Enable NetFlow on Cisco ASA


Some time ago, Cisco implemented NetFlow 9 for its popular ASA 5500 security and firewall appliances. This implementation differs from the NetFlow other Cisco devices provide: it is called “NetFlow Security Event Logging” (NSEL) and was originally introduced on the Cisco ASA 5580. With the current firmware (ASA 8.2.x or later) it is available on the other Cisco ASA models as well.

The data to be exported is selected by a service policy, which tells the ASA which flow events to send to the analyzer (collector) server. The following configuration works if your ASA still uses the default global policy:

flow-export destination inside 1.2.3.4 6343
policy-map global_policy
 class class-default
  flow-export event-type all destination 1.2.3.4

Note: the global flow-export destination command names the interface through which the ASA reaches the collector (inside here; substitute the interface that matches your setup), the collector IP address and the UDP port; the class-level flow-export command then refers to that collector by IP address only. In the example above, « 1.2.3.4 » is the IP address of the BLËSK monitoring server and « 6343 » is the Local Collector UDP Port number configured on BLËSK.

If you are using the ASDM GUI, go to Configuration > Firewall > Service Policy Rules, click Add, select “Use class-default as the traffic class”, click Next, open the NetFlow tab, click Add and check the collector(s) you want to use, then click Finish and Apply.

Please keep the following facts in mind:

  • You will not see the data 100% live: NSEL sends a NetFlow data packet only after a connection has been torn down. If a connection stays active for minutes or hours, the ASA sends a single NetFlow record with the totals for that connection once it ends.
  • NetFlow 9 monitoring on the ASA comes at a price: CPU load. For most ASAs with low to medium traffic this should not be an issue, but if your ASA already shows considerable CPU load, think twice before enabling NetFlow.
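To make the "one record per torn-down connection" behaviour concrete, here is an added example (written for this page, not code from BLËSK or Cisco) of what a collector listening on UDP 6343 has to do with the NetFlow 9 packets the ASA exports: decode the packet header, learn the template the ASA sends, and then decode the data records that follow it. The sample packet is constructed inline; the addresses, ports and byte counts in it are made up. The standard field types (8, 12, 7, 11, 4) come from the NetFlow 9 specification; the NSEL-specific ones (233 firewall event, 231/232 initiator and responder byte counts) are taken from Cisco's published NSEL field reference as I recall it, so verify them against the documentation for your ASA version before relying on them.

```python
import struct
import ipaddress
from typing import Dict, List, Tuple

# NetFlow 9 field type -> friendly name. 8/12/7/11/4 are standard NetFlow 9
# fields; 233/231/232 are Cisco NSEL fields (assumed from Cisco's NSEL
# field reference, verify for your ASA version).
FIELD_NAMES = {
    8: "src_addr", 12: "dst_addr", 7: "src_port", 11: "dst_port",
    4: "protocol", 233: "fw_event",
    231: "initiator_bytes", 232: "responder_bytes",
}
# NF_F_FW_EVENT values as documented by Cisco (assumed, see lead-in).
FW_EVENT = {1: "flow-create", 2: "flow-teardown", 3: "flow-denied",
            4: "flow-alert", 5: "flow-update"}

Template = List[Tuple[int, int]]  # list of (field type, field length)


def decode_field(ftype: int, raw: bytes):
    """Turn the raw bytes of one field into a Python value."""
    if ftype in (8, 12):
        return str(ipaddress.IPv4Address(raw))
    value = int.from_bytes(raw, "big")
    if ftype == 233:
        return FW_EVENT.get(value, f"unknown({value})")
    return value


def parse_v9(packet: bytes, templates: Dict[int, Template]) -> List[dict]:
    """Decode one NetFlow 9 packet. Templates learned from it are stored in
    `templates` so later data-only packets from the same ASA can be decoded."""
    version, count, uptime, unix_secs, seq, source_id = struct.unpack(
        "!HHIIII", packet[:20])
    if version != 9:
        raise ValueError(f"not a NetFlow 9 packet (version {version})")
    records: List[dict] = []
    off = 20
    while off + 4 <= len(packet):
        fs_id, fs_len = struct.unpack("!HH", packet[off:off + 4])
        if fs_len < 4:
            raise ValueError("malformed flowset length")
        body = packet[off + 4:off + fs_len]
        if fs_id == 0:  # template flowset, may carry several templates
            p = 0
            while p + 4 <= len(body):
                tid, nfields = struct.unpack("!HH", body[p:p + 4])
                if tid < 256:  # hit the zero padding at the end of the flowset
                    break
                p += 4
                fields: Template = []
                for _ in range(nfields):
                    fields.append(struct.unpack("!HH", body[p:p + 4]))
                    p += 4
                templates[tid] = fields
        elif fs_id >= 256:  # data flowset referencing a template id
            fields = templates.get(fs_id)
            if fields is None:
                # Template not seen yet: skip, the ASA re-sends templates
                # periodically and the records can be decoded after that.
                off += fs_len
                continue
            rec_len = sum(flen for _, flen in fields)
            p = 0
            while p + rec_len <= len(body):
                rec = {}
                for ftype, flen in fields:
                    rec[FIELD_NAMES.get(ftype, f"field_{ftype}")] = \
                        decode_field(ftype, body[p:p + flen])
                    p += flen
                records.append(rec)
        off += fs_len
    return records


def connection_total_bytes(rec: dict) -> int:
    """Bytes in both directions as reported in a single teardown record."""
    return rec["initiator_bytes"] + rec["responder_bytes"]


def build_sample_packet() -> bytes:
    """Constructed sample: one template flowset followed by one teardown record,
    the kind of packet the ASA sends once a long-lived connection ends."""
    tfields = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (233, 1), (231, 4), (232, 4)]
    tmpl = struct.pack("!HH", 256, len(tfields)) + b"".join(
        struct.pack("!HH", t, l) for t, l in tfields)
    tmpl_fs = struct.pack("!HH", 0, 4 + len(tmpl)) + tmpl
    rec = (ipaddress.IPv4Address("10.0.0.5").packed        # made-up client
           + ipaddress.IPv4Address("192.0.2.10").packed    # made-up server
           + struct.pack("!HHBB", 51514, 443, 6, 2)        # ports, TCP, teardown
           + struct.pack("!II", 1840, 95312))              # bytes each way
    data = rec + b"\x00" * ((-len(rec)) % 4)               # pad to 4 bytes
    data_fs = struct.pack("!HH", 256, 4 + len(data)) + data
    header = struct.pack("!HHIIII", 9, 2, 123456, 1700000000, 1, 0)
    return header + tmpl_fs + data_fs


if __name__ == "__main__":
    learned: Dict[int, Template] = {}
    for r in parse_v9(build_sample_packet(), learned):
        print(r, "total bytes:", connection_total_bytes(r))
```

The design point worth noting is the template cache: the ASA sends its templates periodically rather than in every packet, so a collector that starts after the export is already running must hold on to data packets (or simply drop them, as this example does) until the next template arrives.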