12-21-2023 01:18 AM
I have a bunch of FTDs around the globe, all managed by FMC; they are on v7.x code.
The ones local to the Netflow collector (as in the same subnet address range) work as expected; the ones in remote locations don't.
The ASAs they replaced used to send Netflow via the connect VPN from an inside IP, but the FTD does not appear to generate any output. I can't find any info in the Cisco Netflow configuration documentation to indicate if this is possible or how to configure it.
Anyone managed to do this?
Thanks for any input.
12-21-2023 06:26 AM
You need to use FlexConfig to forward traffic to the Netflow destination.
Check this video on how you can configure an interface to send flows to a specific destination.
MHM
12-21-2023 04:35 AM
Check the guide below:
12-21-2023 05:20 AM
Yeah, found that already & followed it; no mention of a remote collector & it does not work for remote FTDs. Config accepted & deployed, but zero traffic seen at the collector. Works great for FTDs where the collector is accessible via the same subnet that the FTD has an interface in.
Have you configured any FTDs to use a remote collector!?
The only way that guide would work would be to use the outside interface & send via the raw internet to a NAT local to the collector!
12-21-2023 05:51 AM
Local to one FTD it works perfectly; remote, no.
Did you allow traffic from the remote to the Netflow collector, which is behind the local FTD?
MHM
12-21-2023 05:56 AM
Yes, allowed the remote FTD's selected interface to the collector.
Had the same issue with SNMP, so had to update to SNMP v3 to the external management address, as the previous v2 used via VPN from ASA's would not work with FTD.
I'll raise an assistance ticket with TAC in the new year if no one has an answer by then.
12-21-2023 06:00 AM
So the source is the mgmt interface, not the outside interface?
MHM
12-21-2023 06:14 AM
How is the path to the remote collector?
What interface does it use (outside, right?)
If this is FMC-managed, have a look at the events and see if anything is dropping.
12-21-2023 06:07 AM
No, Management (as in Out of Band) is used for SNMP v3. NetFlow is on an inside interface, as it was on the ASAs, but traffic is not seen. Setup for all FTDs is 1x Internet Outside, 1x Management OoB, 1x Port-channel supporting multiple Inside sub-interfaces. The ASAs they replace were the same but without the Management OoB. So SNMP v2 & Netflow were configured on an Inside interface & traversed the intersite VPN to reach the SNMP server & Netflow collector. On the working FTD where the collector is in the same Inside interface subnet it works; everywhere else it fails.
12-21-2023 07:14 AM - edited 12-21-2023 07:16 AM
I stripped the content & applied the Global System Defined variables, rather than my Leaf level copies, & it sprung to life.
The CLI config is the same, but obviously needed something from the "GET" variables that did not survive the copy. Will try a few more & see what it says.
FYI: you don't need to configure the Diagnostic interface, as that would not have helped me anyway.
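A collector-side check for the "config deployed but zero traffic at the collector" symptom discussed in this thread, added here as an example (not code from any post, from Cisco, or from any collector product): it decodes NetFlow v9 datagrams as the collector receives them, reports which expected exporter addresses (the FTD inside interfaces) are silent, and flags exporters whose data FlowSets arrive without a template, which no collector can decode. The exporter addresses and packets are constructed sample data.

```python
import struct
from collections import Counter, defaultdict

V9_HEADER = struct.Struct("!HHIIII")  # version, count, sysUptime, unixSecs, seqNum, sourceId


def parse_v9(datagram):
    """Decode a v9 header and count FlowSets by kind: template (0), options (1), data (>=256)."""
    if len(datagram) < V9_HEADER.size:
        raise ValueError("datagram shorter than a v9 header")
    version, _count, _uptime, _secs, seq, source_id = V9_HEADER.unpack_from(datagram)
    if version != 9:
        raise ValueError(f"not NetFlow v9 (version field = {version})")
    kinds, offset = Counter(), V9_HEADER.size
    while offset + 4 <= len(datagram):
        fs_id, fs_len = struct.unpack_from("!HH", datagram, offset)
        if fs_len < 4 or offset + fs_len > len(datagram):
            raise ValueError(f"bad FlowSet length {fs_len} at offset {offset}")
        kinds["template" if fs_id == 0 else "options" if fs_id == 1 else "data"] += 1
        offset += fs_len
    return {"sequence": seq, "source_id": source_id, "flowsets": kinds}


def audit_exporters(packets, expected):
    """Per-exporter FlowSet totals, the expected exporters that never sent anything,
    and exporters whose data arrived without any template (collector cannot decode it)."""
    summary = defaultdict(Counter)
    for src, dgram in packets:
        try:
            summary[src].update(parse_v9(dgram)["flowsets"])
        except ValueError:
            summary[src]["malformed"] += 1
    silent = {ip for ip in expected if ip not in summary}
    untemplated = {ip for ip, c in summary.items() if c["data"] and not c["template"]}
    return dict(summary), silent, untemplated


def build_v9(source_id, flowsets):
    """Construct a v9 datagram from (flowset_id, payload) pairs; constructed test data only."""
    body = b"".join(struct.pack("!HH", fid, 4 + len(p)) + p for fid, p in flowsets)
    return V9_HEADER.pack(9, len(flowsets), 1000, 1703116800, 1, source_id) + body


# Constructed sample: local FTD sends template+data; remote 10.20.0.1 sends nothing; 10.30.0.1's template never arrived.
TEMPLATE = struct.pack("!HHHHHH", 256, 2, 8, 4, 12, 4)  # template 256: IPv4 src (8) + dst (12)
RECORD = bytes([10, 10, 0, 5, 10, 10, 0, 9])            # one record matching template 256
EXPECTED = {"10.10.0.1", "10.20.0.1", "10.30.0.1"}
SAMPLE = [
    ("10.10.0.1", build_v9(1, [(0, TEMPLATE), (256, RECORD)])),
    ("10.10.0.1", build_v9(1, [(256, RECORD), (256, RECORD)])),
    ("10.30.0.1", build_v9(3, [(256, RECORD)])),
    ("10.30.0.1", b"\x00\x05 not a v9 packet"),
]
```

Feed real datagrams as `(source_ip, payload)` pairs from a UDP socket bound to the collector port to see, before deploying anything, whether a remote FTD is silent or arriving from an unexpected (NAT'd) source address.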
12-21-2023 06:36 PM
FYI, version 7.4.1 software finally moves Netflow from a Flexconfig-based setup to a native GUI configuration.
12-22-2023 01:46 AM
So, update: it works as above on the newest v7.2.5 FTDs deployed, but the same setup fails on v7.0.5, which is where I was previously attempting to do this, so I guess it will kick in as I upgrade the v7.0.5 units to v7.2.5.
Marvin, thanks for the news; it's about time. I'm still stunned that FTD does not have push/pull config with FMC, like every other vendor, & no effective CLI access, so relying on FlexConfig is crazy.
I got all excited after getting this working & tried to use the same process to add our additional collector; it failed, but somehow managed to knock out our VPN from one location, but not the other. It's this inconsistent nature that worries me about FMC/FTD management.
So be careful!