Author Profile - Michael Patterson is currently the Product Manager of Scrutinizer NetFlow and sFlow Analyzer at Plixer International. Prior to Plixer, Michael worked for Cabletron Systems as the Director for outsourced network management.
Plixer International is one of the fastest growing network performance measuring companies in the industry. Merged with Somix Technologies, Inc. in 2006 and founded in 1999, the team at Plixer works on many of the largest networks in the world. Many companies still spend the majority of their time focusing on reactive issues and individual equipment problems. Plixer solutions provide a holistic view of the entire enterprise regardless of equipment vendor.
The Cisco ASA and NetFlow
Finding out who or what is clogging up a connection has always been a strength of NetFlow analysis. The Cisco ASA is a different beast when it comes to NetFlow.
Collecting and reviewing the NetFlow information from your ASA Firewall will allow you to find out:
- Who is making the most connections and causing the most traffic
- Which applications are consuming the most bandwidth
- What traffic is taking advantage of ToS and DSCP
- Much, much more …
Introducing NSEL
The ASA sends out something called NSEL (NetFlow Security Event Logs). Inside NSEL you will find syslog-type messages as well as traditional NetFlow v9 information. The NetFlow collector has to know how to parse and report on the traditional data that admins are looking for as well as the new syslog-type messages.
Some of the possible reports include:
- Conversations: which hosts are sending data to each other broken out by application
- Hosts: which hosts are sending the most data or creating the most flows
- Hosts to Hosts: which hosts are sending data to each other the most regardless of application or protocol
- Flow Trend: how many flows the ASA is processing per minute
- Protocols: how much TCP, UDP, ICMP, etc. is passing through
- Utilization: how much traffic is being passed through (similar to a basic throughput graph).
Setting up the ASA to export NetFlow can be tricky as well.
Get started with Cisco ASDM 6.2
To set up the NetFlow export from your ASA, which must be running version 8.2.1 or newer, bring up the Cisco ASDM (Adaptive Security Device Manager) and set up the exporters:
Then, go to the Firewall configuration and create an ACL matching ANY to ANY:
Edit the ACL above and apply a NetFlow rule action for the event types (e.g. ALL). Up to five collectors can be entered. See below:
As traffic passes through the firewall, NetFlow will start getting exported for the different template types.
Where is the NetFlow from the ASA?
To display the NetFlow data in Scrutinizer, click on the word ‘Graph’ when viewing the NetFlow Templates. Beware: not all templates can be graphed, so expect an error message. Here is how Scrutinizer v7 displays the templates:
Access to the raw messages is also possible on ALL the templates by clicking on “Flow View”. Explaining the data displayed would take this post to a whole new level:
I’m not sure anyone is interested? ☺ Let me know.
It’s all in the templates
NetFlow v9 uses templates, and this is the big difference between v9 and the most popular version of NetFlow, which is v5. NSEL uses Flexible NetFlow, which is based on NetFlow v9. The three most popular event types that trigger a NetFlow record are:
- flow-create
- flow-denied
- flow-teardown
NOTE: The above ‘no XLATE’ template is created when no NAT translation is done. IPv6 also comes in as unique templates.
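To make the template idea concrete, here is an added example (not part of the original post and not Scrutinizer code): a minimal NetFlow v9 parser that learns a template and then uses it to decode data records and label the three event types listed above. The template ID 256, the addresses and the cut-down six-field template are constructed for illustration; real ASA templates carry many more fields. Field number 233 for the firewall event and its codes 1, 2 and 3 come from Cisco's NSEL field definitions, not from this post.

```python
import socket
import struct

FW_EVENT = {1: "flow-create", 2: "flow-teardown", 3: "flow-denied"}  # field 233 codes (assumed)
NAMES = {8: "src_ip", 7: "src_port", 12: "dst_ip", 11: "dst_port", 4: "proto", 233: "event"}

def decode(ftype, raw):
    if ftype in (8, 12) and len(raw) == 4:
        return socket.inet_ntoa(raw)
    value = int.from_bytes(raw, "big")
    return FW_EVENT.get(value, value) if ftype == 233 else value

def parse_v9(packet, templates):
    """Parse one v9 datagram; templates maps template id -> [(type, length)]."""
    if len(packet) < 20 or struct.unpack_from("!H", packet)[0] != 9:
        raise ValueError("not a NetFlow v9 datagram")
    records, off = [], 20  # the v9 header is 20 bytes
    while off + 4 <= len(packet):
        fs_id, fs_len = struct.unpack_from("!HH", packet, off)
        if fs_len < 4 or off + fs_len > len(packet):
            raise ValueError("flowset length out of bounds")
        body, pos = packet[off + 4:off + fs_len], 0
        while fs_id == 0 and pos + 4 <= len(body):  # template flowset: learn the layout
            tid, n = struct.unpack_from("!HH", body, pos)
            if n == 0 or pos + 4 + 4 * n > len(body):
                break  # padding or truncated template
            templates[tid] = list(struct.iter_unpack("!HH", body[pos + 4:pos + 4 + 4 * n]))
            pos += 4 + 4 * n
        fields = templates.get(fs_id, []) if fs_id >= 256 else []
        size = sum(length for _, length in fields)
        while size and pos + size <= len(body):  # data flowset; trailing pad is ignored
            rec = {}
            for ftype, length in fields:
                rec[NAMES.get(ftype, ftype)] = decode(ftype, body[pos:pos + length])
                pos += length
            records.append(rec)
        off += fs_len  # data that arrives before its template is skipped
    return records

def sample_packet():
    """Constructed datagram (not ASA output): template 256, three records, 2 pad bytes."""
    tmpl = struct.pack("!14H", 256, 6, 8, 4, 7, 2, 12, 4, 11, 2, 4, 1, 233, 1)
    rows = [("10.0.0.5", 51000, "192.0.2.10", 443, 6, 1),
            ("10.0.0.9", 51001, "198.51.100.7", 23, 6, 3),
            ("10.0.0.5", 51000, "192.0.2.10", 443, 6, 2)]
    data = b"".join(struct.pack("!4sH4sHBB", socket.inet_aton(s), sp, socket.inet_aton(d), dp, p, e)
                    for s, sp, d, dp, p, e in rows) + b"\x00\x00"
    flowsets = struct.pack("!HH", 0, 4 + len(tmpl)) + tmpl + struct.pack("!HH", 256, 4 + len(data)) + data
    return struct.pack("!HHIIII", 9, 4, 0, 0, 1, 0) + flowsets
```

Keep one `templates` dictionary per exporter and pass it to every call, because a v9 exporter sends templates only periodically and the data records cannot be decoded without them.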
These views all came from the shareware version of Scrutinizer.
The only difference between the shareware version and the commercial version is that the commercial version will not reset all the statistics and views every midnight.
In lieu of getting caught up in how or when each message is sent out, just enjoy being able to look at this data with Scrutinizer v7.
Below is an incomplete list of features:
- Captures Cisco NetFlow, sFlow and other flow technologies and uses that data to monitor the overall network health.
- Reports on which hosts, applications, protocols, etc. are using the most network traffic.
- Exclude transport layer protocol types per router, interface or even globally across all routers / switches. Useful for excluding VPN traffic which Cisco routers sometimes double export in NetFlow.
- Network maps in Flash or Google with clickable links that change color based on utilization.
- IP Grouping support and subnet trends.
- IPv6 Support as well as support for Flexible NetFlow, NBAR and NSEL (NetFlow Security Event Logs).
- Applications defined by combination of ports and IP addresses.
- Extensive flexibility for VoIP reports.
It does all this and was recently released as freeware. Download Scrutinizer here.
Note: These items are available for the commercial version of Scrutinizer:
Flow Analytics is a company-wide reporting solution for:
- Archiving of Scrutinizer Database beyond 24 hours (i.e. infinite years of data can be saved at selectable intervals). The free version of Scrutinizer drops all data at midnight.
- Top Applications, Conversations, Flows, Protocols, Domains, Countries, Subnets, etc. across dozens of routers and switches
- Any saved report in Scrutinizer can be configured with a threshold to trigger an alarm
- DNS resolution becomes automated and a constant process
- Reporting and alarming on internal network SYN, NULL, FIN, XMAS Scans, RST/ACK worms, P2P, ICMP Unreachable, illegal IP addresses, excessive Multicast traffic, known compromised internet hosts and more.
- Distributed Collectors can be used to analyze traffic enterprise wide from a central location. Dozens of distributed collectors supported to support companies with thousands of flow exporting devices (i.e. routers and switches).
- Service Providers can take advantage of the SPM (Service Provider Module), which allows permissions to be configured per router/switch/interface, etc. per login account. Customizable billing solutions for over usage and invoicing.
For more information, please visit our company website here.











