FTD / FMC And Netflow

Hi

Does anyone have any experience with a (v)FTD (6.4.0.4) using only a management interface for management and a passive interface for IDS, where Stealthwatch should be a part of that solution also?

NetFlow has been configured through FMC with FlexConfig. I can see the config is on the device with a show running-config in the CLI.

My stealthwatch collector is not getting any data.

I have been running a tcpdump on port 2055 on both the FTD and the Stealthwatch collector, but I have only seen one packet going between them, nothing else.

I have tested the collector with another NetFlow source, and that works and I can see the data in the Stealthwatch Management Center.

 

Does it work with a passive interface, or should it be routed or inline before it will work?

Thanks in advance.
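When a tcpdump on the collector shows only a packet or two from the exporter, the next question is what those packets were: NSEL uses the NetFlow v9 export format, which sends template FlowSets (record layout only) separately from data FlowSets (the actual flow records), so a collector can receive templates and still have nothing to display. The parser below is an added example, not code from this thread or from Cisco; it follows the RFC 3954 packet layout and runs against two constructed sample packets (a template-only packet and a data packet), not real FTD output.

```python
"""Inspect NetFlow v9 export packets (the format NSEL uses) captured on UDP/2055.

Added example: classifies each FlowSet in a packet as template or data,
learns template definitions, and decodes data records against them.
Packet layout follows RFC 3954; the sample packets at the bottom are
constructed for the example, not captured from an FTD.
"""
import struct

# NetFlow v9 packet header: version, count, sysUptime, unix_secs, sequence, source_id
HEADER = struct.Struct("!HHIIII")

# A few field type numbers from RFC 3954 section 8, used to label decoded records.
FIELD_NAMES = {8: "IPV4_SRC_ADDR", 12: "IPV4_DST_ADDR", 7: "L4_SRC_PORT", 11: "L4_DST_PORT"}


def parse_header(payload: bytes) -> dict:
    """Return the header fields; reject anything that is not NetFlow v9."""
    if len(payload) < HEADER.size:
        raise ValueError("payload shorter than a NetFlow v9 header")
    version, count, uptime, unix_secs, seq, source_id = HEADER.unpack_from(payload, 0)
    if version != 9:
        raise ValueError(f"expected NetFlow v9, got version {version}")
    return {"version": version, "count": count, "sys_uptime_ms": uptime,
            "unix_secs": unix_secs, "sequence": seq, "source_id": source_id}


def iter_flowsets(payload: bytes):
    """Yield (flowset_id, body_bytes) for each FlowSet after the header."""
    offset = HEADER.size
    while offset + 4 <= len(payload):
        fs_id, fs_len = struct.unpack_from("!HH", payload, offset)
        if fs_len < 4 or offset + fs_len > len(payload):
            raise ValueError(f"bad FlowSet length {fs_len} at offset {offset}")
        yield fs_id, payload[offset + 4:offset + fs_len]
        offset += fs_len


def classify_flowsets(payload: bytes) -> list:
    """Label each FlowSet: 0 = template, 1 = options template, >=256 = data."""
    out = []
    for fs_id, body in iter_flowsets(payload):
        kind = ("template" if fs_id == 0 else "options-template" if fs_id == 1
                else "data" if fs_id >= 256 else "reserved")
        out.append((fs_id, kind, len(body) + 4))
    return out


def carries_flow_data(payload: bytes) -> bool:
    """True if the packet holds at least one data FlowSet (real flow records)."""
    return any(kind == "data" for _, kind, _ in classify_flowsets(payload))


def parse_templates(payload: bytes, templates: dict) -> dict:
    """Learn template definitions (FlowSet ID 0) into the given registry."""
    for fs_id, body in iter_flowsets(payload):
        if fs_id != 0:
            continue
        pos = 0
        while pos + 4 <= len(body):
            tid, nfields = struct.unpack_from("!HH", body, pos)
            pos += 4
            templates[tid] = [struct.unpack_from("!HH", body, pos + 4 * i) for i in range(nfields)]
            pos += 4 * nfields
    return templates


def decode_records(payload: bytes, templates: dict) -> list:
    """Decode data FlowSets whose template has already been learned; skip unknown ones."""
    records = []
    for fs_id, body in iter_flowsets(payload):
        if fs_id < 256 or fs_id not in templates:
            continue
        fields = templates[fs_id]
        rec_len = sum(length for _, length in fields)
        pos = 0
        while pos + rec_len <= len(body):  # trailing bytes shorter than a record are padding
            rec, cursor = {}, pos
            for ftype, length in fields:
                raw = body[cursor:cursor + length]
                cursor += length
                name = FIELD_NAMES.get(ftype, f"field_{ftype}")
                rec[name] = ".".join(map(str, raw)) if "ADDR" in name else int.from_bytes(raw, "big")
            records.append(rec)
            pos += rec_len
    return records


# Constructed sample packets (not real FTD output): a template-only packet,
# then a data packet that uses template 256.
TEMPLATE_PACKET = (HEADER.pack(9, 1, 1000, 1577836800, 1, 0)
                   + struct.pack("!HH", 0, 20)             # FlowSet ID 0, length 20
                   + struct.pack("!HH", 256, 3)            # template 256 with 3 fields
                   + struct.pack("!HHHHHH", 8, 4, 12, 4, 7, 2))  # src addr, dst addr, src port
DATA_PACKET = (HEADER.pack(9, 1, 2000, 1577836801, 2, 0)
               + struct.pack("!HH", 256, 16)               # data FlowSet for template 256
               + bytes([10, 0, 0, 1]) + bytes([10, 0, 0, 2]) + struct.pack("!H", 443)
               + b"\x00\x00")                               # pad to a 4-byte boundary

if __name__ == "__main__":
    for name, pkt in (("template", TEMPLATE_PACKET), ("data", DATA_PACKET)):
        print(name, classify_flowsets(pkt), "carries flow data:", carries_flow_data(pkt))
    registry = parse_templates(TEMPLATE_PACKET, {})
    print(decode_records(DATA_PACKET, registry))
```

To use it on a real capture, feed each UDP payload from the tcpdump to `classify_flowsets` in arrival order: if every packet that arrives is a template FlowSet and nothing is ever classified as data, the exporter has announced a record layout but is not emitting flow events, which is a different problem from the collector dropping traffic.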

I've not done it with FTD passive interface but have done it with routed interface (on 6.4.0.4) feeding Stealthwatch.

Have you configured the diagnostic interface (not br1 management) with an IP address? That's your NetFlow (NSEL) source.

Yes, there is an IP address on the diagnostic interface.

I can see through a tcpdump on the Stealthwatch collector that there are 2 packets coming from the FTD and then it all stops.

Other sources work fine with the Stealthwatch collector.


Have you confirmed (check your show running-config) that your desired NetFlow configuration was successfully pushed via FlexConfig?

I followed the guide posted here:

https://community.cisco.com/t5/security-documents/configuring-nsel-netflow-on-cisco-firepower-threat-defense-ftd/ta-p/3646300

...and had good results. My Stealthwatch has been getting NetFlow events from FTD ever since.

Has anyone ever got NetFlow exporting from the inside interface? Packet-tracers show it being dropped by the implicit deny at the end, but when sourced from the mgmt IP or another IP in the subnet it is allowed. It's almost as if the NetFlow export isn't being sourced from a zone/interface. I'd rather not have to configure the diagnostic interface; this is on an ASA5525 running FTD code.


I figured if anyone would know the answer it's you smart people.


Currently it's only supported from the diagnostic interface. We expect this to change in Firepower 6.7 later this year.

Thanks Marvin, I was hoping you'd be the one to reply. Thank you very much for confirming my theory.


Have a great weekend!

Michael