ASA Netflow concerns

Christian Jorge
Level 1

Good Morning

I was asked to enable NetFlow in an ASA firewall for Orion/SolarWinds server monitoring. The firewall is a 5550, with 4 GB RAM, and no extra modules except the SSM-4GE. This firewall has 5 DMZ segments and a specific segment for internet traffic.

Some segments are unique subinterfaces on physical interfaces. Other segments are individual subinterfaces on the same physical interface (but in individual VLANs).

Usually the firewall CPU ranges between 30% and 40%, rarely up to 50%.

My questions:

1 - How dangerous or risky could it be to implement NetFlow in this firewall? This firewall is very critical for the customer. My concern is regarding CPU, traffic generated, memory, etc.

2 - In a month, the firewall will be migrated from software version 8.2 to 8.4. Is there any incompatibility in some commands? Would it be recommended to perform the NetFlow configuration after the software upgrade?

3 - How could it be implemented for Orion monitoring, regarding each individual subinterface (and so, each assigned VLAN)?

Is there any recommendation regarding configuration, best practices?

Regards

Christian

Accepted Solution

jakewilson
Level 1

Hi Christian,

1) I haven't seen any issues with CPU.

2) There were some major changes in the flow export in 8.4(5), which were reversed in a few following versions and then, I believe, put back to the format introduced in 8.4(5). Only a few NetFlow collectors can deal with this change.

3) I agree with Julio. Make sure the template record is exported each minute.


7 Replies

My new question is:

The customer wants me to configure NetFlow for a single interface for now, so we can check the firewall status, behaviour, etc.

Next time we configure NetFlow for a second interface, and so on until all interfaces are included in NetFlow.

How do you guys recommend I perform this?

All articles I found treated NetFlow configuration using the global policy-map.

I am thinking of creating a new policy-map and applying it as a service-policy per interface, but I'm afraid of having the same service-policy repeated on each interface.

Instead of creating a new service policy, I recommend adding it to an existing service policy.

Sylvester

Now I have only the global policy-map. No other kind of policy-map created

It means you can create a service policy for an interface.

Create a new class-map:

class-map netflow_int_class
 match any
! (or a pre-defined ACL if you like, i.e. "access-list netflow_acl extended permit ip any any"
!  followed by "match access-list netflow_acl" instead of "match any")

Create a policy-map (the class needs a flow-export action, otherwise the policy exports nothing; the collector must also be defined globally with "flow-export destination <interface> <collector-ip> <port>", where <collector-ip> is a placeholder for your Orion server):

policy-map netflow_int_policy
 class netflow_int_class
  flow-export event-type all destination <collector-ip>

Apply the service-policy to an interface:

service-policy netflow_int_policy interface outside

Hope this helps?
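As an added example (not configuration posted in this thread), here is the complete per-interface NSEL export the steps above describe, including the one-minute template export jakewilson recommends; the collector address 192.0.2.10, port 2055, and the interface names are placeholders. The ASA accepts one interface-specific policy-map per interface in addition to the global one, so this policy-map can coexist with the existing global_policy and be rolled out to further interfaces one at a time.

```cisco
! Added example, not from the thread. Collector IP, port and interface names are placeholders.
! Collector is assumed reachable through the "inside" interface.
flow-export destination inside 192.0.2.10 2055
! Re-send the template record every minute so the collector can always decode the data records
flow-export template timeout-rate 1
! Drop the syslogs that duplicate what NSEL already exports (less CPU and log volume)
logging flow-export-syslogs disable
!
! Match all traffic on whichever interface the policy is applied to
access-list netflow_acl extended permit ip any any
class-map netflow_int_class
 match access-list netflow_acl
!
! Interface-specific policy-map carrying only the flow-export action
policy-map netflow_int_policy
 class netflow_int_class
  flow-export event-type all destination 192.0.2.10
!
! Phase 1: a single interface. Later phases re-use the same policy-map on more interfaces.
service-policy netflow_int_policy interface outside
! service-policy netflow_int_policy interface dmz1
```

After applying it, "show flow-export counters" shows packets sent to the collector and any export errors, which is the quickest way to confirm records are leaving the firewall before checking Orion.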

I've had that idea to configure a new policy-map (besides the global policy-map), use that new policy-map to perform the NetFlow action and apply it individually on each interesting interface as a service-policy.

I was thinking about the firewall overhead in the final step, applying that service policy on all interfaces compared to applying it as the global policy-map.

In summary: what's the overhead of using the same policy-map explicitly on all interfaces?

Update: I read something that NetFlow can't be applied using a separate policy-map, only the global one is permitted. Could anyone confirm this?

Gentlemen

Any new idea, recommendation?

Regards
