Configuring NetFlow Using NSEL
You can configure Cisco ASA to forward NetFlow events by using NSEL.
1. Log in to the Cisco ASA device command-line interface (CLI).
2. Type the following command to access privileged EXEC mode:
3. Type the following command to access global configuration mode:
4. Disable the output object name option:
5. Type the following command to enable NetFlow export:

   flow-export destination <interface-name> <ipv4-address or hostname> <udp-port>

   Note: IBM® QRadar® typically uses UDP port 2055 for NetFlow event data on QRadar QFlow Collectors. You must configure a different UDP port on your Cisco Adaptive Security Appliance for NetFlow export by using NSEL.

   Where:
   - <interface-name> is the name of the Cisco Adaptive Security Appliance interface through which the NetFlow collector is reached.
   - <ipv4-address or hostname> is the IP address or host name of the NetFlow collector.
   - <udp-port> is the UDP port number to which NetFlow packets are sent.
6. Type the following command to configure the NSEL class-map:
7. Choose one of the following traffic options:
   - To configure a NetFlow access list to match specific traffic, type the command:

     match access-list flow_export_acl

   - To configure NetFlow to match any traffic, type the command:

     match any

   Note: The Access Control List (ACL) must exist on the Cisco ASA device before you define the traffic match option in this step.
8. Type the following command to configure the NSEL policy-map:
9. Type the following command to define a class for the flow-export action:
10. Type the following command to configure the flow-export action:

    flow-export event-type all destination <IP address>

    Where <IP address> is the IP address of QRadar.

    Note: If you are using a Cisco ASA version before v8.3, you can skip this step, because the device defaults to the flow-export destination. For more information, see your Cisco ASA documentation.
11. Type the following command to add the service policy globally:

    service-policy flow_export_policy global
12. Exit the configuration:
13. Save the changes:

You must verify that your collector applications use the Event Time field to correlate events.
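The steps above are shown one command at a time. The following block is an added example, not configuration from the original page or from IBM or Cisco, that assembles the whole NSEL export configuration in the order the procedure prescribes so that it can be reviewed as a unit. Everything that the page does not name is an assumption and is marked as such in the comments: the interface name inside, the collector address 192.0.2.10 (an RFC 5737 documentation address), the UDP port 2056 (chosen so that it does not collide with port 2055, which QFlow Collectors use), the class-map name flow_export_class, and the contents of the access list flow_export_acl. The names flow_export_acl and flow_export_policy are the ones the page uses; enable, configure terminal, end and write memory are the standard ASA commands for the mode changes and the save, and no names is assumed to be the command meant by "disable the output object name option".

```cisco
! Added example: full NSEL export configuration for a Cisco ASA.
! Not from the page; assumed values are marked and must be replaced.
!
! Assumed:  inside            -> ASA interface that reaches the collector
!           192.0.2.10        -> NetFlow collector (QRadar) address
!           2056              -> collector UDP port (not 2055, used by QFlow)
!           flow_export_class -> class-map name (not given on the page)
!           flow_export_acl   -> ACL contents; the page only requires that it exist
enable
configure terminal

! Step 4: turn off name substitution in output (assumed command)
no names

! The ACL must exist before the class-map refers to it.
! permit ip any any exports every flow; narrow it to the traffic you need.
access-list flow_export_acl extended permit ip any any

! Step 5: where the NetFlow packets go
flow-export destination inside 192.0.2.10 2056

! Steps 6-7: class-map that selects the traffic to export
class-map flow_export_class
 match access-list flow_export_acl

! Steps 8-10: policy-map that applies the flow-export action to that class
policy-map flow_export_policy
 class flow_export_class
  flow-export event-type all destination 192.0.2.10

! Step 11: apply the policy to all interfaces
service-policy flow_export_policy global

! Steps 12-13: leave configuration mode and persist the change
end
write memory
```

After the configuration is saved, show flow-export counters on the ASA reports how many NSEL records have been sent and whether any were dropped, and show running-config flow-export confirms the destination, interface and port that were actually committed. If the counters increase but QRadar shows no events, the first things to check are that the collector is listening on the port you chose rather than on 2055, and that no intermediate firewall drops UDP to that port.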