cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

5446
Views
25
Helpful
8
Replies
pejedkcco
Beginner

FTD / FMC And Netflow

Hi

 

Does anyone have any experience with a (v)FTD (6.4.0.4) using only a mangement interface for mangement and a passive interface for IDS, where stealthwatch shoud be apart of that solution also.

 

Netflow has been configured through FMC with flexConfig. I can see the config is on the device with a show running-config in cli.

My stealthwatch collector is not getting any data.

I have been running a tcpdump port 2055 on both the FTD and the stealthwatch collector, but i have only seen one packet going between them, nothing else.

 

I have testes the collector with another netflow source, and that works and i can see the data in the stealthwatch management center.

 

Does it work with a passive interface or should it be routed or inline before it will work?

 

Thanks in advance.

8 REPLIES 8
Marvin Rhoads
VIP Community Legend

I've not done it with FTD passive interface but have done it with routed interface (on 6.4.0.4) feeding Stealthwatch.

Have you configured the diagnostic interface (not br1 management) with an IP address? That's your Netflow (NSEL) source.

Yes, there are an ip address on the diagnostic interface.

I can see through a tcpdump on the stealthwatch collector that there is 2 packets comming from the FTD and then all stops.

 

Other sources work fine with the stealthwatch collector.

Have you confirmed (check your show running-config) that your desired Netflow configuration was successfully pushed via Flexconfig?

I followed the guide posted here:

https://community.cisco.com/t5/security-documents/configuring-nsel-netflow-on-cisco-firepower-threat-defense-ftd/ta-p/3646300

...and had good results. My Stealthwatch has been getting Netflow events from FTD ever since.

Anyone ever get netflow exporting from inside interface? packet-tracers show it being dropped by implicit deny at the end, but when sourced from mgmt-ip or another IP in the subnet it is allowed. Almost as if the netflow exporting isn't being sourced from a zone/interface. I'd rather not have to configure diagnostic interface, this is on a ASA5525 running ftd code.

 

I figured if anyone would know the answer it's you smart people.

Marvin Rhoads
VIP Community Legend

Currently it's only supported from the diagnostic interface. We expect this to change in Firepower 6.7 later this year.

Thanks Marvin, I was hoping you'd be the one to reply. Thank you very much for confirming my theory.

 

Have a great weekend!

 

Michael

David Mitchell
Cisco Employee

This is likely due to packets not going through the full LINA flow when in inline / passive mode.  See this reference:

 

https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/214487-netflow-and-other-features-are-not-suppo.html#anc6

 

hi came across this topic i have been asked to get netflow working to our 3rd party network tools from managengine and all the info was for versions 6.2 firmware but we are on 6.7 in our FTD to take advantage of the VTIs. do i still have to configure the diagnostic interface for netflow or can it use the management interface that was configured still new to this device  

Content for Community-Ad