Logging in high performance environments is non-trivial. NetFlow on the ASA provides an efficient way to track connection creation, teardown and denies: instead of ASCII syslog messages, the ASA exports binary records in UDP packets. The implementation used on the ASA platforms is NetFlow v9, which is defined in RFC 3954.
The feature was introduced in ASA 8.2.1/ASDM 6.2.1. For information on the feature itself, its functionality and limitations you can read here. The document below presents how to use ASDM to configure the ASA to send NetFlow information to the NetFlow collector.
Configure the Collector
In ASDM, under Configuration, go to Device Management > Logging > Netflow.
There you can set the NetFlow collector IP address, the ASA interface it is reachable through and the UDP port it listens on.
You can also set the template packet send frequency and disable the syslogs that become redundant once the same information is exported via NetFlow.
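The template send frequency matters because NetFlow v9 is self-describing: a collector cannot decode a data FlowSet until it has received the template FlowSet that describes the record layout, so records that arrive before the first template have to be dropped or held. The following collector-side decoder is an added example, not code from the original article or from Cisco; it parses the RFC 3954 packet header, caches templates per exporter source ID, decodes data records, and reports data FlowSets that arrived before their template. The sample packets, addresses and ports are constructed here for the demonstration; field type 233 is assumed to be the Cisco NSEL firewall event field with the event codes given in the comments.

```python
import socket
import struct
from typing import Dict, List, Tuple

# RFC 3954 field types (section 8) plus the NSEL firewall event field (233, assumed).
FIELD_NAMES = {4: "protocol", 7: "l4_src_port", 8: "ipv4_src_addr",
               11: "l4_dst_port", 12: "ipv4_dst_addr", 233: "fw_event"}
# Assumed NSEL event codes: 1 created, 2 deleted, 3 denied, 5 updated.
FW_EVENTS = {1: "created", 2: "deleted", 3: "denied", 5: "updated"}

# Export packet header: version, count, sysUptime, unix secs, sequence, source ID.
HEADER = struct.Struct("!HHIIII")


def decode_field(ftype: int, raw: bytes):
    """Turn the raw bytes of one field into a Python value."""
    if ftype in (8, 12):
        return socket.inet_ntoa(raw)
    value = int.from_bytes(raw, "big")
    return FW_EVENTS.get(value, value) if ftype == 233 else value


class V9Collector:
    """Minimal NetFlow v9 decoder with a per-exporter template cache."""

    def __init__(self) -> None:
        self.templates: Dict[Tuple[int, int], List[Tuple[int, int]]] = {}

    def parse(self, packet: bytes):
        """Return (decoded records, template IDs of data FlowSets we could not decode)."""
        version, _count, _uptime, _secs, _seq, source_id = HEADER.unpack_from(packet, 0)
        if version != 9:
            raise ValueError(f"not a NetFlow v9 packet (version {version})")
        records, missing = [], []
        offset = HEADER.size
        while offset + 4 <= len(packet):
            flowset_id, length = struct.unpack_from("!HH", packet, offset)
            if length < 4:
                raise ValueError("malformed FlowSet length")
            body = packet[offset + 4: offset + length]
            if flowset_id == 0:                      # template FlowSet
                self._parse_templates(source_id, body)
            elif flowset_id >= 256:                  # data FlowSet named by its template ID
                records.extend(self._parse_data(source_id, flowset_id, body, missing))
            # FlowSet ID 1 (options templates) is not handled in this example.
            offset += length
        return records, missing

    def _parse_templates(self, source_id: int, body: bytes) -> None:
        pos = 0
        while pos + 4 <= len(body):
            template_id, field_count = struct.unpack_from("!HH", body, pos)
            pos += 4
            fields = []
            for _ in range(field_count):
                fields.append(struct.unpack_from("!HH", body, pos))  # (type, length)
                pos += 4
            self.templates[(source_id, template_id)] = fields

    def _parse_data(self, source_id, template_id, body, missing):
        fields = self.templates.get((source_id, template_id))
        if fields is None:                           # template not seen yet
            missing.append(template_id)
            return []
        rec_len = sum(flen for _, flen in fields)
        out, pos = [], 0
        while pos + rec_len <= len(body):            # leftover bytes are padding
            rec = {}
            for ftype, flen in fields:
                rec[FIELD_NAMES.get(ftype, f"field_{ftype}")] = decode_field(ftype, body[pos:pos + flen])
                pos += flen
            out.append(rec)
        return out


# Constructed sample traffic: template 256 = src IP, dst IP, src port, dst port, proto, event.
TEMPLATE_FIELDS = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (233, 1)]
SAMPLE_FLOWS = [  # (src, dst, sport, dport, proto, fw_event) - constructed values
    ("192.168.1.50", "10.0.0.5", 51514, 443, 6, 1),
    ("192.168.1.50", "10.0.0.5", 51514, 443, 6, 2),
    ("203.0.113.7", "192.168.1.20", 40001, 22, 6, 3),
]


def build_template_packet(seq: int = 1, source_id: int = 0) -> bytes:
    tmpl = struct.pack("!HH", 256, len(TEMPLATE_FIELDS))
    tmpl += b"".join(struct.pack("!HH", t, l) for t, l in TEMPLATE_FIELDS)
    return HEADER.pack(9, 1, 1000, 1700000000, seq, source_id) + struct.pack("!HH", 0, 4 + len(tmpl)) + tmpl


def build_data_packet(seq: int = 2, source_id: int = 0) -> bytes:
    body = b"".join(socket.inet_aton(s) + socket.inet_aton(d) + struct.pack("!HHBB", sp, dp, p, e)
                    for s, d, sp, dp, p, e in SAMPLE_FLOWS)
    body += b"\x00" * (-len(body) % 4)               # pad FlowSet to a 32-bit boundary
    return HEADER.pack(9, len(SAMPLE_FLOWS), 1500, 1700000001, seq, source_id) + struct.pack("!HH", 256, 4 + len(body)) + body


if __name__ == "__main__":
    collector = V9Collector()
    print("before template:", collector.parse(build_data_packet()))   # ([], [256])
    collector.parse(build_template_packet())
    for rec in collector.parse(build_data_packet())[0]:
        print(rec)
```

Run as a script, the first call shows what a real collector sees between exporter start and the first template refresh: a data FlowSet for template 256 with nothing to decode it against. Lowering the template send interval on the ASA shortens that blind window at the cost of a few extra packets.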
Configure the NetFlow information extraction
To enable the ASA to start sending information to the collector defined above, go to Firewall > Service Policy Rules.
You create a new service policy that needs to be applied GLOBALLY.
Define the traffic for which you need to collect NetFlow statistics.
Then define the collector (the one configured above) that statistics for this traffic will be sent to.
Finally, you have a NetFlow service policy on your ASA.
After deploying these changes to the ASA, your configuration for the feature should look like this (the access-list, the flow-export destination, and the class-map and policy-map sub-commands):
access-list global_mpc extended permit ip any any
flow-export destination inside 192.168.1.13 2055
match access-list global_mpc
inspect dns migrated_dns_map_1
inspect h323 h225
inspect h323 ras
flow-export event-type all destination 192.168.1.13