Use https://seceonhelp.freshdesk.com/support/login to access updated Knowledge Base Articles, Submit Technical Support Tickets and Review Status of submitted support tickets.

Configure Netflows from Cisco ASA to CCE through command line

Procedure

Step 1 Add an NSEL collector to which NetFlow packets may be sent.

flow-export destination interface-name {ipv4-address | hostname} udp-port


Example:

ciscoasa(config)# flow-export destination inside 209.165.200.225 2002


The destination keyword indicates that an NSEL collector is being configured. The interface-name argument is the name of the ASA or ASA Services Module interface through which the collector is reached. The ipv4-address or hostname argument is the IP address or name of the machine running the collector application. The udp-port argument is the UDP port number to which NetFlow packets are sent.

You can configure a maximum of five collectors. After a collector is configured, template records are automatically sent to all configured NSEL collectors.

Note Make sure that collector applications use the Event Time field to correlate events.

Step 2 Repeat the first step to configure more collectors.


Configure Flow-Export Actions Through Modular Policy Framework

To configure flow-export actions through Modular Policy Framework, perform the following steps:

Procedure

Step 1 Define the class map that identifies traffic for which NSEL events need to be exported.

class-map flow_export_class


Example:

ciscoasa(config-pmap)# class-map flow_export_class


The flow_export_class argument is the name of the class map.

Step 2 Choose one of the following options:

  • Configure the ACL to match specific traffic.

match access-list flow_export_acl


Example:

ciscoasa(config-cmap)# match access-list flow_export_acl


The flow_export_acl argument is the name of the ACL.

  • Match any traffic.

match any


Example:

ciscoasa(config-cmap)# match any


Step 3 Define the policy map to apply flow-export actions to the defined classes.

policy-map flow_export_policy


Example:

ciscoasa(config)# policy-map flow_export_policy


The flow_export_policy argument is the name of the policy map.

If you create a new policy map and apply it globally according to Step 6, the remaining inspection policies are deactivated.

Alternatively, enter the class flow_export_class command after the policy-map global_policy command to insert a NetFlow class in the existing policy.

See the firewall configuration guide for more information about creating or modifying the Modular Policy Framework.

Step 4 Define the class to apply flow-export actions.

class flow_export_class


Example:

ciscoasa(config-pmap)# class flow_export_class


The flow_export_class argument is the name of the class.

Step 5 Configure a flow-export action.

flow-export event-type event-type destination flow_export_host1 [flow_export_host2]


Example:

ciscoasa(config-pmap-c)# flow-export event-type all destination 209.165.200.230


The event-type keyword selects which type of NSEL event is exported; the example exports all event types. The destination keyword introduces the collector addresses. Each flow_export_host argument is the IP address of a collector that was configured with the flow-export destination command; the syntax allows up to two hosts per action.

Step 6 Add the service policy globally.

service-policy flow_export_policy global


Example:

ciscoasa(config)# service-policy flow_export_policy global


The flow_export_policy argument is the name of the policy map.


Configure Template Timeout Intervals

To configure template timeout intervals, perform the following steps:

Procedure

Step 1 Specify the interval at which template records are sent to all configured output destinations.

flow-export template timeout-rate minutes


Example:

ciscoasa(config)# flow-export template timeout-rate 15


The template keyword indicates the template-specific configurations. The timeout-rate keyword specifies the time before templates are resent. The minutes argument specifies the time interval in minutes at which the templates are resent. The default value is 30 minutes.


Change the Time Interval for Sending Flow-Update Events to a Collector

To change the time interval for sending flow-update events to a collector, perform the following steps:

Procedure

Step 1 Configure NetFlow parameters for active connections.

flow-export active refresh-interval value


Example:

ciscoasa(config)# flow-export active refresh-interval 30


The value argument specifies the time interval between flow-update events in minutes. Valid values are 1 to 60 minutes. The default value is 1 minute.

If you have already configured the flow-export delay flow-create command, and you then configure the flow-export active refresh-interval command with an interval value that is not at least 5 seconds more than the delay value, the following warning message appears at the console:

WARNING: The current delay flow-create value configuration may cause flow-update events to appear before flow-creation events.


If you have already configured the flow-export active refresh-interval command, and you then configure the flow-export delay flow-create command with a delay value that is not at least 5 seconds less than the interval value, the following warning message appears at the console:

WARNING: The current delay flow-create value configuration may cause flow-update events to appear before flow-creation events.
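
The procedures on this page (collector definition plus Modular Policy Framework, template timeout, and the refresh-interval/delay ordering) are easy to leave half-applied: a class-map with no match, a policy-map that is never applied globally, or an export action pointing at an address that was never defined as a collector all produce no NetFlow at the CCE while the ASA reports no error. The following Python script is an added example, not Cisco's or Seceon's code. It parses a constructed running-config excerpt containing exactly the statements from Steps 1 through 6 above, then audits them: one to five collectors, a global service policy whose classes have match statements and whose flow-export actions reference configured collectors, the 1 to 60 minute refresh-interval range, and the 5-second margin between refresh-interval and delay flow-create. It assumes delay flow-create is expressed in seconds, as in Cisco's syntax (the page itself states only the 5-second margin); 209.165.200.225 is the documentation address from the page, not a real collector.

```python
import re

# Constructed sample running-config excerpt (not captured from a real ASA).
# 209.165.200.225 is the documentation address used on this page.
SAMPLE_CONFIG = """
access-list flow_export_acl extended permit ip any any
flow-export destination inside 209.165.200.225 2002
flow-export template timeout-rate 15
flow-export delay flow-create 15
flow-export active refresh-interval 30
class-map flow_export_class
 match access-list flow_export_acl
policy-map flow_export_policy
 class flow_export_class
  flow-export event-type all destination 209.165.200.225
service-policy flow_export_policy global
"""

# Single-value flow-export settings: minutes, minutes, seconds respectively
# (seconds for delay flow-create is an assumption from Cisco's syntax).
SCALARS = {
    "template_timeout": r"flow-export template timeout-rate (\d+)$",
    "refresh_interval": r"flow-export active refresh-interval (\d+)$",
    "delay_flow_create": r"flow-export delay flow-create (\d+)$",
}


def parse_config(text):
    """Collect the NSEL-relevant statements from an ASA running-config."""
    cfg = {"destinations": [], "class_maps": {}, "policy_maps": {},
           "global_policy": None}
    cfg.update({key: None for key in SCALARS})
    cmap = pmap = cls = None          # current class-map / policy-map / class
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if raw == raw.lstrip():       # an unindented line ends any sub-mode
            cmap = pmap = cls = None
        for key, pattern in SCALARS.items():
            m = re.match(pattern, line)
            if m:
                cfg[key] = int(m.group(1))
        if m := re.match(r"flow-export destination (\S+) (\S+) (\d+)$", line):
            cfg["destinations"].append((m[1], m[2], int(m[3])))
        elif m := re.match(r"class-map (\S+)$", line):
            cmap = m[1]
            cfg["class_maps"][cmap] = []
        elif cmap and line.startswith("match "):
            cfg["class_maps"][cmap].append(line)
        elif m := re.match(r"policy-map (\S+)$", line):
            pmap = m[1]
            cfg["policy_maps"][pmap] = {}
        elif pmap and (m := re.match(r"class (\S+)$", line)):
            cls = m[1]
            cfg["policy_maps"][pmap][cls] = []
        elif cls and (m := re.match(r"flow-export event-type (\S+) destination (.+)$", line)):
            cfg["policy_maps"][pmap][cls].append((m[1], m[2].split()))
        elif m := re.match(r"service-policy (\S+) global$", line):
            cfg["global_policy"] = m[1]
    return cfg


def audit(cfg):
    """Return findings for an incomplete or inconsistent NSEL export (empty list = OK)."""
    findings = []
    n = len(cfg["destinations"])
    if n == 0:
        findings.append("no NSEL collector: add 'flow-export destination ...'")
    elif n > 5:
        findings.append(f"{n} collectors configured; the ASA allows at most five")
    collectors = {ip for _, ip, _ in cfg["destinations"]}

    gp = cfg["global_policy"]
    if gp is None:
        findings.append("no 'service-policy <map> global'; flow-export actions are not applied")
    elif gp not in cfg["policy_maps"]:
        findings.append(f"global service-policy '{gp}' has no matching policy-map")
    else:
        actions = [(c, a) for c, acts in cfg["policy_maps"][gp].items() for a in acts]
        if not actions:
            findings.append(f"policy-map '{gp}' has no 'flow-export event-type ... destination' action")
        for cls, (_, hosts) in actions:
            if not cfg["class_maps"].get(cls):
                findings.append(f"class '{cls}' has no class-map with a match statement")
            for host in hosts:
                if host not in collectors:
                    findings.append(f"action exports to {host}, which is not a configured collector")

    r, d = cfg["refresh_interval"], cfg["delay_flow_create"]
    if r is not None and not 1 <= r <= 60:
        findings.append(f"active refresh-interval {r} is outside 1-60 minutes")
    # refresh-interval is in minutes, delay flow-create in seconds: the ASA's
    # warning fires when the interval is not at least 5 s more than the delay.
    if r is not None and d is not None and r * 60 < d + 5:
        findings.append("delay flow-create is not at least 5 s below the refresh interval; "
                        "flow-update events may appear before flow-creation events")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_config(SAMPLE_CONFIG)) or ["NSEL export looks complete"]:
        print(finding)
```

Feed it the output of show running-config from the ASA; the sample above passes cleanly, while changing the refresh interval to 1 minute with a 60-second flow-create delay reproduces the ordering condition behind the console warning quoted above.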


Reference links: https://www.cisco.com/c/en/us/td/docs/security/asa/special/netflow/guide/asa_netflow.html#pgfId-1324373


Seceon Inc. All rights reserved. https://www.seceon.com