\n\tASA supports netflow exports against some of Netflow collectors, for example ntopng. <\/p>\n
\n\tHere I'm describing steps required to configure netflow statistical export using ASA CLI.<\/p>\n
\n\tTo configure netflow export we must apply at least followig commands:<\/p>\n
\n\t <\/p>\n
\n\t1. Configure the flow export<\/p>\n
\r\nflow-export <\/b>destination<\/span> <\/span>interface-name ipv4-address <\/em>| <\/span>hostname udp-port<\/em><\/pre>\n\n\tin my case <\/p>\n
\r\nflow-export destination vlan255 192.168.255.19 6343<\/pre>\n\n\t <\/p>\n
\n\t2. No we will specify an access-list which will define an interesting traffic which will be exported<\/p>\n
\r\naccess-list NAME ACL_TYPE ACTION PROTOCOL SOURCE WILDCARD DESTINATION WILDCARD <\/pre>\n\n\tin my case i'm wishing to export statistics about all flows<\/p>\n
\r\naccess-list ACL-NETFLOW-EXPORT<\/span> permit ip any any<\/pre>\n\n\t <\/p>\n
\n\t3. and then we define a class map which will test the traffic against above defined ACL<\/p>\n
\r\nclass-map NAME_OF_FLOW_CLASS<\/pre>\n\n\tin my case<\/p>\n
\r\nclass-map <\/span>NETFLOW-EXPORT-CLASS<\/span><\/pre>\n\n\t <\/p>\n
\n\t4. and set a match condition<\/p>\n
\r\nmatch access-list ACL-NAME<\/pre>\n\n\tin my case <\/p>\n
\r\nmatch access-list ACL-NETFLOW-EXPORT<\/span><\/pre>\n\n\talternatively if we suppose to match any traffic, we do not need the ACL and then we may use match any <\/em>statement<\/p>\n\r\nmatch any<\/pre>\n\n\t <\/p>\n
\n\t5. now we define a policy map to apply flow-export actions to the defined class. Enters policy map configuration mode and define a policy<\/p>\n
\n\tNote: <\/span><\/strong>check the note on step 8 to continue….<\/p>\n\r\n\u200b<\/strike>policy-map NAME-of-EXPORT-POLICY<\/pre>\n\n\tin my case<\/p>\n
\r\npolicy-map NETFLOW-EXPORT-POLICY<\/span><\/pre>\n\n\t <\/p>\n
\n\t6. then map the netflow-export-class class to the defined netflow-policy policy.<\/p>\n
\r\nclass NAME-OF-EXPORT-CLASS<\/pre>\n\n\tin my case<\/p>\n
\r\nclass NETFLOW-EXPORT-CLASS<\/span><\/pre>\n\n\t <\/p>\n
\n\t7 . and within policy class define a flow-export action.<\/p>\n
\r\nflow-export event-type <\/b>event-type<\/em> destination <\/b>flow_export_host1<\/em>[<\/span>flow_export_host2<\/em>]<\/span><\/pre>\n\n\tin my case<\/p>\n
\r\nflow-export event-type all destination 192.168.255.19<\/pre>\n\n\trepeating this steps (6-7) we may define several export classes.<\/p>\n
\n\t <\/p>\n
\n\t8. and finally we apply the service policY to a global policy<\/p>\n
\r\nservice-policy FLOW-EXPORT-POLICY global<\/pre>\n\n\tin my case<\/p>\n
\r\nservice-policy NETFLOW-EXPORT-POLICY <\/span>global<\/span><\/span><\/pre>\n
\n\n\tNote:<\/strong><\/p>\n\n\tPlease, make an attention,<\/strong> ASA does not allow to have more as the one global policy, and depends on the configuration some global policy can be already present and exists there. Please check it<\/em><\/p>\n\r\nkis-asa-5515X# sh run | begin service-policy\r\nservice-policy global_policy global\r\n...\r\n...<\/pre>\n\n\t <\/p>\n
\n\tIf there is one, applying your new policy as a new global policy you will get follwoing error message: <\/em><\/p>\n\r\nERROR: Policy map global_policy is already configured as a service policy<\/pre>\n\n\t <\/p>\n
\n\ttherefore we need to map the class with existing global policy<\/p>\n
\r\npolicy-map global_policy\r\n class NETFLOW-EXPORT-CLASS\r\n flow-export event-type all destination 192.168.255.19<\/pre>\n
\n\n\t <\/p>\n
\n\t <\/p>\n
\n\tOptionally we may configure some additional tasks<\/p>\n
\n\t <\/p>\n
\n\t9. set up an export time interval, default is 1.min<\/p>\n
\r\nflow-export template timeout-rate SECONDS<\/pre>\n\n\tI will keep it on default value.<\/p>\n
\n\t <\/p>\n
\n\t10. or to set up an export time, which will instruct ASA to export short (shorter as defined time interval) and identical flows as a single flow<\/p>\n
\r\nflow-export delay flow-create SECONDS<\/pre>\n\n\tin my case 10 second<\/p>\n
