Leveraging netflow data

hoffa2000
Level 3

Hi all

I'm trying to understand how Sourcefire/Firepower uses my NetFlow data. I have a Virtual Defense Center up and running and four ASAs with Firepower services reporting to it. All data flows seem to work and I've even done some IPS tests with promising results.

However, I have a few Cisco routers in my network that I would also like to use in the system, but so far I haven't figured out how. For example, should I have the routers send flow data to the Defense Center or to the Firepower modules in the ASAs? When I follow the Network Discovery steps in the user manual I get to set up a discovery policy using the NetFlow sources, but those policies are only deployed to the Firepower modules in the ASAs.

I realize the discovery information will not be as complete using only NetFlow data as it is with traffic flowing through the ASAs, but it will still improve my visibility.

 

Regards

Fredrik

2 Replies

akjellerstedt
Level 1

Hi, 

It is a bit unclear how to actually do this, but my understanding is that you need an extra Sourcefire 3D managed sensor to leverage NetFlow data. So there's no native NetFlow support in Defense Center.

 

From the user guide: http://www.cisco.com/c/en/us/td/docs/security/firesight/541/user-guide/FireSIGHT-System-UserGuide-v5401/Discovery-Config.html#61546

Because the FireSIGHT System uses managed devices to analyze NetFlow data, your deployment must include at least one managed device that can monitor your NetFlow-enabled devices. At least one sensing interface on that managed device must be connected to a network where it can collect the data that your NetFlow-enabled devices export. Because the sensing interfaces on managed devices do not usually have IP addresses, the system does not support the direct collection of NetFlow records.

 

 

 

So if I understand this correctly, there is no point sending NetFlow data to the FireSIGHT/Sourcefire Virtual DC? And I don't suppose the Firepower module in my ASAs can use the NetFlow data?

 

/Fredrik
