-map global_policy</EM></P><P style="padding-left: 30px;"><EM> class NetFlow-traffic</EM></P><P style="padding-left: 30px;"><EM>&nbsp; flow-export event-type all destination X.X.X.X</EM></P><P></P><P>Have anybody found a way to get netflow export work correctly when configured using CSM?</P><P></P><P>-Michel</P> Fri, 21 Feb 2020 12:54:23 GMT https://community.cisco.com/t5/network-security/csm-4-4sp1-netflow-configuration-for-asa/m-p/2230858#M920728 Michel Pedersen 2020-02-21T12:54:23Z https://community.cisco.com/t5/network-security/csm-4-4sp1-netflow-configuration-for-asa/m-p/2230859#M920729 <HTML><HEAD></HEAD><BODY><P>Try adding in the following line under flexconfig with the rest of your netflow configurations.</P><P></P><P>flow-export template timeout-rate 1</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </P><P></P><P>These are my flexconfig on my firewalls using CSM:</P><P></P><P>access-list global_mpc extended permit ip any any</P><P>class-map global-class</P><P>match access-list global_mpc</P><P>policy-map global_policy</P><P>class global-class</P><P>&nbsp; flow-export event-type all destination x.x.x.x</P><P>flow-export template timeout-rate 1</P></BODY></HTML> Tue, 26 Nov 2013 16:00:36 GMT https://community.cisco.com/t5/network-security/csm-4-4sp1-netflow-configuration-for-asa/m-p/2230859#M920729 wkho 2013-11-26T16:00:36Z https://community.cisco.com/t5/network-security/csm-4-4sp1-netflow-configuration-for-asa/m-p/2230860#M920730 <HTML><HEAD></HEAD><BODY><P>We just upgraded to CSM 4.5 and I have verified that Netflow configuration is now fully supported there so no need to use a flexconfig to make it work anymore. In CSM 4.5 we can finally specify a service policy to match the netflow traffic.</P><P></P><P>Case closed for us <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P><P></P><P>-Michel</P></BODY></HTML> Tue, 26 Nov 2013 16:45:37 GMT https://community.cisco.com/t5/network-security/csm-4-4sp1-netflow-configuration-for-asa/m-p/2230860#M920730 Michel Pedersen 2013-11-26T16:45:37Z