NetFlow and ASA

Hi,

I'm currently running 8.2(1) on an ASA. This release supports NetFlow (via the flow-export commands). However, none of the NetFlow collectors I have tried seem to work (SolarWinds NetFlow, NTop, PRTG, Plixer Scrutinizer, ManageEngine NetFlow Analyzer).

Can anyone recommend a free NetFlow collector and reporting tool? I want to be able to report on the largest flows for a period (or for right now).

Thanks

Reply to
DC

k1ll1ngt0n had written this in response:

Hey there,

Check out the newest version of Scrutinizer from Plixer. They just released version 7 the other day and I hear it supports the ASA netflow templates.

The ASA netflow templates sent by the ASAs are custom v9 templates, so most of the collectors haven't adapted to the change yet. But I know that the guys at Plixer are one of 2 vendors that now support it, the other being Cisco MARS. ;/


Reply to
k1ll1ngt0n

k1ll1ngt0n said the following on 27/08/2009 12:20 AM:

Ah, I downloaded Scrutinizer last week. The new version came out after that.

Anyway, I'm downloading it now and will try it as soon as I can. I must say, it's grown a bit - 71MB vs 237MB.

Thanks.

Reply to
DC

k1ll1ngt0n said the following on 27/08/2009 12:20 AM:

Hi,

I have installed Plixer Scrutinizer with interesting results. I can see denied flows, but that's all. Scrutinizer only lists one flow template - "909 ASA NSEL v4 Denied no XLATE"

According to I should also see the template "911 ASA NSEL v4 Terminate". This latter one is the template that shows me the flows I think.

Any ideas?

However, in the end I'm not sure that NetFlow will do what I want. I need a way for someone (not a network admin) at a remote site to be able to look at current traffic on the ASA when performance is acting up and try to determine what's causing it. From my reading, NetFlow on the ASA only reports traffic when the connection has been torn down. That's a bit late for my needs.

Reply to
DC

Try with some firewall log analyzers... They act as a syslog server (configure the ASA to export syslogs at informational level) and parse syslog records into very useful tables, charts, etc. I'm using [link], but this one isn't free... There must be some open source free stuff out there. Informational level syslogging records every phase of a session established through the ASA firewall and also with the firewall itself, so you should be able to see traffic generated during session activity - not only after the session is completed.

Igor

Reply to
Igor Mamuzic aka Pseto

murphofthemagictones had written this in response:

You need to make sure that the service policy classes are configured to export netflow for all events.

It would look sort of like this:

    policy-map flow_export_policy
     class flow_export_class
      flow-export event-type flow-create destination godzilla.plixer.com

In ASDM you

  1. go to Firewall->Service Policy Rules
  2. edit the service policy you want to export from
  3. Choose the "Rule Actions" tab
  4. Choose the NetFlow tab
  5. choose "Add" and select "--All--" under flow event type. Check off the collector(s) you would like to export to.

Once you save, you should start getting all your NSEL netflow export.


Reply to
murphofthemagictones

murphofthemagictones said the following on 3/09/2009 3:56 AM:

I currently have

    policy-map global_policy
     class FLOW_EXPORT_CLASS_MAP
      flow-export event-type all destination x.x.x.x

I installed Scrutinizer on a new host, waited a while and then tried it. I could see the Terminated flow template. I then tried again a couple of hours later and the Terminated flow template had disappeared (I can only see Create and Denied no XLate).

So, I have no idea why it did work and then stopped.

Reply to
DC
