
How does ASA send NSEL data? I am confused.

sir_yrwins
Level 1

Cisco ASA sends NSEL data ("NetFlow Secure Event Logging").

Hello, I am a bit confused about how the 3 maps are configured and what they do.

Can someone please tell me if I am correct about how the ASA is set up to send data to NSEL?
Policy Map = set up to collect IP address
Class Map = set up to match policy
Service Map = set up to apply policy globally.

  


tvotna
Spotlight

In ASA CLI this looks as follows. ACL defines traffic. Connections that match ACL will trigger NetFlow event generation. Class-map refers to ACL and policy-map (which is applied by default via service-policy CLI) activates the feature.

flow-export destination inside <IP> <UDP-port>
flow-export template timeout-rate 1
flow-export active refresh-interval 1

access-list netflow-hosts extended permit ip any any

class-map NetFlow-traffic
 match access-list netflow-hosts

policy-map global_policy
 class NetFlow-traffic
  flow-export event-type all destination <IP>

logging flow-export-syslogs disable

Last command is optional. It blocks flow creation/teardown syslogs to reduce load, because the same information is sent via NetFlow to NetFlow collector.

 

Class map - matches on traffic that you will apply actions to

policy map - applies actions to the class-map

service policy - applies the policy map to specified interface or globally

--
Please remember to select a correct answer and rate helpful posts

The order is:

A- Class-map

Here you have two choices:

1- match ACL: use this if you want to match only traffic between two points (these points can be hosts or subnets)

2- class-default: this is for all traffic

B- Policy-map

This uses the class you defined in step A.

The action is different here; it can be:

1- flow-export (flow-export sends details of traffic to a specific destination) event-type ALL (all events are sent to one destination)

2- flow-export event-type ___ here you can select the event: creation, denied, update, teardown...

This lets you send each event-type to a specific destination, instead of all events being sent to the same destination.

C- service-policy: here you use what you added in step B

That's all, friend

MHM
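
The chain the replies describe (ACL, class-map, policy-map, service-policy, plus a declared collector) can be checked offline against a saved configuration. This is an added example, not code from any poster in the thread; the function name `audit_nsel`, the sample config, the collector address 192.0.2.10 and UDP port 2055 are constructed placeholders.

```python
# Added example: audit a saved ASA config for a complete NSEL export chain.
# SAMPLE is constructed; 192.0.2.10 and UDP 2055 are placeholder values.
SAMPLE = """\
flow-export destination inside 192.0.2.10 2055
access-list netflow-hosts extended permit ip any any
class-map NetFlow-traffic
 match access-list netflow-hosts
policy-map global_policy
 class NetFlow-traffic
  flow-export event-type all destination 192.0.2.10
service-policy global_policy global
"""

def audit_nsel(config):
    """Return a list of gaps that would stop NSEL records reaching a collector."""
    dests, acls, applied = set(), set(), set()
    class_acls, exports = {}, []      # class-map -> ACLs; (policy, class, collector)
    kind = name = cls = None          # parser context for indented sub-commands
    for raw in config.splitlines():
        w = raw.split()
        if not w:
            continue
        if not raw[0].isspace():      # top-level command: reset context
            kind, name, cls = w[0], w[-1], None
            if w[:2] == ["flow-export", "destination"] and len(w) >= 5:
                dests.add(w[3])       # flow-export destination <if> <ip> <port>
            elif kind == "access-list" and len(w) > 1:
                acls.add(w[1])
            elif kind == "class-map":
                class_acls[name] = []
            elif kind == "service-policy" and len(w) > 1:
                applied.add(w[1])
        elif kind == "class-map" and w[:2] == ["match", "access-list"] and len(w) > 2:
            class_acls[name].append(w[2])
        elif kind == "policy-map" and w[0] == "class" and len(w) > 1:
            cls = w[1]
        elif kind == "policy-map" and w[:2] == ["flow-export", "event-type"] and "destination" in w:
            exports += [(name, cls, ip) for ip in w[w.index("destination") + 1:]]
    problems = [] if exports else ["no flow-export action in any policy-map"]
    for policy, cls, ip in exports:
        if cls != "class-default" and cls not in class_acls:
            problems.append(f"class-map {cls} is not defined")
        problems += [f"access-list {a} is not defined"
                     for a in class_acls.get(cls, []) if a not in acls]
        if ip not in dests:
            problems.append(f"collector {ip} has no flow-export destination line")
        if policy not in applied:
            problems.append(f"policy-map {policy} is not applied by a service-policy")
    return problems
```

An empty list from `audit_nsel(SAMPLE)` means every link in the chain resolves; each string otherwise names the missing piece.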

 

 

sir_yrwins
Level 1

WOW... thank you so much.... 
