A feature not typically associated with the Cisco Adaptive Security Appliance (ASA) is its ability to send NetFlow records to a variety of collectors. NetFlow is not only an excellent network analysis tool; a steady stream of its records also yields a valuable baseline for anomaly detection, particularly with the Cisco MARS appliance. This post will highlight the ASDM screens used to configure this feature.
Shown below is the initial screen used to enable general NetFlow processing; note that it is reached through the Device Management > Logging section. The first field at the top is for NetFlow templates, introduced in version 9; a template describes the format of the flow records sent after it. The check box below that time interval provides more economical reporting by transmitting only the flow teardown event for short-lived flows. This screenshot was taken after the Add button was clicked; note that the source interface and the collector's IP address and destination port need to be specified.
At the bottom of the screen is the option to disable redundant syslog messages, avoiding duplicate reporting of flow events that NetFlow is already recording. Conspicuously absent from this screen is the ability to specify the NetFlow version, as can be done on an IOS router. As a result, sadly, a MARS appliance cannot be used as a collector for these messages, as it currently supports only versions 5 and 7.
Now that we’ve looked at the “global properties” screen for NetFlow, the next step is to specify the “interesting traffic”. This is done with the Service Policy Rule Wizard in ASDM. Just out of curiosity, I attempted to select the traffic using the Quality of Service field known as DSCP (Differentiated Services Code Point) and received the following error message:
After I complied with the note and configured an ACL-defined flow, clicking on the NetFlow tab resulted in the following screen:
Here the administrator has the option to send all NetFlow records or only the flow creation, flow denied, or flow teardown records. Clicking the Manage button displays the same entry fields as in the first screenshot.
Since NetFlow version 9 is the revision that supports the increasingly deployed IPv6, it remains to be seen whether the ASA code will be modified to allow sending older NetFlow versions, or whether the Cisco MARS code will be modified to accept version 9.
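Because the ASA only speaks version 9, a collector must learn the record layout from a template FlowSet before it can decode any data FlowSet, and a collector that checks the header only for versions 5 and 7 rejects the export at the first two bytes. The following Python decoder is an added example written for this post (it is not Cisco code or ASDM output): it parses a constructed v9 export consisting of one template and two flow records, caches templates per source ID, reports data that arrives before its template instead of dropping it, and shows the v5/v7-only header check. The field IDs, addresses and ports are constructed sample values.

```python
import struct
from socket import inet_aton, inet_ntoa

# NetFlow v9 field type IDs (RFC 3954) used by the constructed template below.
FIELD_NAMES = {8: "src_ip", 12: "dst_ip", 7: "src_port", 11: "dst_port", 4: "proto"}
def decode(ftype, raw):  # addresses as dotted quads, everything else as big-endian integers
    return inet_ntoa(raw) if ftype in (8, 12) else int.from_bytes(raw, "big")

def parse_v9(packet, templates):
    """Decode one export packet into (records, template_ids_not_yet_known). `templates` is the
    collector's cache keyed by (source_id, template_id); data arriving before its template is reported."""
    version, _count, _uptime, _secs, _seq, source_id = struct.unpack("!HHIIII", packet[:20])
    if version != 9:
        raise ValueError(f"not a NetFlow v9 packet (version {version})")
    records, pending, pos = [], [], 20
    while pos + 4 <= len(packet):
        fs_id, fs_len = struct.unpack("!HH", packet[pos:pos + 4])
        body, pos = packet[pos + 4:pos + fs_len], pos + fs_len
        if fs_id == 0:  # template FlowSet: repeated (template_id, field_count, (type, len)...)
            off = 0
            while off + 4 <= len(body):
                tid, nfields = struct.unpack("!HH", body[off:off + 4])
                templates[(source_id, tid)] = list(struct.iter_unpack("!HH", body[off + 4:off + 4 + 4 * nfields]))
                off += 4 + 4 * nfields
        elif fs_id >= 256:  # data FlowSet: fs_id names the template that describes its records
            tmpl = templates.get((source_id, fs_id))
            if tmpl is None:
                pending.append(fs_id)
                continue
            fmt = "!" + "".join(f"{flen}s" for _, flen in tmpl)
            rec_len = struct.calcsize(fmt)
            for off in range(0, len(body) - rec_len + 1, rec_len):  # trailing padding is skipped
                pieces = struct.unpack(fmt, body[off:off + rec_len])
                records.append({FIELD_NAMES.get(t, f"field_{t}"): decode(t, raw)
                                for (t, _), raw in zip(tmpl, pieces)})
    return records, pending

def collector_accepts(packet, supported_versions=(5, 7)):  # a v5/v7-only collector, as MARS in the text
    return struct.unpack("!H", packet[:2])[0] in supported_versions

def build_sample_export():
    """Constructed sample: a template packet (template 256) and a data packet with two flows."""
    fields = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1)]
    tmpl = struct.pack("!HH", 256, len(fields)) + b"".join(struct.pack("!HH", *f) for f in fields)
    flows = [("10.1.1.5", "203.0.113.7", 51234, 443, 6), ("10.1.1.9", "198.51.100.2", 40000, 53, 17)]
    data = b"".join(struct.pack("!4s4sHHB", inet_aton(s), inet_aton(d), sp, dp, pr) for s, d, sp, dp, pr in flows)
    data += b"\x00" * (-len(data) % 4)  # pad the FlowSet to a 4-byte boundary
    header = struct.pack("!HHIIII", 9, 1, 1000, 1700000000, 1, 0)  # version 9, one FlowSet, source id 0
    return header + struct.pack("!HH", 0, 4 + len(tmpl)) + tmpl, header + struct.pack("!HH", 256, 4 + len(data)) + data
```

Feeding the data packet before the template packet returns no records and the pending template ID 256; once the template has been cached, the same data packet decodes into two flow records.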
Author: Doug McKillip