How does ASA send NSEL data? I am confused.

sir_yrwins
Level 1

Cisco ASA sends NSEL data ("NetFlow Secure Event Logging").

Hello, I am a bit confused about how the 3 maps are configured and what they do.

Can someone please tell me if I am correct about how the ASA is set up to send data to NSEL?
Policy Map = set up to collect IP address
Class Map = set up to match policy
Service Map = set up to apply policy globally.

  

4 Replies

tvotna
Spotlight

In the ASA CLI this looks as follows. The ACL defines the traffic. Connections that match the ACL will trigger NetFlow event generation. The class-map refers to the ACL, and the policy-map (which is applied by default via the service-policy CLI) activates the feature.

flow-export destination inside <IP> <UDP-port>
flow-export template timeout-rate 1
flow-export active refresh-interval 1

access-list netflow-hosts extended permit ip any any

class-map NetFlow-traffic
 match access-list netflow-hosts

policy-map global_policy
 class NetFlow-traffic
  flow-export event-type all destination <IP>

logging flow-export-syslogs disable

The last command is optional. It blocks flow creation/teardown syslogs to reduce load, because the same information is sent via NetFlow to the NetFlow collector.

 

Class map - matches on traffic that you will apply actions to

policy map - applies actions to the class-map

service policy - applies the policy map to specified interface or globally

--
Please remember to select a correct answer and rate helpful posts

The order is:

A- Class-map

Here you have two choices:

1- match ACL: use this if you want to match only traffic between two points (these points can be hosts or subnets)

2- class-default: this is for all traffic

B- Policy-map

This uses the class you defined in step A.

The action is different here; it can be:

1- flow-export (flow export sends details of traffic to a specific destination) event-type ALL (all events are sent to one destination)

2- flow-export event-type ___: here you can select the event: creation, denied, update, teardown...

This lets you send each event-type to a specific destination, rather than sending all events to the same destination.

C- service-policy: here you use what you added in step B

That's all, friend

MHM
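
An added example, not part of any reply above and not Cisco code: a small Python check, run against a saved copy of the running configuration, that confirms the chain described in the replies is complete (collector defined, class-map, flow-export action in a policy-map, service-policy applied). The function name `audit_nsel`, the sample configuration and the 192.0.2.x addresses are constructed for illustration.

```python
import re

# Constructed sample; audit_nsel is a hypothetical helper, addresses are placeholders.
SAMPLE_CONFIG = """\
flow-export destination inside 192.0.2.10 2055
access-list netflow-hosts extended permit ip any any
class-map NetFlow-traffic
 match access-list netflow-hosts
policy-map global_policy
 class NetFlow-traffic
  flow-export event-type all destination 192.0.2.10
service-policy global_policy global
"""

def audit_nsel(config):
    """Return a list of findings; an empty list means the NSEL chain is complete."""
    collectors, class_maps, applied = set(), set(), set()
    exports = []                      # (policy-map, class, event-type, collector)
    policy = cls = None
    for raw in config.splitlines():
        line = raw.strip()
        if line and not raw[0].isspace():   # a top-level command closes any open policy-map
            policy = cls = None
        if m := re.match(r"flow-export destination \S+ (\S+) \d+$", line):
            collectors.add(m.group(1))
        elif m := re.match(r"class-map (\S+)$", line):
            class_maps.add(m.group(1))
        elif m := re.match(r"policy-map (\S+)$", line):
            policy = m.group(1)
        elif m := re.match(r"service-policy (\S+) (?:global|interface \S+)", line):
            applied.add(m.group(1))
        elif policy and (m := re.match(r"class (\S+)$", line)):
            cls = m.group(1)
        elif policy and cls and (m := re.match(r"flow-export event-type (\S+) destination (.+)$", line)):
            for dest in m.group(2).split():   # split in case several collectors are listed
                exports.append((policy, cls, m.group(1), dest))
    findings = []
    if not exports:
        findings.append("no flow-export action in any policy-map class")
    for pmap, cname, event, dest in exports:
        if dest not in collectors:
            findings.append(f"{pmap}/{cname}: {event} -> {dest} has no 'flow-export destination'")
        if cname != "class-default" and cname not in class_maps:
            findings.append(f"{pmap}: class {cname} has no class-map")
        if pmap not in applied:
            findings.append(f"{pmap}: not applied by any service-policy")
    return list(dict.fromkeys(findings))    # de-duplicate, keep order

if __name__ == "__main__":
    print(audit_nsel(SAMPLE_CONFIG) or "NSEL chain complete")
```
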

 

 

sir_yrwins
Level 1

WOW... thank you so much.... 