\r\nflow-export delay flow-create 10<\/pre>\n\n\t <\/p>\n
\n\t11. To disable and reenable NetFlow-related syslog messages that have become redundant<\/p>\n
\r\nlogging flow-export-syslogs disable<\/pre>\n\n\t <\/p>\n
\n\tFinal configuration<\/h2>\n\n\tversion 1 – no existing global policy<\/h2>\n\r\nflow-export destination vlan255 192.168.255.19 6343\r\naccess-list ACL-NETFLOW-EXPORT permit ip any any\r\n\r\nclass-map NETFLOW-EXPORT-CLASS\r\n match access-list ACL-NETFLOW-EXPORT\r\n\r\npolicy-map NETFLOW-EXPORT-POLICY\r\n class NETFLOW-EXPORT-CLASS\r\n flow-export event-type all destination 192.168.255.19\r\n\r\nservice-policy NETFLOW-EXPORT-POLICY global\r\nflow-export delay flow-create 15\r\nlogging fl\u200bow-export-syslogs disable<\/pre>\n\n\t <\/p>\n
\n\tversion 2 – if there exist a global policy<\/h2>\n
\n\tfor example named as the global_policy<\/em><\/p>\n\r\nflow-export destination vlan255 192.168.255.19 6343\r\naccess-list ACL-NETFLOW-EXPORT permit ip any any\r\n!\r\nclass-map NETFLOW-EXPORT-CLASS\r\n match access-list ACL-NETFLOW-EXPORT\r\n!\r\npolicy-map global_policy\r\n class NETFLOW-EXPORT-CLASS\r\n flow-export event-type all destination 192.168.255.19\r\n!\r\n! not needed to apply it again\r\n! service-policy NETFLOW-EXPORT-POLICY global\r\n!\r\nflow-export delay flow-create 15\r\nlogging fl\u200bow-export-syslogs disable<\/pre>\n\n\t <\/p>\n
\n\tVerification and tshooting<\/h2>\n
\n\tshow flow-export counters<\/p>\n
\n\tshow service-policy global flow ip host [source IP] host [dest IP]<\/p>\n
\n\tshow access-list flow_export_acl<\/p>","protected":false},"excerpt":{"rendered":"
\n\tASA supports netflow exports against some of Netflow collectors, for example ntopng. <\/p>\n
\n\tHere I'm describing steps required to configure netflow statistical export using ASA CLI.<\/p>","protected":false},"author":7,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_seopress_robots_primary_cat":"","_seopress_titles_title":"","_seopress_titles_desc":"","_seopress_robots_index":"","_kad_blocks_custom_css":"","_kad_blocks_head_custom_js":"","_kad_blocks_body_custom_js":"","_kad_blocks_footer_custom_js":"","_kad_post_transparent":"","_kad_post_title":"","_kad_post_layout":"","_kad_post_sidebar_id":"","_kad_post_content_style":"","_kad_post_vertical_padding":"","_kad_post_feature":"","_kad_post_feature_position":"","_kad_post_header":false,"_kad_post_footer":false,"footnotes":""},"categories":[749],"tags":[],"class_list":["post-664","post","type-post","status-publish","format-standard","hentry","category-asa-en"],"taxonomy_info":{"category":[{"value":749,"label":"ASA"}]},"featured_image_src_large":false,"author_info":{"display_name":"admin","author_link":"https:\/\/nil.uniza.sk\/en\/author\/admin\/"},"comment_info":10,"category_info":[{"term_id":749,"name":"ASA","slug":"asa-en","term_group":0,"term_taxonomy_id":747,"taxonomy":"category","description":"","parent":747,"count":5,"filter":"raw","cat_ID":749,"category_count":5,"category_description":"","cat_name":"ASA","category_nicename":"asa-en","category_parent":747}],"tag_info":false,"_links":{"self":[{"href":"https:\/\/nil.uniza.sk\/en\/wp-json\/wp\/v2\/posts\/664","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/nil.uniza.sk\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/nil.uniza.sk\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/nil.uniza.sk\/en\/wp-json\/wp\/v2\/users\/7"}],"replies":[{"embeddable":true,"href":"https:\/\/nil.uniza.sk\/en\/wp-json\/wp\/v2\/comments?post=664"}],"version-history":[{"count":0,"href":"https:\/\/nil.uniza.sk\/en\/wp-json\/wp\/v2\/posts\/664\/revisions"}],"wp:attachment":[{"href":"https:\/\/nil.uniza.sk\/en\/wp-json\/wp\/v2\/media?parent=664"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/nil.uniza.sk\/en\/wp-json\/wp\/v2\/categories?post=664"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/nil.uniza.sk\/en\/wp-json\/wp\/v2\/tags?post=664"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}