Today we will be having a look at Cisco Netflow configuration on an ASA firewall. We will be using PRTG Network Monitoring, from Paessler, which is a free netflow collector and analyzer that supports 10 sensors, which you can download from here.
Installing PRTG is very straight forward, it's all point and click, so I will save you all the obvious screenshots and dive right in.
What is Netflow?
Netflow was designed by Cisco to collect IP network traffic. This data can then be analysed for source, destination, protocol, class of service etc, and uses a flow cache, Flow Collector and a Flow analyser to present the data in an understandable way.Cisco ASA Netflow configuration
Firstly you'll need at least ASA 8.2.1, and ASDM 6.2.1. I am using ASA version 9.0(3) and ASDM version 7.1(6).The Netflow settings in ASDM are located in Configuration > Logging > NetFlow
Click on Add and specify the IP address of the server running the Netflow software, and specify a port of 2055.
The next step is to start throwing all of our traffic at the netflow collector. To do this we must set up a service policy rule.
Firewall > Service Policy Rules and click on Add.
Select "Global - applies to all interfaces" and keep the default name of global-class
Select Source and Destination IP addresses (uses ACL) and click Next
For the Source and Destination select "any", and for the service select ip (I did also add icmp, icmp/echo and icmp/echo-reply)
On the next page select the NetFlow tab, click on add and select the Netflow collector IP to the one we configured in the first step, making sure that we click Send. Click OK.
Lastly click on "Finish"
Creating a Netflow sensor on PRTG for Cisco ASAs
Hopefully your firewall should have already been picked up through its own ping tests. If not click on Devices and select add a device. We can either create a new group, or add it to an exisiting group. Give the new device a meaning full name, and then you can click on Add Sensor.Select NetFlow V9, and click on "Add This"
Give the sensor a name, and set the "Receive NetFlow Packets on UDP Port" to the same port we configured on the ASA (2055). Set the sender IP to the ASAs interface IP address, and set the "Active Flow Timeout (Minutes) to something (I have used 30). To get some decent data I also set the channel configuration for Infrastructure to "Detail":
Give it a little time for the collector to get some data, five minutes or so should do, and hopefully you should start seeing some data:
(the above screenshot references a different sensor number to the one above it - but don't worry about that - I just set up additional sensors to get a screenshot).
You can also drill down into the sensor and see the top protocols:
It's pretty quick to start getting some good information out of your firewalls using NetFlow, and PRTG.
There are a number of Netflow systems out there, if you are good with Linux then there are free ones available.
netflow is a very powerful, and potentially cheap way to have a fully fledged network monitoring system.