11445
Views
26
Helpful
9
Replies

FTD / FMC And Netflow

pejedkcco
Level 1

Hi


Does anyone have any experience with a (v)FTD (6.4.0.4) using only a management interface for management and a passive interface for IDS, where Stealthwatch should be a part of that solution also?


Netflow has been configured through FMC with flexConfig. I can see the config is on the device with a show running-config in cli.

My stealthwatch collector is not getting any data.

I have been running a tcpdump on port 2055 on both the FTD and the Stealthwatch collector, but I have only seen one packet going between them, nothing else.


I have tested the collector with another NetFlow source, and that works and I can see the data in the Stealthwatch Management Center.


Does it work with a passive interface or should it be routed or inline before it will work?


Thanks in advance.

9 Replies

Marvin Rhoads
Hall of Fame

I've not done it with FTD passive interface but have done it with routed interface (on 6.4.0.4) feeding Stealthwatch.

Have you configured the diagnostic interface (not br1 management) with an IP address? That's your Netflow (NSEL) source.

Yes, there is an IP address on the diagnostic interface.

I can see through a tcpdump on the Stealthwatch collector that there are 2 packets coming from the FTD and then everything stops.


Other sources work fine with the stealthwatch collector.

Have you confirmed (check your show running-config) that your desired Netflow configuration was successfully pushed via Flexconfig?

I followed the guide posted here:

https://community.cisco.com/t5/security-documents/configuring-nsel-netflow-on-cisco-firepower-threat-defense-ftd/ta-p/3646300

...and had good results. My Stealthwatch has been getting Netflow events from FTD ever since.

Anyone ever get NetFlow exporting from the inside interface? packet-tracer shows it being dropped by the implicit deny at the end, but when sourced from the mgmt IP or another IP in the subnet it is allowed. Almost as if the NetFlow exporting isn't being sourced from a zone/interface. I'd rather not have to configure the diagnostic interface; this is on an ASA5525 running FTD code.


I figured if anyone would know the answer it's you smart people.

Currently it's only supported from the diagnostic interface. We expect this to change in Firepower 6.7 later this year.

Thanks Marvin, I was hoping you'd be the one to reply. Thank you very much for confirming my theory.


Have a great weekend!


Michael

** ignore **

David Mitchell
Cisco Employee

This is likely due to packets not going through the full LINA flow when in inline / passive mode. See this reference:


https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/214487-netflow-and-other-features-are-not-suppo.html#anc6
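An added diagnostic, not part of this thread or of any Cisco tooling: a small NetFlow v9 parser that tells template FlowSets (ID 0/1) apart from data FlowSets (ID 256 and up), so the "one or two packets on port 2055 and then nothing" capture described above can be checked for whether those packets are template-only exports, which is what you see when the exporter is reachable but no flows are passing through LINA. The sample packets are constructed for the example (not a real FTD/NSEL capture), and the parser does not decode NSEL field values.

```python
import struct

# NetFlow v9 header: version, count, sysUptime, unixSecs, sequence, sourceId (RFC 3954)
V9_HEADER = struct.Struct("!HHIIII")

def parse_v9_flowsets(packet: bytes):
    """Return (header dict, list of FlowSet summaries) for one NetFlow v9 export packet."""
    if len(packet) < V9_HEADER.size:
        raise ValueError("packet shorter than a NetFlow v9 header")
    version, count, _uptime, _secs, seq, source_id = V9_HEADER.unpack_from(packet, 0)
    if version != 9:
        raise ValueError(f"not NetFlow v9 (version={version})")
    header = {"count": count, "sequence": seq, "source_id": source_id}
    flowsets, off = [], V9_HEADER.size
    while off + 4 <= len(packet):
        fs_id, fs_len = struct.unpack_from("!HH", packet, off)
        if fs_len < 4 or off + fs_len > len(packet):
            raise ValueError(f"bad FlowSet length {fs_len} at offset {off}")
        # FlowSet ID 0 = template, 1 = options template, >= 256 = data records
        kind = "template" if fs_id == 0 else "options-template" if fs_id == 1 else "data"
        flowsets.append({"id": fs_id, "length": fs_len, "kind": kind})
        off += fs_len
    return header, flowsets

def exporter_status(packets):
    """Classify a capture of UDP payloads: 'no-export' (nothing reached the collector),
    'templates-only' (exporter reachable, but no flows traversing LINA, the symptom in
    this thread) or 'data-seen' (flow records are actually being exported)."""
    kinds = {fs["kind"] for p in packets for fs in parse_v9_flowsets(p)[1]}
    if not kinds:
        return "no-export"
    return "data-seen" if "data" in kinds else "templates-only"

def _v9(seq, count, body):
    # Build a v9 packet with constructed header values (uptime, timestamp, source ID 0)
    return V9_HEADER.pack(9, count, 1000, 1600000000, seq, 0) + body

# Constructed sample packets: one template FlowSet defining template 256 as
# (IPV4_SRC_ADDR type 8, IPV4_DST_ADDR type 12), then one data FlowSet using it.
TEMPLATE_PKT = _v9(1, 1, struct.pack("!HHHHHHHH", 0, 16, 256, 2, 8, 4, 12, 4))
DATA_PKT = _v9(2, 1, struct.pack("!HH", 256, 12) + bytes([10, 0, 0, 1, 10, 0, 0, 2]))

if __name__ == "__main__":
    print(exporter_status([]))                        # no-export
    print(exporter_status([TEMPLATE_PKT]))            # templates-only
    print(exporter_status([TEMPLATE_PKT, DATA_PKT]))  # data-seen
```

To use it on a live collector, feed `exporter_status` the UDP payloads received on port 2055 (for example from `socket.recvfrom`) or extracted from a pcap; a result of templates-only points at the LINA-path issue in the reference above rather than at reachability between FTD and collector.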


Hi, I came across this topic. I have been asked to get NetFlow working to our 3rd party network tools from ManageEngine, and all the info was for version 6.2 firmware, but we are on 6.7 on our FTD to take advantage of the VTIs. Do I still have to configure the diagnostic interface for NetFlow, or can it use the management interface that was configured? Still new to this device.
