Integrating AC NVM with McAfee SIEM

abhijith891 · ‎03-04-2019

Hello All,

I want to deploy NVM where a user's detailed flow should go the Mcafee syslog server. Can someone let me know if its really required to have a separate IPFIX collector component or is it okay if I redirect all the user flows(UDP 2055, 20519,20520) from the ASA directly to the syslog server?

balaji.bandi · ‎03-05-2019

How is your Flows, you want to send the Flows from ASA to syslog Server, the SIEM pickup that logs to analyse.

yes it is possible.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

abhijith891 · ‎03-05-2019

Hi Balaji,

I am planning to create a new XML client profile with NVM inherited and will be opening the port UDP 2055 on ASA. The plan is to send all the flow traffic of each and every Anyconnect user to the syslog server. My only concern is whether a collector component is really required, because if thats the case, I need to invest in a new device. My deployment model is loosely based on the following article; except that we are authenticating against an AD instead of ISE and using Mcafee instead of Splunk.

https://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/200600-Install-and-Configure-Cisco-Network-Visi.html

Note: We are already sending syslogs on port 514 to SIEM, just wanted to know if its possible to send flow traffic the same way on port 2055 or do we need a new collector component.