Anand Kanani
Cisco Employee

How to configure NSEL (~NetFlow) on Cisco Firepower Threat Defense (FTD) using the FlexConfig feature introduced in Firepower Management Center (FMC) software version 6.2
See the attached doc.

Note that in a few versions of FTD code, the FlexConfig deployment for NetFlow as given in this document may fail. This is due to a minor bug. Check out my comment in this article (scroll towards the bottom of the page) talking about this bug and its workaround.

Note that this document is applicable only if you are managing your firewall using FMC. If you are using the on-box management functionality using Firepower Device Manager (FDM), then you may want to look at this article:

https://community.cisco.com/t5/security-documents/how-to-enable-netflow-on-firepower-using-fdm/ta-p/4048081

Comments
Stan Courtney
Community Member

Dear God,

Bless whoever wrote this document.

james.anderson83
Community Member

Seriously, EXCELLENT document.  Thank you!!!!

fescobar48
Level 1

Where do you download version 2 from?

Anand Kanani
Cisco Employee

Only this article is version 2, because whenever you make any edits to the page content, the version number is incremented automatically. The actual document is still v1 and it is fine, unless you have any specific feedback/suggestions that need to be incorporated.

Thanks!

Thank you!

Joshua Turner
Cisco Employee

Great document. Is it a caveat that the "diagnostic" port on a 5516 is different than the "configured MANAGEMENT port and can't be on the same subnet as my inside interface?

#Mat
Level 6
Excellent!!
fescobar48
Level 1

Hello Anand,

We upgraded our FTDs to v6.2.3.1-43 from v6.2.0.1-59 and we are no longer getting netflows from the FTDs. Is there a newer version or update?

Anand Kanani
Cisco Employee

Note that in a few versions of FTD code, the Flexconfig deployment may fail. This is due to the presence of an undesired INVISIBLE character in the default Netflow_Add_Destination Flexconfig object. It is a known minor bug.

Check out the below screenshot:

2018-11-05_134116.png

If you face this, then you will have to create a copy of this Flexconfig object. Note that you cannot edit the default Flexconfig objects, hence creation of a copy is required. Then edit manually and remove the undesired INVISIBLE character.

Check out the below screenshot. Note that since the character is invisible, both before and after change would appear similar.

 2018-11-05_133737.png

 

Now you can use this copy in your FTD configuration as mentioned in the document provided in this article.

Note that the same needs to be done for the default Netflow_Delete_Destination Flexconfig object.

 

If this does not solve the issue, then reach out to the appropriate tech support as applicable.

 

Thanks!
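
A check for the invisible-character problem described in the comment above, as an added example that is not part of the original thread or of Cisco's tooling: run the text of the copied FlexConfig object through a script that reports every character an editor would not display and returns a cleaned version. The sample text is constructed for illustration (it is not the real Netflow_Add_Destination body), and because the page does not say which character is involved, the script flags every control, format and non-ASCII space character.

```python
import unicodedata

# Constructed sample: NOT the real Netflow_Add_Destination body. A zero-width
# space hides after the IP address and a no-break space ends the second line.
SAMPLE = ("flow-export destination diagnostic 192.0.2.10\u200b 2055\r\n"
          "flow-export template timeout-rate 5\u00a0\r\n")

# Unicode categories with no visible glyph: control, format (zero-width, BOM),
# line/paragraph separators, private use, unassigned.
HIDDEN = {"Cc", "Cf", "Zl", "Zp", "Co", "Cn"}


def classify(ch):
    """Return 'ok', 'space' (odd space such as NBSP) or 'hidden' for one character."""
    if ch in ("\n", "\t", " "):
        return "ok"
    cat = unicodedata.category(ch)
    if cat == "Zs":
        return "space"
    return "hidden" if cat in HIDDEN else "ok"


def find_invisible(text):
    """List (line, column, codepoint, name) for each character an editor would not show."""
    hits = []
    for line_no, line in enumerate(text.replace("\r\n", "\n").split("\n"), 1):
        for col, ch in enumerate(line, 1):
            if classify(ch) != "ok":
                hits.append((line_no, col, f"U+{ord(ch):04X}",
                             unicodedata.name(ch, "<unnamed control>")))
    return hits


def clean(text):
    """Drop hidden characters and turn odd spaces into plain ASCII spaces."""
    out = []
    for ch in text.replace("\r\n", "\n"):
        kind = classify(ch)
        if kind == "ok":
            out.append(ch)
        elif kind == "space":
            out.append(" ")
    return "\n".join(line.rstrip() for line in "".join(out).split("\n"))


if __name__ == "__main__":
    for hit in find_invisible(SAMPLE):
        print("line %d col %d: %s %s" % hit)
    print(clean(SAMPLE))
```

Running the same check on the Netflow_Delete_Destination copy covers the second object the comment mentions.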

willieh
Level 1

This was so helpful!!

murat001
Level 4

Hi all,

Can we send the application name info discovered by the Firepower system to Stealthwatch, or do we also need a Flow Sensor appliance just for app-name?

Thanks

Hi,

I have a Firepower 4100 with FTD 6.3.0.1 instances. I need to configure NSEL to Stealthwatch with the management interface, but I always get a deployment error. The deployment only works with diagnostic as the interface in flow-exporter destination.

Can someone help me with the configuration to send the records through the FTD management interface on this platform?

Regards

FlexConfig.png
Deployment.png

kardesai
Cisco Employee

Excellent document with nice detailing. Working as expected.

jocaetan
Cisco Employee
If you are sending NetFlow, or NSEL, to Stealthwatch it is better to configure the templates to be sent every 5 minutes instead of 30 minutes.
buffkata
Level 1

This is a great document - Thank you.

I have a question - can we use this and add two NetFlow collectors somehow?
