Configuring NetFlow Secure Event Logging (NSEL)
This chapter describes how to configure NSEL, a security logging mechanism that is built on NetFlow Version 9 technology, and how to handle events and syslog messages through NSEL.
Information About NSEL
The ASA and ASASM support NetFlow Version 9 services. For more information about NetFlow services, see the “RFCs” section.
The ASA and ASASM implementations of NSEL provide a stateful, IP flow tracking method that exports records that indicate significant events in a flow. In stateful flow tracking, tracked flows go through a series of state changes. NSEL events are used to export data about flow status and are triggered by the event that caused the state change.
The significant events that are tracked include flow-create, flow-teardown, flow-denied (excluding those flows that are denied by EtherType ACLs), and flow-update. In addition, the ASA and ASASM implementation of NSEL generates periodic NSEL events and flow-update events to provide periodic byte counters over the duration of the flow. These events are usually time-driven, which makes them more in line with traditional NetFlow; however, these events may also be triggered by state changes in the flow.
Each NSEL record has an event ID and an extended event ID field, which describes the flow event.
The ASA and ASASM implementations of NSEL provide the following major functions:
- Tracks flow-create, flow-teardown, and flow-denied events, and generates appropriate NSEL data records.
- Triggers flow-update events and generates appropriate NSEL data records.
- Defines and exports templates that describe the progression of a flow. Templates describe the format of the data records that are exported through NetFlow. Each event has several record formats or templates associated with it.
- Tracks configured NSEL collectors and delivers templates and data records to these configured NSEL collectors through NetFlow over UDP only.
- Sends template information periodically to NSEL collectors. Collectors receive template definitions, normally before receiving flow records.
- Filters NSEL events based on the traffic and event type through Modular Policy Framework, then sends records to different collectors. Traffic is matched based on the order in which classes are configured. After a match is found, no other classes are checked. The supported event types are flow-create, flow-denied, flow-teardown, flow-update, and all. Records can be sent to different collectors. For example, with two collectors, you can do the following:
– Log all flow-denied events that match access list 1 to collector 1.
– Log all flow-create events to collector 1.
– Log all flow-teardown events to collector 2.
– Log all flow-update events to collector 1.
Using NSEL and Syslog Messages
Table 78-1 lists the syslog messages that have an equivalent NSEL event, event ID, and extended event ID. The extended event ID provides more detail about the event (for example, which ACL—ingress or egress—has denied a flow).
Note Enabling NetFlow to export flow information makes the syslog messages that are listed in Table 78-1 redundant. In the interest of performance, we recommend that you disable redundant syslog messages, because the same information is exported through NetFlow. You can enable or disable individual syslog messages by following the procedure in the “Disabling and Reenabling NetFlow-related Syslog Messages” section.
Note When NSEL and syslog messages are both enabled, there is no guarantee of chronological ordering between the two logging types.
Licensing Requirements for NSEL
Prerequisites for NSEL
Guidelines and Limitations
This section includes the guidelines and limitations for this feature.
- Supported in single and multiple context mode.
- Supported in routed and transparent firewall mode.
- Supports IPv6 for the class-map, match any, and class-default commands. The match access-list commands only support IPv4 access lists.
Additional Guidelines and Limitations
- If you have previously configured flow-export actions using the flow-export enable command, and you upgrade to a later version, then your configuration is automatically converted to the new Modular Policy Framework flow-export event-type command, which is described under the policy-map command.
- Flow-export actions are not supported in interface-based policies. You can configure flow-export actions in a class-map only with the match access-list, match any, or class-default commands. You can only apply flow-export actions in a global service policy.
- To view bandwidth usage for NetFlow records (not available in real-time), you must use the threat detection feature.
Configuring NSEL
This section describes how to configure NSEL and includes the following topics:
- Configuring NSEL Collectors
- Configuring Flow-Export Actions Through Modular Policy Framework
- Configuring Template Timeout Intervals
- Changing the Time Interval for Sending Flow-Update Events to a Collector
- Disabling and Reenabling NetFlow-related Syslog Messages
- Clearing Runtime Counters
Configuring NSEL Collectors
To configure NSEL collectors, enter the following command:
What to Do Next
See the “Configuring Flow-Export Actions Through Modular Policy Framework” section.
Configuring Flow-Export Actions Through Modular Policy Framework
To export NSEL events by defining all classes with flow-export actions, perform the following steps:
Step 1: Defines the class map that identifies traffic for which NSEL events need to be exported. The flow_export_class argument is the name of the class map.
Step 2: Configures the access list to match specific traffic. The flow_export_acl argument is the name of the access list.
Step 3: Defines the policy map to apply flow-export actions to the defined classes. The flow_export_policy argument is the name of the policy map. If you create a new policy map and apply it globally according to Step 6, the remaining inspection policies are deactivated.
Step 4: Defines the class to apply flow-export actions. The flow_export_class argument is the name of the class.
Step 5: Configures a flow-export action, for example:
hostname (config-pmap-c)# flow-export event-type all destination 209.165.200.230
The event_type keyword is the name of the supported event being filtered. The flow_export_host argument is the IP address of a host. The destination keyword is the IP address of the configured collector.
Step 6: Adds or edits the service policy globally. The flow_export_policy argument is the name of the policy map.
What to Do Next
Configuring Template Timeout Intervals
To configure template timeout intervals, enter the following command:
What to Do Next
See the “Changing the Time Interval for Sending Flow-Update Events to a Collector” section.
Changing the Time Interval for Sending Flow-Update Events to a Collector
To change the time interval at which periodic flow-update events are to be sent to a collector, enter the following command:
What to Do Next
Delaying Flow-Create Events
To delay the sending of flow-create events, enter the following command:
What to Do Next
See the “Disabling and Reenabling NetFlow-related Syslog Messages” section.
Disabling and Reenabling NetFlow-related Syslog Messages
To disable and reenable NetFlow-related syslog messages, perform the following steps:
What to Do Next
See the “Clearing Runtime Counters” section.
Clearing Runtime Counters
To reset runtime counters, enter the following command:
What to Do Next
See the “Monitoring NSEL” section.
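The collector, timer, syslog, and counter settings from the preceding sections, collected into one added CLI sequence (this is not the guide's own command table; the command forms are the ASA flow-export commands as named in these sections, and the collector address, port, and interval values are constructed for illustration):

```cisco
! Collector: the interface through which it is reached, its address, and its UDP port
hostname(config)# flow-export destination inside 209.165.200.230 2055
! Resend template definitions every 30 minutes; a collector that restarts cannot
! decode data records until it has received the templates again
hostname(config)# flow-export template timeout-rate 30
! Send periodic flow-update events (byte counters for long-lived flows) every 5 minutes
hostname(config)# flow-export active refresh-interval 5
! Hold flow-create events for 15 seconds, so flows that end within that window
! are reported by their flow-teardown record alone
hostname(config)# flow-export delay flow-create 15
! Suppress the syslog messages that NSEL makes redundant (those listed in Table 78-1)
hostname(config)# logging flow-export-syslogs disable
! Check what the device is exporting, then reset the per-collector counters
hostname# show flow-export counters
hostname# clear flow-export counters
```

Re-enable the syslog messages with logging flow-export-syslogs enable if a collector is unavailable, because with both disabled the denied-flow information is otherwise lost.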
Monitoring NSEL
You can use syslog messages to help troubleshoot errors or monitor system usage and performance. You can view real-time syslog messages that have been saved in the log buffer in a separate window, which includes an explanation of the message, details about the message, and recommended actions to take, if necessary, to resolve an error. For more information, see the “Using NSEL and Syslog Messages” section.
NSEL Monitoring Commands
To monitor NSEL, enter one of the following commands:
Examples
The following example shows how to display flow-export counters:
The following example shows how to display the flow-export active configuration:
The following example shows how to display the flow-export delay configuration:
The following example shows how to display the flow-export destination configurations:
The following example shows how to display the flow-export template configuration:
The following example shows how to display flow-export syslog messages:
The following example shows how to display current syslog message settings:
Configuration Examples for NSEL
The following examples show how to filter NSEL events, with the specified collectors already configured:
- flow-export destination inside 209.165.200.230 2055
- flow-export destination outside 209.165.201.29 2055
- flow-export destination outside 209.165.201.27 2055
Log all events between hosts 209.165.200.224 and hosts 209.165.201.224 to 209.165.200.230, and log all other events to 209.165.201.29:
Log flow-create events to 209.165.200.230, flow-teardown events to 209.165.201.29, flow-denied events to 209.165.201.27, and flow-update events to 209.165.200.230:
Log flow-create events between hosts 209.165.200.224 and 209.165.200.230 to 209.165.201.29, and log all flow-denied events to 209.165.201.27:
Note You must enter the following command:
hostname (config-pmap-c)# flow-export event-type flow-denied destination 209.165.201.27
for flow_export_acl, because traffic is not checked after the first match, and you must explicitly define the action to log flow-denied events that match flow_export_acl.
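The scenario above as one added CLI sequence (not the guide's own configuration example, which is not reproduced on this page); the ACL, class-map, policy-map, and service-policy forms follow the steps in “Configuring Flow-Export Actions Through Modular Policy Framework”, and the class-map and policy-map names are constructed:

```cisco
! Both directions between the two hosts, so the flow's first packet matches either way
hostname(config)# access-list flow_export_acl extended permit ip host 209.165.200.224 host 209.165.200.230
hostname(config)# access-list flow_export_acl extended permit ip host 209.165.200.230 host 209.165.200.224
hostname(config)# class-map flow_export_class
hostname(config-cmap)# match access-list flow_export_acl
hostname(config)# policy-map flow_export_policy
hostname(config-pmap)# class flow_export_class
hostname(config-pmap-c)# flow-export event-type flow-create destination 209.165.201.29
! Required here too: traffic matching flow_export_acl is not checked against
! class-default, so without this line its denied flows would never be exported
hostname(config-pmap-c)# flow-export event-type flow-denied destination 209.165.201.27
hostname(config-pmap)# class class-default
hostname(config-pmap-c)# flow-export event-type flow-denied destination 209.165.201.27
hostname(config)# service-policy flow_export_policy global
```

On a device that already has a global service policy, add the two classes to that existing policy map instead of applying a new one globally, because applying a new policy map globally deactivates the existing inspection policies (see Step 3 of the procedure).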
Log all traffic except traffic between hosts 209.165.201.27 and 209.165.201.50 to 209.165.201.27:
Where to Go Next
To configure the syslog server, see Chapter 77, “Configuring Logging.”
Additional References
For additional information related to implementing NSEL, see the following sections:
Related Documents
- Information about the implementation of NSEL on the ASA and ASASM: Cisco ASA 5500 Series Implementation Note for NetFlow Collectors. See the following article at https://supportforums.cisco.com/docs/DOC-6113.
- See the following article at https://supportforums.cisco.com/docs/DOC-6114.
RFCs
Feature History for NSEL
Table 78-2 lists each feature change and the platform release in which it was implemented.