Configuring NetFlow Using NSEL

You can configure Cisco ASA to forward NetFlow events by using NSEL.

Procedure

  1. Log in to the Cisco ASA device command-line interface (CLI).
  2. Type the following command to access privileged EXEC mode:

    enable

  3. Type the following command to access global configuration mode:

    conf t

  4. Disable the output object name option:

    no names

  5. Type the following command to enable NetFlow export:

    flow-export destination <interface-name> <ipv4-address or hostname> <udp-port>

    Where:

    • <interface-name> is the name of the Cisco Adaptive Security Appliance interface through which the NetFlow collector is reached.

    • <ipv4-address or hostname> is the IP address or host name of the Cisco ASA device with the NetFlow collector application.

    • <udp-port> is the UDP port number to which NetFlow packets are sent.

    Note: IBM QRadar typically uses port 2055 for NetFlow event data on QRadar QFlow Collectors. You must configure a different UDP port on your Cisco Adaptive Security Appliance for NetFlow by using NSEL.

  6. Type the following command to configure the NSEL class-map:

    class-map flow_export_class

  7. Choose one of the two traffic-matching options. To export only the traffic that matches a NetFlow access list, type the following command:

    match access-list flow_export_acl

    Note: The Access Control List (ACL) must exist on the Cisco ASA device before you define the traffic match option in this procedure.

  8. Alternatively, to export all traffic, type the following command instead:

    match any

  9. Type the following command to configure the NSEL policy-map:

    policy-map flow_export_policy

  10. Type the following command to define a class for the flow-export action:

    class flow_export_class

  11. Type the following command to configure the flow-export action:

    flow-export event-type all destination <IP address>

    Where <IP address> is the IP address of QRadar.

    Note: If you are using a Cisco ASA version before v8.3, you can skip this step because the device defaults to the flow-export destination. For more information, see your Cisco ASA documentation.

  12. Type the following command to add the service policy globally:

    service-policy flow_export_policy global

  13. Exit the configuration:

    exit

  14. Save the changes:

    write mem

    You must verify that your collector applications use the Event Time field to correlate events.
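The following is an added example, not taken from the original page or from Cisco or IBM, showing the complete NSEL export configuration that the steps above produce, in the form that the ASA running configuration displays it. The interface name (inside), the collector address (192.0.2.10), the UDP port (9996, deliberately not 2055) and the 10.10.0.0/16 server network matched by the ACL are all assumed values for illustration.

```text
! Added example: full NSEL flow-export configuration assembled from the steps above.
! Assumed values: collector reached via the "inside" interface at 192.0.2.10,
! listening on UDP 9996 (not 2055, which QRadar QFlow Collectors use).
no names
!
! The ACL must exist before the class-map references it (see the note in step 7).
! This one exports only traffic to or from the assumed 10.10.0.0/16 server network.
access-list flow_export_acl extended permit ip 10.10.0.0 255.255.0.0 any
access-list flow_export_acl extended permit ip any 10.10.0.0 255.255.0.0
!
flow-export destination inside 192.0.2.10 9996
!
class-map flow_export_class
 match access-list flow_export_acl
!
policy-map flow_export_policy
 class flow_export_class
  flow-export event-type all destination 192.0.2.10
!
service-policy flow_export_policy global
!
exit
write mem
```

After the policy is applied, `show running-config flow-export` confirms the destination and port, and `show flow-export counters` reports how many NSEL packets the ASA has sent, which is the first thing to check if QRadar receives no flows.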