Configuring NetFlow Using NSEL
You can configure Cisco ASA to forward NetFlow events by using NSEL.
Procedure
- Log in to the Cisco ASA device command-line interface (CLI).
- Type the following command to access privileged EXEC mode:
  enable
- Type the following command to access global configuration mode:
  conf t
- Disable the output object name option:
  no names
- Type the following command to enable NetFlow export:
  flow-export destination <interface-name> <ipv4-address or hostname> <udp-port>
  Where:
  - <interface-name> is the name of the Cisco Adaptive Security Appliance interface for the NetFlow collector.
  - <ipv4-address or hostname> is the IP address or host name of the Cisco ASA device with the NetFlow collector application.
  - <udp-port> is the UDP port number to which NetFlow packets are sent.
  Note: IBM QRadar typically uses port 2055 for NetFlow event data on QRadar QFlow Collectors. You must configure a different UDP port on your Cisco Adaptive Security Appliance for NetFlow by using NSEL.
- Type the following command to configure the NSEL class-map:
  class-map flow_export_class
- Choose one of the following traffic options:
  - To configure a NetFlow access list to match specific traffic, type the command:
    match access-list flow_export_acl
  - To configure NetFlow to match any traffic, type the command:
    match any
  Note: The Access Control List (ACL) must exist on the Cisco ASA device before you define the traffic match option in this step.
- Type the following command to configure the NSEL policy-map:
  policy-map flow_export_policy
- Type the following command to define a class for the flow-export action:
  class flow_export_class
- Type the following command to configure the flow-export action:
  flow-export event-type all destination <IP address>
  Where <IP address> is the IP address of QRadar.
  Note: If you are using a Cisco ASA version before v8.3, you can skip this step because the device defaults to the flow-export destination. For more information, see your Cisco ASA documentation.
- Type the following command to add the service policy globally:
  service-policy flow_export_policy global
- Exit the configuration:
  exit
- Save the changes:
  write mem
You must verify that your collector applications use the Event Time field to correlate events.
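The following Python helper is an added example, not part of the IBM or Cisco documentation: it renders the NSEL commands from the procedure above for a given interface, collector address and UDP port, and audits a saved running-config for the two caveats the procedure calls out (the UDP port must not be the QFlow port 2055, and a matched ACL must actually be defined). The interface name, collector address and ACL in the sample are constructed values.

```python
import re

QFLOW_DEFAULT_PORT = 2055  # port QRadar QFlow Collectors typically use for NetFlow


def render_nsel_config(interface, collector, udp_port, acl=None):
    """Emit the NSEL commands from the procedure, one per line, as typed in conf t."""
    if udp_port == QFLOW_DEFAULT_PORT:
        raise ValueError("UDP port %d is the QFlow NetFlow port; pick another" % udp_port)
    match = "match access-list %s" % acl if acl else "match any"
    return "\n".join([
        "no names",
        "flow-export destination %s %s %d" % (interface, collector, udp_port),
        "class-map flow_export_class",
        " " + match,
        "policy-map flow_export_policy",
        " class flow_export_class",
        "  flow-export event-type all destination %s" % collector,
        "service-policy flow_export_policy global",
    ])


def audit_nsel_config(config):
    """Return a list of findings for a running-config text; [] means all checks passed."""
    findings = []
    dest = re.search(r"^flow-export destination (\S+) (\S+) (\d+)", config, re.M)
    if dest is None:
        findings.append("no flow-export destination configured")
    elif int(dest.group(3)) == QFLOW_DEFAULT_PORT:
        findings.append("flow-export uses UDP %d, the QFlow NetFlow port" % QFLOW_DEFAULT_PORT)
    if not re.search(r"^class-map flow_export_class\n\s*match (any|access-list \S+)", config, re.M):
        findings.append("class-map flow_export_class has no match statement")
    acl = re.search(r"^\s+match access-list (\S+)", config, re.M)
    if acl and not re.search(r"^access-list %s\b" % re.escape(acl.group(1)), config, re.M):
        findings.append("ACL %s is matched but not defined" % acl.group(1))
    if not re.search(r"^\s+flow-export event-type all destination \S+", config, re.M):
        findings.append("policy-map has no 'flow-export event-type all' action")
    if not re.search(r"^service-policy flow_export_policy global", config, re.M):
        findings.append("service-policy flow_export_policy is not applied globally")
    return findings


# Constructed sample: an ACL defined before the class-map that matches it.
SAMPLE_ACL = "access-list flow_export_acl extended permit ip any any"

if __name__ == "__main__":
    cfg = render_nsel_config("inside", "192.0.2.10", 2056, acl="flow_export_acl")
    print(cfg)
    print("findings:", audit_nsel_config(SAMPLE_ACL + "\n" + cfg))
```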