
Configuring NSEL (~NetFlow) on Cisco Firepower Threat Defense (FTD)


How to configure NSEL (~NetFlow) on Cisco Firepower Threat Defense (FTD) using the FlexConfig feature introduced in Firepower Management Center (FMC) software version 6.2
See the attached doc.

Note that in a few versions of FTD code, the FlexConfig deployment for NetFlow as given in this document may fail. This is due to a minor bug. Check out my comment in this article (scroll towards the bottom of the page) talking about this bug and its workaround.


Note that this document is applicable only if you are managing your firewall using FMC. If you are using the on-box management functionality using Firepower Device Manager (FDM), then you may want to look at this article.

Stan Courtney
Community Member

Dear God,

Bless whoever wrote this document.

Community Member

Seriously, EXCELLENT document.  Thank you!!!!


Where do you download version 2 from?

Anand Kanani
Cisco Employee

Only this article is version 2, because the version number is incremented automatically whenever you make any edits to the page content. The actual document is still v1 and it is fine, unless you have any specific feedback/suggestions that need to be incorporated.


Thank you!

Joshua Turner
Cisco Employee

Great document. Is it a caveat that the "diagnostic" port on a 5516 is different than the configured MANAGEMENT port and can't be on the same subnet as my inside interface?

Frequent Contributor

Hello Anand,


We upgraded our FTDs to v6.2.3.1-43 from v6.2.0.1-59 and we are no longer getting netflows from the FTDs. Is there a newer version or update?

Anand Kanani
Cisco Employee

Note that in a few versions of FTD code, the FlexConfig deployment may fail. This is due to the presence of an undesired INVISIBLE character in the default Netflow_Add_Destination FlexConfig object. It is a known minor bug.

Check out the below screenshot:




In case you face this, you will have to create a copy of this FlexConfig object. Note that you cannot edit the default FlexConfig objects, hence creation of a copy is required. Then edit the copy manually and remove the undesired INVISIBLE character.

Check out the below screenshot. Note that since the character is invisible, the object before and after the change would appear similar.



Now you can use this copy in your FTD configuration as mentioned in the document provided in this article.


Note that the same needs to be done for the default Netflow_Delete_Destination FlexConfig object.


If this does not solve the issue, then reach out to the appropriate tech support as applicable.
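An added example, not part of the original comment or of Cisco's document: one way to locate an invisible character in text copied out of a FlexConfig object before pasting it into your copy. The comment does not say which character is involved, so this sketch flags any control, format or non-ASCII space character; the sample text is constructed and is not the content of the default Netflow_Add_Destination object.

```python
import unicodedata

# Constructed sample (NOT Cisco's default object body): an ASA-style NSEL line
# with a zero-width space (U+200B) hidden right after "destination".
SAMPLE = ("flow-export destination\u200b diagnostic 192.0.2.10 2055\n"
          "flow-export template timeout-rate 5\n")

ALLOWED = {" ", "\n", "\r", "\t"}          # whitespace a config may contain
HIDDEN_CATEGORIES = {"Cc", "Cf", "Zs", "Zl", "Zp"}
# Cc = control, Cf = format (zero-width space/joiner, BOM, bidi marks),
# Zs/Zl/Zp = non-ASCII spaces and separators (e.g. U+00A0 no-break space)


def is_hidden(ch):
    """True for characters that render as nothing or as a look-alike space."""
    return ch not in ALLOWED and unicodedata.category(ch) in HIDDEN_CATEGORIES


def find_hidden(text):
    """Return (line, column, code point, Unicode name) for each hidden char."""
    hits = []
    # split on "\n" only: str.splitlines() would swallow U+2028 and friends
    for lineno, line in enumerate(text.split("\n"), start=1):
        for col, ch in enumerate(line, start=1):
            if is_hidden(ch):
                name = unicodedata.name(ch, "<unnamed control>")
                hits.append((lineno, col, f"U+{ord(ch):04X}", name))
    return hits


def clean(text):
    """Drop control/format characters; turn look-alike spaces into ' '."""
    out = []
    for ch in text:
        if not is_hidden(ch):
            out.append(ch)
        elif unicodedata.category(ch).startswith("Z"):
            out.append(" ")                # keep the word boundary
        # Cc / Cf characters are dropped entirely
    return "".join(out)


if __name__ == "__main__":
    for lineno, col, cp, name in find_hidden(SAMPLE):
        print(f"line {lineno}, column {col}: {cp} {name}")
    print(clean(SAMPLE), end="")
```

Run it on the text of your copied object and re-check the cleaned result with `find_hidden` before deploying.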




This was so helpful!!


Hi all,


Can we send application name info discovered by the Firepower system to Stealthwatch, or do we also need a Flow Sensor appliance just for app-name?







I have a Firepower 4100 with FTD instances. I need to configure NSEL to Stealthwatch with the management interface, but I always get a deployment error. The deployment only works with diagnostic as the interface in flow-exporter destination.


Can someone help me with the configuration to send the records through the FTD management interface on this platform?





Cisco Employee

Excellent document with nice detailing. Working as expected.

Cisco Employee
If you are sending NetFlow, or NSEL, to Stealthwatch it is better to configure the templates to be sent every 5 minutes instead of 30 minutes.

This is a great document - Thank you.

I have a question - can we use this and add two NetFlow collectors somehow?
